
Security

Stealthy network penetration

By Jake Edge
July 25, 2012

Following up on the success of its Pwn Plug, a plug-computer-based network penetration tool, Pwnie Express has recently announced a power-strip-based successor: Power Pwn. Both products (and another that lives inside an N900 smartphone) are examples of the increasing capabilities of small, innocuous-looking packages—ones that can gather an enormous amount of sensitive data. But, Power Pwn is interesting for another reason: its development was partially funded by the US government.

For those not up on "leetspeak" (an alternative "language" used by the cracking/hacking and other subcultures), "pwn" may need some explanation. It is essentially a misspelling of "own" and in the cracking community is used to mean compromising or controlling a computer system of some kind. So, "pwning" a system is often the goal of attackers. The term is used widely in security circles as well, such as the Pwnie Awards that are given out at the Black Hat security conference.

So, while Pwnie Express's products are described as penetration testing (pentesting) tools, their names and capabilities make it obvious that they are quite suitable for more offensive tasks as well. Power Pwn is designed to look like (and act like) an eight-outlet power strip or surge protector, with "convenient" Ethernet ports, as well as a USB connector. Even when plugged into the network, it could easily be overlooked behind a desk or in a crowded server room.

But the device has no need to be connected to the network to be useful. It contains high-gain antennas for both Bluetooth and 802.11b/g/n, along with an external 3G/GSM network adaptor. Beyond that, it has a 1.2 GHz ARM processor with 512M of RAM and a 16G flash disk. It runs Debian 6 ("Squeeze") and comes with an impressive array of security and penetration tools.

It's clear that Pwnie Express has done more than just load a bunch of tools on top of the hardware and Debian, though. The device will call home via SSH either over the wired connection or 3G/GSM. There is also the ability to send shell commands to the device via SMS text messages. It can tunnel through firewalls and intrusion prevention systems (IPS). And so on. It could clearly be of use to those of any hat shade—white, gray, or black.

Those interested in the device will have to wait a while, though, as it is currently only available via pre-order (at a hefty $1295), with expected delivery at the end of September. Most of the same features can be found in the Pwn Plug that is available now (though not inexpensively: $795). That device looks like a cross between a wall-wart power supply and a plug-in air freshener—also easily overlooked.

Power Pwn was developed using money from the US Defense Advanced Research Projects Agency's (DARPA) new Cyber Fast Track (CFT) program:

CFT is designed to fund research to be performed by boutique security companies, individuals, and hacker/maker-spaces, and allow them to keep the commercial Intellectual Property for what they create. The goal is not to have these entities focus on solving DoD problems, but rather to fund research efforts these organizations would have considered on their own but are not pursuing due to complexity/cost/time/etc. Where it is an effort that may help the community at large it is almost by definition within the running lanes of CFT to consider. What's good for the community is good for DARPA.

It's tempting to speculate about the uses that the US government might have for a tool like Power Pwn. It's a bit hard to imagine that other, more secretive organizations, such as the National Security Agency (NSA), don't have similar—stealthier—devices already in hand, though. So, DARPA's thinking is likely along the lines of what Pwnie Express CEO Dave Porcello told Wired: "taking the tools that the hackers are using and putting them in the hands of the people that need to defend against the hackers".

Over time, of course, these kinds of devices are only going to get smaller and more stealthy. There are some limits, though, particularly in terms of power and wired networking connections—at least today. But it is clear that attackers are going to have better and better tools over time. In a somewhat different context (remote scanning), Bruce Schneier recently observed:

All sorts of remote surveillance technologies -- facial recognition, remote fingerprint recognition, RFID/Bluetooth/cell phone tracking, license plate tracking -- are becoming possible, cheaper, smaller, more reliable, etc. [...]

We're at a unique time in the history of surveillance: the cameras are everywhere, and we can still see them. Fifteen years ago, they weren't everywhere. Fifteen years from now, they'll be so small we won't be able to see them.

Keeping network intrusion devices from gathering sensitive data—or causing mayhem—is only going to get more difficult over time. Devices like Power Pwn and Pwn Plug are just the beginning. Widespread strong encryption, which will likely need to be deployed on wired networks as well, can help. But that just makes guarding the keys that much more important, of course. It's an arms race.


Brief items

Security quotes of the week

Hopefully, Microsoft is in bed with various governments to allow them to listen in on our calls. This sounds crazy, but no. It would be an ironic twist, but if it were the case, Microsoft would be required to keep the quality high so everyone doesn't bail out and go elsewhere.
-- John C. Dvorak on Skype

With AI systems becoming more common, we have to start worrying about security. A network intrusion may be all the more serious if it is a neural net that is affected. New results indicate that it may be easier than we thought to provide data to a learning program that causes it to learn the wrong things.

If you like SciFi you will have seen or read scenarios where the robot or computer, always evil, is defeated by being asked a logical program that has no solution or is distracted by being asked to compute Pi to a billion billion digits. The key idea is that, given machine intelligence, the trick to defeating it is to feed it the wrong data.

-- Alex Armstrong on poison attacks against AI systems


New vulnerabilities

asterisk: two denial of service flaws

Package(s): asterisk    CVE #(s): CVE-2012-3863 CVE-2012-3812
Created: July 20, 2012    Updated: September 18, 2012
Description:

From the Fedora advisory:

CVE-2012-3863: If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP ports.

CVE-2012-3812: If a single voicemail account is manipulated by two parties simultaneously, a condition can occur where memory is freed twice causing a crash.
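The CVE-2012-3863 leak described above, modelled as an added example rather than Asterisk's own code: a minimal SIP dialog table that holds one RTP port per call, where a peer answering a re-INVITE with only a provisional (1xx) response pins its dialog and port indefinitely, and a reaper that releases such dialogs after a timeout. The class names and the 32-second timeout are assumptions.

```python
from dataclasses import dataclass
# Added model of the CVE-2012-3863 leak, not Asterisk code; the 32 s timeout is an assumed value.
@dataclass
class Dialog:
    call_id: str
    rtp_port: int
    reinvite_sent_at: float = 0.0   # when the last re-INVITE went out
    finalised: bool = True          # False while a re-INVITE awaits a final response
class DialogTable:
    def __init__(self, port_pool, reinvite_timeout=32.0):
        self.free_ports = list(port_pool)
        self.dialogs = {}
        self.reinvite_timeout = reinvite_timeout

    def new_call(self, call_id):
        if not self.free_ports:                 # the denial-of-service condition
            raise RuntimeError("no RTP ports available")
        self.dialogs[call_id] = Dialog(call_id, self.free_ports.pop())

    def send_reinvite(self, call_id, now):
        self.dialogs[call_id].reinvite_sent_at = now
        self.dialogs[call_id].finalised = False

    def on_response(self, call_id, status):
        # Only a final response (2xx-6xx) completes the transaction; a peer that
        # stops after a 1xx leaves the dialog, and its RTP port, pinned for good.
        if status >= 200:
            self.dialogs[call_id].finalised = True

    def hangup(self, call_id):
        self.free_ports.append(self.dialogs.pop(call_id).rtp_port)

    def reap(self, now):
        """Mitigation: tear down dialogs whose re-INVITE never got a final response."""
        stale = [c for c, d in self.dialogs.items()
                 if not d.finalised and now - d.reinvite_sent_at > self.reinvite_timeout]
        for c in stale:
            self.hangup(c)
        return stale

def simulate(reap_stale):
    """Four callers answer a re-INVITE with only 183 Session Progress; return free ports."""
    table = DialogTable(range(10000, 10004))
    for i in range(4):
        table.new_call(f"call-{i}")
        table.send_reinvite(f"call-{i}", now=0.0)
        table.on_response(f"call-{i}", 183)   # provisional only; no final response
    if reap_stale:
        table.reap(now=60.0)                  # past the assumed 32 s timeout
    return len(table.free_ports)
```

Without the reaper the pool is exhausted after four calls and the next call fails; with it, the four stale dialogs are torn down and their ports returned.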

Alerts:
Fedora FEDORA-2012-10324 2012-07-20
Debian DSA-2550-1 2012-09-18
Debian DSA-2550-2 2012-09-26
Gentoo 201209-15 2012-09-26


bash: buffer overflow

Package(s): bash    CVE #(s): CVE-2012-3410
Created: July 23, 2012    Updated: April 5, 2013
Description: From the openSUSE advisory:

Bash was fixed to avoid a possible buffer overflow when expanding the /dev/fd prefix with e.g. the test builtin.

Alerts:
openSUSE openSUSE-SU-2012:0898-1 2012-07-23
Mageia MGASA-2012-0184 2012-07-29
Mandriva MDVSA-2012:128 2012-08-09
Gentoo 201210-05 2012-10-19
Mandriva MDVSA-2013:032 2013-04-05
Mandriva MDVSA-2013:019 2013-04-04


chromium: multiple vulnerabilities

Package(s): chromium    CVE #(s): CVE-2012-2842 CVE-2012-2843 CVE-2012-2844 CVE-2012-2822 CVE-2012-2824 CVE-2012-2828 CVE-2012-2832 CVE-2012-2833
Created: July 23, 2012    Updated: August 15, 2012
Description: From the CVE entries:

Use-after-free vulnerability in Google Chrome before 20.0.1132.57 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to counter handling. (CVE-2012-2842)

Use-after-free vulnerability in Google Chrome before 20.0.1132.57 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to layout height tracking. (CVE-2012-2843)

The PDF functionality in Google Chrome before 20.0.1132.57 does not properly handle JavaScript code, which allows remote attackers to cause a denial of service (incorrect object access) or possibly have unspecified other impact via a crafted document. (CVE-2012-2844)

The PDF functionality in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2012-2822)

Use-after-free vulnerability in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to SVG painting. (CVE-2012-2824)

Multiple integer overflows in the PDF functionality in Google Chrome before 20.0.1132.43 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. (CVE-2012-2828)

The image-codec implementation in the PDF functionality in Google Chrome before 20.0.1132.43 does not initialize an unspecified pointer, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document. (CVE-2012-2832)

Buffer overflow in the JS API in the PDF functionality in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2012-2833)

Alerts:
Mageia MGASA-2012-0177 2012-07-21
Gentoo 201208-03 2012-08-14
openSUSE openSUSE-SU-2012:0993-1 2012-08-15


kdepim: disable code execution by default in HTML email

Package(s): kdepim    CVE #(s): CVE-2012-3413
Created: July 19, 2012    Updated: July 27, 2012
Description:

From the Fedora advisory:

It was reported [1],[2] that kdepim enabled Java, JavaScript, and plugin support by default. This could allow for the execution of Java/JavaScript or the loading of remote images in KMail's rendering of HTML email.

Alerts:
Fedora FEDORA-2012-10410 2012-07-19
Ubuntu USN-1512-1 2012-07-19
Fedora FEDORA-2012-10411 2012-07-26


nsd3: denial of service

Package(s): nsd3    CVE #(s): CVE-2012-2978
Created: July 19, 2012    Updated: August 10, 2012
Description:

From the Debian advisory:

Marek Vavruša and Lubos Slovak discovered that NSD, an authoritative domain name server, is not properly handling non-standard DNS packets. This can result in a NULL pointer dereference and crash the handling process. A remote attacker can abuse this flaw to perform denial of service attacks.

Alerts:
Debian DSA-2515-1 2012-07-19
Fedora FEDORA-2012-10893 2012-07-30
Fedora FEDORA-2012-10887 2012-07-30
Fedora FEDORA-2012-11207 2012-08-09
Fedora FEDORA-2012-11203 2012-08-09


php: multiple vulnerabilities

Package(s): php    CVE #(s): CVE-2012-2688 CVE-2012-3365
Created: July 23, 2012    Updated: February 28, 2013
Description: From the Mandriva advisory:

Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an overflow (CVE-2012-2688).

The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors (CVE-2012-3365).

Alerts:
Mandriva MDVSA-2012:108 2012-07-23
Mageia MGASA-2012-0186 2012-07-30
Fedora FEDORA-2012-10936 2012-08-05
Fedora FEDORA-2012-10908 2012-08-05
openSUSE openSUSE-SU-2012:0976-1 2012-08-09
Debian DSA-2527-1 2012-08-13
SUSE SUSE-SU-2012:1034-1 2012-08-24
Ubuntu USN-1569-1 2012-09-17
Gentoo 201209-03 2012-09-23
Red Hat RHSA-2013:0514-02 2013-02-21
Oracle ELSA-2013-0514 2013-02-28
Scientific Linux SL-php-20130228 2013-02-28
CentOS CESA-2013:0514 2013-03-09


tiff: code execution

Package(s): tiff    CVE #(s): CVE-2012-3401
Created: July 19, 2012    Updated: August 10, 2012
Description:

From the Ubuntu advisory:

Huzaifa Sidhpurwala discovered that the tiff2pdf utility incorrectly handled certain malformed TIFF images. If a user or automated system were tricked into opening a specially crafted TIFF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Alerts:
Ubuntu USN-1511-1 2012-07-19
Mageia MGASA-2012-0181 2012-07-24
Fedora FEDORA-2012-11000 2012-07-26
openSUSE openSUSE-SU-2012:0955-1 2012-08-06
Mandriva MDVSA-2012:127 2012-08-08
Fedora FEDORA-2012-10978 2012-08-09
Gentoo 201209-02 2012-09-23
Debian DSA-2552-1 2012-09-26
Red Hat RHSA-2012:1590-01 2012-12-18
CentOS CESA-2012:1590 2012-12-19
Oracle ELSA-2012-1590 2012-12-18
Oracle ELSA-2012-1590 2012-12-19
Scientific Linux SL-libt-20121219 2012-12-19
Mandriva MDVSA-2013:046 2013-04-05


Page editor: Jake Edge

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds