

Brief items

Chaostables for confusing nmap scans

January 17, 2007

This article was contributed by Jake Edge.

Chaostables is a recently released collection of code that provides a means to confuse an nmap scan. The author, Jan Engelhardt, has provided these capabilities as both netfilter modules for Linux 2.6.18-20 and as iptables rules. He has an excellent description of what he is trying to accomplish and how he does it, as well.

Utilities like nmap (described in an LWN article last year) are often used by those with malicious intent to discover available hosts, open ports, OS versions, and the like to help target their attacks. Chaostables seeks to generate confusing results to these probes. To that end, Engelhardt has derived a set of behaviors that correspond to these types of scans and a set of rules to detect and deflect them.

Since 2.4, the standard way of doing Linux packet filtering is by using the iptables utility which provides a userspace interface to the netfilter kernel modules. Netfilter provides a set of kernel hooks for examining and manipulating network packets and is the framework for Linux firewall implementations. Administrators define rules that identify particular kinds of packets and specify what to do with them; those rules are ordered and collected into chains which are then grouped into tables. All of this packet policy can then be pushed into the kernel via the iptables utility.

The chaostables rules start with dropping some ICMP packets that could reveal the existence of the host and then start concentrating on the kinds of packets sent by scanning utilities. Techniques like TCP stealth, SYN, connect and grab scans are detected and dropped to attempt to hide the host while still allowing 'real' network traffic. These rules are then rolled up into the 'portscan' netfilter module in order to reduce the complexity of the chains that need to be installed.

A second kind of chain provides ways to disguise the underlying system by making Linux appear to be another OS entirely. Network scanning utilities often try to throttle their scans when they detect a system that limits the number of ICMP or RST packets sent per second. Linux is not one of those kinds of systems, but the CHAOS chain makes it look as if it is by limiting RST and ICMP packets to two per second. It also uses the 'random' netfilter rule to generate negative responses on closed ports only some of the time. The net effect is that the scanner gets inconsistent results: sometimes a port will appear closed and sometimes not, with the added bonus of potentially slowing down the scan.

The CHAOS chain can be combined with the TARPIT chain to cause ports to appear to be open when in fact they are not. This can slow down a network scan as it attempts to elicit additional information from a seemingly open port. The TARPIT chain can consume router and/or firewall resources by appearing to be an open connection, so chaostables provides the DELUDE chain. It will make ports appear to be open on an initial connect (SYN), but revert to their true closed state for any additional traffic.
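To make the description of the CHAOS chain above concrete, here is an added example (not chaostables' own code, which ships its behaviour as a netfilter target) that builds an equivalent chain from stock iptables matches and emits it in iptables-restore syntax. It reproduces the two behaviours the article describes: RST and ICMP error replies capped at two per second, and closed TCP ports answered with a RST only some of the time. The 'statistic' match stands in for the older 'random' match the article mentions; the chain name CHAOS_DEMO and the 50% default probability are this example's assumptions. The TARPIT and DELUDE behaviours need a target that fabricates SYN/ACKs and are not reproducible with stock matches, so they are left out.

```shell
#!/bin/sh
# Added example, not part of chaostables: a CHAOS-like chain built only
# from standard iptables matches, printed in iptables-restore format.
#   - ICMP port-unreachable and TCP RST replies are limited to two per
#     second, so the host looks like one that throttles and scanners
#     back off;
#   - a closed TCP port gets a RST for only a fraction of the SYNs it
#     sees, so repeated probes of the same port disagree with each other.
# Assumptions: chain name CHAOS_DEMO, probability 0.5, 'statistic' match
# in place of the 'random' match named in the article.

chaos_rules() {
    prob="${1:-0.5}"          # fraction of closed-port SYNs answered with a RST
    chain="${2:-CHAOS_DEMO}"  # chain the caller jumps to for unwanted traffic

    # iptables-restore will reject a bad probability anyway, but fail early
    # with a readable message.
    case "$prob" in
        0|1|0.[0-9]*|1.0) ;;
        *) echo "chaos_rules: probability must be between 0 and 1" >&2; return 1 ;;
    esac

    cat <<EOF
*filter
:${chain} - [0:0]
# Packets belonging to connections a real service already accepted pass
# untouched; only new, unsolicited packets are fooled with.
-A ${chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Closed UDP port: ICMP port-unreachable, but at most two per second.
-A ${chain} -p udp -m limit --limit 2/second --limit-burst 2 -j REJECT --reject-with icmp-port-unreachable
# Closed TCP port: a RST for roughly ${prob} of the SYNs, again capped at two per second.
-A ${chain} -p tcp --syn -m statistic --mode random --probability ${prob} -m limit --limit 2/second --limit-burst 2 -j REJECT --reject-with tcp-reset
# Everything that did not get a reply is silently dropped, like a filtered port.
-A ${chain} -j DROP
COMMIT
EOF
}
```

Run `chaos_rules 0.5 | iptables-restore -n` (the `-n` flag adds the chain without flushing the existing ruleset), then append `iptables -A INPUT -j CHAOS_DEMO` after the rules that accept the host's real services, so that only traffic no service wants reaches the chain. The ACCEPT for ESTABLISHED,RELATED state is what keeps 'real' traffic flowing while the probes get inconsistent answers.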

Chaostables is quite an interesting use of the netfilter technology and probably uses it in ways that netfilter's authors never expected. It may be that only the most paranoid of system administrators will want to implement these chains, but they will be available if needed. In addition, the techniques and code provided in the package are very useful as examples for other applications.


Security reports

Phishing Attacks Continue to Grow in Sophistication (Netcraft)

Netcraft examines the latest trends in the world of Phishing. "Phishing attacks are continually evolving, as fraudsters develop new strategies and quickly refine them in an effort to stay a step ahead of banking customers and the security community. Here are some of the phishing trends and innovations we noted in 2006".


New vulnerabilities

acroread: multiple vulnerabilities

Package(s): acroread
CVE #(s): CVE-2006-5857 CVE-2007-0045 CVE-2007-0046
Created: January 11, 2007
Updated: October 26, 2009
Description: Adobe's Acrobat Reader has the following vulnerabilities:

The Adobe Reader Plugin has a cross-site scripting vulnerability that can be triggered by processing malformed URLs. Arbitrary JavaScript can be served by a malicious web server, leading to a cross-site scripting attack.

Maliciously crafted PDF files can be used to trigger two vulnerabilities; if an attacker can trick a user into viewing the files, arbitrary code can be executed with the user's privileges.

SuSE SUSE-SA:2009:049 acroread 2009-10-26
Gentoo 200910-03 acroread 2009-10-25
Red Hat RHSA-2007:0021-01 acroread 2007-01-22
Gentoo 200701-16 acroread 2007-01-22
SuSE SUSE-SA:2007:011 acroread 2007-01-22
Red Hat RHSA-2007:0017-01 acroread 2007-01-11


bluez-utils: hidd vulnerability

Package(s): bluez-utils
CVE #(s): CVE-2006-6899
Created: January 16, 2007
Updated: May 14, 2007
Description: hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the Mouse and Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack.
Red Hat RHSA-2007:0065-01 bluez-utils 2007-05-14
Ubuntu USN-413-1 bluez-utils 2007-01-24
Mandriva MDKSA-2007:014 bluez-utils 2006-01-15


horde-kronolith: local file inclusion

Package(s): horde-kronolith
CVE #(s): CVE-2006-6175
Created: January 17, 2007
Updated: March 7, 2008
Description: Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user).
Gentoo 200701-11 horde-kronolith 2007-01-16


kdenetwork: denial of service

Package(s): kdenetwork
CVE #(s): CVE-2006-6811
Created: January 11, 2007
Updated: February 1, 2007
Description: The KsIRC 1.3.12 utility in kdenetwork is vulnerable to a remote denial of service attack that can be caused by a malicious IRC server sending a long PRIVMSG string. This causes an assertion failure and an associated NULL pointer dereference.
Gentoo 200701-26 ksirc 2007-01-29
rPath rPSA-2007-0007-1 kdenetwork 2007-01-15
Ubuntu USN-409-1 kdenetwork 2007-01-15
Mandriva MDKSA-2007:009 kdenetwork 2007-01-10


libgtop2: buffer overflow

Package(s): libgtop2
CVE #(s): CVE-2007-0235
Created: January 15, 2007
Updated: August 9, 2007
Description: The /proc parsing routines in libgtop are vulnerable to a buffer overflow. If an attacker can run a process from a specially crafted long path and then trick a user into running gnome-system-monitor, arbitrary code can be executed with the user's privileges.
Fedora FEDORA-2007-657 libgtop2 2007-08-02
Red Hat RHSA-2007:0765-01 libgtop2 2007-08-07
Debian DSA-1255-1 libgtop2 2007-01-31
rPath rPSA-2007-0014-1 libgtop 2007-01-23
Gentoo 200701-17 libgtop 2007-01-23
Mandriva MDKSA-2007:023 libgtop2 2007-01-18
Ubuntu USN-407-1 libgtop2 2007-01-15


libneon: denial of service

Package(s): libneon
CVE #(s): CVE-2007-0157
Created: January 13, 2007
Updated: January 17, 2007
Description: The URI parser in neon versions 0.26.0 through 0.26.2 has a denial of service vulnerability. Remote servers can cause a crash by sending a URI with non-ASCII characters.
Mandriva MDKSA-2007:013 libneon 2007-01-12


libsoup: denial of service

Package(s): libsoup
CVE #(s): CVE-2006-5876
Created: January 13, 2007
Updated: January 29, 2007
Description: The libsoup HTTP library does not sanitize input sufficiently when parsing HTTP headers. This can be exploited to cause a denial of service.
Fedora FEDORA-2007-109 libsoup 2007-01-29
Mandriva MDKSA-2007:029 libsoup 2006-01-26
Ubuntu USN-411-1 libsoup 2007-01-23
rPath rPSA-2007-0015-1 libsoup 2007-01-23
Debian DSA-1248-1 libsoup 2007-01-12


oftpd: denial of service

Package(s): oftpd
CVE #(s): CVE-2006-6767
Created: January 16, 2007
Updated: January 17, 2007
Description: By specifying an unsupported address family in the arguments to a LPRT or LPASV command, an assertion in oftpd will cause the daemon to abort. Remote, unauthenticated attackers may be able to terminate any oftpd process, denying service to legitimate users.
Gentoo 200701-09 oftpd 2007-01-15


opera: multiple vulnerabilities

Package(s): opera
CVE #(s): CVE-2007-0126 CVE-2007-0127
Created: January 13, 2007
Updated: January 17, 2007
Description: The Opera browser has a heap overflow vulnerability involving the DHT markers in JPEG files. If a specially crafted JPEG file is read from a web site, arbitrary code may be executed with the privileges of the user.

Also, the createSVGTransformFromMatrix() function does not correctly handle passed-in objects; this can be used to execute arbitrary code.

SuSE SUSE-SA:2007:009 opera 2007-01-15
Gentoo 200701-08 opera 2007-01-12


wget: denial of service

Package(s): wget
CVE #(s): CVE-2006-6719
Created: January 11, 2007
Updated: January 23, 2007
Description: The wget http file retriever application has a problem with the ftp_syst function in ftp-basic.c. A malicious FTP server which sends a large number of blank 220 responses to the SYST command can cause wget to crash, resulting in a denial of service.
rPath rPSA-2007-0011-1 wget 2007-01-23
Mandriva MDKSA-2007:017 wget 2006-01-15
Fedora FEDORA-2007-043 wget 2007-01-10
Fedora FEDORA-2007-037 wget 2007-01-10


wordpress: multiple vulnerabilities

Package(s): wordpress
CVE #(s): CVE-2006-6808 CVE-2007-0107 CVE-2007-0109
Created: January 16, 2007
Updated: January 17, 2007
Description: When decoding trackbacks with alternate character sets, WordPress does not correctly sanitize the entries before further modifying a SQL query. WordPress also displays different error messages in wp-login.php based upon whether or not a user exists. David Kierznowski has discovered that WordPress fails to properly sanitize recent file information in /wp-admin/templates.php before sending that information to a browser. An attacker could inject arbitrary SQL into WordPress database queries. An attacker could also determine whether a WordPress user exists by trying to log in as that user, better facilitating brute force attacks. Lastly, an attacker authenticated to view the administrative section of a WordPress instance could try to edit a file with a malicious filename; this may cause arbitrary HTML or JavaScript to be executed in the browsers of users viewing /wp-admin/templates.php.
Gentoo 200701-10 wordpress 2007-01-15


Page editor: Rebecca Sobol

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds