Security
BackTrack 4: the security professional's toolbox
After a beta period of almost a year, the developers of BackTrack have released the long-awaited successor to version 3. This specialized Linux distribution keeps its focus on security tools for penetration testers and security professionals, but also expands into a new direction: forensic investigations. It comes as a live distribution that is also installable on hard drive, and provides hundreds of open source security tools in a categorized menu hierarchy.
While previous releases were based on Slackware-derivative SLAX, BackTrack 4 (code name "pwnsauce") is based on Ubuntu 8.10 ("Intrepid Ibex"). However, this is not a typical Ubuntu spin-off with a pre-chosen package set and some eye candy glued on top: many of the tools have received a custom configuration or patches to accommodate the needs of security professionals. Therefore, the developers have set up their own package repositories for updates. Under the hood lies a 2.6.30 kernel with a variety of patched wireless drivers to "enhance wireless injection attacks" as well as some older wireless drivers for stability.
BackTrack 4 can be downloaded as a 1.5 GB ISO file or as 2 GB VMware image. Actually, the ISO file is all you need in most circumstances: it can be burned to a DVD, written to a USB stick with tools such as Unetbootin or launched as a virtual machine in VirtualBox, VMware, Xen, KVM, and so forth. Instead of using it as a live system, BackTrack 4 can now also be installed from within the live environment, thanks to Ubuntu's Ubiquity installer. The project's website lists tutorials for a couple of installation types, including an installation to hard disk, a dual boot installation, or a persistent installation on a USB stick.
Working with BackTrack
![frame buffer console](https://static.lwn.net/images/2010/bt4-fb-sm.png)
After choosing the default option in the GRUB menu, BackTrack starts with a stylish frame buffer console. One can start working right away on the command line, or fire up a graphical desktop environment with startx. This presents the user with a KDE 3 desktop which has some nice tweaks. For example, there is a Run box embedded in the panel at the bottom, which allows applications to be run without invoking a terminal first. However, some of the tweaks are annoying. For example, the KDE desktop welcomes the user with a very loud startup tune and many system sounds are set at an equally loud level. Also keep in mind that, for the sake of security, networking is disabled by default, so the user has to fire it up manually with a /etc/init.d/networking start command.
The purpose of BackTrack is to present a collection of hundreds of open source security tools. It would be out of the scope of this article to list them all. Luckily, all these tools are well organized in different submenus of the "Backtrack" menu: "Information Gathering", "Network Mapping", "Vulnerability Identification", "Web Application Analysis", "Radio Network Analysis", "Penetration", "Privilege Escalation", "Maintaining Access", "Digital Forensics", "Reverse Engineering", "Voice Over IP", and "Miscellaneous". Each submenu is further subdivided into subcategories. Most of the tools are command line utilities, but a nice feature is that the menu items open a terminal window with the relevant tool showing its usage info (e.g. with the --help option).
The start menu also has some general menus like "Internet", "Graphics", "Multimedia", "System", "Utilities", etc. containing "normal" programs. The nice thing is that even some of these programs have a custom configuration. For example, Firefox is configured with the NoScript extension, protecting the penetration tester against malicious JavaScript on the hacker websites he is likely to visit, the Tamper Data extension to view and modify HTTP headers, and the HackBar toolbar to help find and test SQL injection and cross-site scripting (XSS) holes. Moreover, the bookmarks toolbar is filled with some relevant web sites, such as the BackTrack web site and the Metasploit Project. Installing other software is possible with Synaptic or apt-get, which have access to the BackTrack repository, and getting an up-to-date BackTrack is as simple as an apt-get update && apt-get upgrade command.
With each release, BackTrack adds some new software. Starting with BackTrack 4, the distribution supports accelerated password cracking assisted by graphics cards. The Pyrit WPA cracking tool does this using NVIDIA's CUDA. Another newcomer is OpenVAS: previous releases of BackTrack didn't ship with the vulnerability scanner Nessus because of license issues, but BackTrack 4 finally makes up for this with the inclusion of the GPL-licensed OpenVAS.
Forensics
BackTrack 4 adds a new focus, indicated by the new boot menu item "Start BackTrack Forensics". Traditionally, BackTrack wasn't suitable for forensic purposes because it automatically mounts available drives and uses any swap partition it finds on the hard drive. In a forensic investigation of a computer this is obviously a recipe for disaster: it changes last-mount times, and it also wipes out hidden data in the swap partition which could be important evidence. BackTrack 4 still does all that by default, but not if you start it with the forensics option in the boot menu.
The BackTrack developers have also expanded their collection of tools in the "Digital Forensics" menu. All of this means that BackTrack is now not only useful for penetration testers and security professionals, but increasingly for forensic experts as well. Of course, if used in a forensic investigation it is of utmost importance that BackTrack not go through an unattended boot, as this will use the standard boot mode which 'contaminates' the machine. To be really on the safe side, forensic experts should change the default boot option to the forensic one.
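The contamination risk described above can be verified from inside the live environment before an investigator touches anything else. The following Python script is an added example, not part of BackTrack or of the original article: it parses the text of /proc/swaps and /proc/mounts (the sample contents below are constructed for illustration) and reports whether any partition of a given evidence disk, assumed here to be /dev/sda, has been mounted or activated as swap by the boot.

```python
"""Check that a live environment has not mounted or swapped on an evidence disk.

Added example; not BackTrack code. It inspects the text of /proc/swaps and
/proc/mounts. The sample contents below are constructed for illustration.
"""
import re

# Constructed sample of /proc/swaps after a default (non-forensic) boot:
# the live system has activated the swap partition found on the disk.
SWAPS_DEFAULT_BOOT = """\
Filename                                Type            Size    Used    Priority
/dev/sda5                               partition       2097144 0       -1
"""

# Constructed sample of /proc/mounts from the same boot: /dev/sda1 was
# automounted read-write, which updates the filesystem's last-mount time.
MOUNTS_DEFAULT_BOOT = """\
rootfs / rootfs rw 0 0
/dev/loop0 /rofs squashfs ro 0 0
/dev/sda1 /mnt/sda1 ext3 rw,relatime,data=ordered 0 0
tmpfs /tmp tmpfs rw 0 0
"""

# Constructed sample from a forensic-mode boot: no swap, evidence disk untouched.
SWAPS_FORENSIC_BOOT = """\
Filename                                Type            Size    Used    Priority
"""
MOUNTS_FORENSIC_BOOT = """\
rootfs / rootfs rw 0 0
/dev/loop0 /rofs squashfs ro 0 0
tmpfs /tmp tmpfs rw 0 0
"""


def _is_partition_of(device: str, disk: str) -> bool:
    """True if device is the disk itself or one of its partitions (/dev/sda1 of /dev/sda)."""
    return device == disk or bool(re.fullmatch(re.escape(disk) + r"p?\d+", device))


def active_swaps(proc_swaps: str, disk: str) -> list:
    """Swap devices listed in /proc/swaps text that live on the evidence disk."""
    hits = []
    for line in proc_swaps.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if fields and _is_partition_of(fields[0], disk):
            hits.append(fields[0])
    return hits


def evidence_mounts(proc_mounts: str, disk: str) -> list:
    """(device, mountpoint, options) for every evidence-disk partition that is mounted.

    Any mount counts, not only read-write ones: the safe state for evidence
    is 'not mounted at all', since even a read-only mount of a journaled
    filesystem may replay the journal unless explicitly told not to.
    """
    hits = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and _is_partition_of(fields[0], disk):
            hits.append((fields[0], fields[1], fields[3]))
    return hits


def evidence_untouched(proc_swaps: str, proc_mounts: str, disk: str) -> bool:
    """True only if nothing on the evidence disk is mounted or in use as swap."""
    return not active_swaps(proc_swaps, disk) and not evidence_mounts(proc_mounts, disk)


if __name__ == "__main__":
    # On a real system read the kernel files instead of the constructed samples:
    #   open("/proc/swaps").read(), open("/proc/mounts").read()
    for label, swaps, mounts in (("default boot", SWAPS_DEFAULT_BOOT, MOUNTS_DEFAULT_BOOT),
                                 ("forensic boot", SWAPS_FORENSIC_BOOT, MOUNTS_FORENSIC_BOOT)):
        print(f"{label}: evidence disk untouched = "
              f"{evidence_untouched(swaps, mounts, '/dev/sda')}")
```

Run it before starting an acquisition; if it reports anything mounted or swapped on the evidence disk, the machine was booted in the standard mode and the state of that disk can no longer be described as pristine.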
Conclusion
Although BackTrack documentation itself is scarce and fragmentary, this is not a big issue, because it's more about the tools than about the distribution. For people wanting to train their penetration testing skills, the developers offer a "Penetration testing With BackTrack" course. Upon completion of this course, students become eligible to take a certification challenge in an unfamiliar lab. After successful completion of this hands-on challenge, they receive the Offensive Security Certified Professional (OSCP) certification.
More than ever, BackTrack is an excellent Linux distribution for security professionals. With the move from a SLAX-based live CD to a full-blown Ubuntu-based Linux distribution, it's much easier to update the system, install other software or customize the distribution. New tools like OpenVAS and Pyrit are a welcome addition to the security professional's toolbox. In addition, with the increased focus on forensics, the distribution will surely find some use outside the traditional penetration testers' scene.
New vulnerabilities
aria2: denial of service
Package(s): aria2
CVE #(s): CVE-2009-3617
Created: January 14, 2010
Updated: January 20, 2010
Description: From the CVE entry:
Format string vulnerability in the AbstractCommand::onAbort function in src/AbstractCommand.cc in aria2 before 1.6.2, when logging is enabled, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a download URI. NOTE: some of these details are obtained from third party information.
bash: multiple vulnerabilities
Package(s): bash
CVE #(s): CVE-2010-0002 CVE-2008-5374
Created: January 14, 2010
Updated: September 23, 2011
Description: From the Mandriva alert:
A vulnerability has been discovered in the Mandriva bash package, which could allow a malicious user to hide files from the ls command, or garble its output by crafting files or directories which contain special characters or escape sequences (CVE-2010-0002). This update fixes the issue by disabling the display of control characters by default. Additionally, this update fixes the unsafe file creation in bash-doc sample scripts (CVE-2008-5374).
bind: multiple vulnerabilities
Package(s): bind
CVE #(s): CVE-2010-0097 CVE-2010-0290
Created: January 20, 2010
Updated: June 28, 2010
Description: From the Red Hat advisory:
A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097)
The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290)
gcc: arbitrary code execution
Package(s): gcc
CVE #(s): CVE-2009-3736
Created: January 14, 2010
Updated: March 22, 2010
Description: From the Red Hat security update:
A flaw was found in the way GNU Libtool's libltdl library looked for libraries to load. It was possible for libltdl to load a malicious library from the current working directory. In certain configurations, if a local attacker is able to trick a local user into running a Java application (which uses a function to load native libraries, such as System.loadLibrary) from within an attacker-controlled directory containing a malicious library or module, the attacker could possibly execute arbitrary code with the privileges of the user running the Java application.
glibc: encrypted password disclosure via NIS
Package(s): glibc
CVE #(s): CVE-2010-0015
Created: January 20, 2010
Updated: October 28, 2010
Description: From the Debian advisory:
Christoph Pleger has discovered that the GNU C Library (aka glibc) and its derivatives add information from the passwd.adjunct.byname map to entries in the passwd map, which allows local users to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
gzip: arbitrary code execution
Package(s): gzip
CVE #(s): CVE-2009-2624
Created: January 20, 2010
Updated: March 8, 2010
Description: From the Debian advisory:
Thiemo Nagel discovered a missing input sanitation flaw in the way gzip used to decompress data blocks for dynamic Huffman codes, which could lead to the execution of arbitrary code when trying to decompress a crafted archive. This issue is a reappearance of CVE-2006-4334 and only affects the lenny version.
gzip: arbitrary code execution
Package(s): gzip
CVE #(s): CVE-2010-0001
Created: January 20, 2010
Updated: October 17, 2011
Description: From the Red Hat advisory:
An integer underflow flaw, leading to an array index error, was found in the way gzip expanded archive files compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. If a victim expanded a specially-crafted archive, it could cause gzip to crash or, potentially, execute arbitrary code with the privileges of the user running gzip. This flaw only affects 64-bit systems. (CVE-2010-0001)
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2006-6304 CVE-2009-3556 CVE-2009-4020 CVE-2009-4141 CVE-2009-4272
Created: January 20, 2010
Updated: November 5, 2012
Description: From the Red Hat advisory:
* The RHSA-2009:0225 update introduced a rewrite attack flaw in the do_coredump() function. A local attacker able to guess the file name a process is going to dump its core to, prior to the process crashing, could use this flaw to append data to the dumped core file. This issue only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value is 0). (CVE-2006-6304, Moderate) The fix for CVE-2006-6304 changes the expected behavior: with suid_dumpable set to 2, the core file will not be recorded if the file already exists. For example, core files will not be overwritten on subsequent crashes of processes whose core files map to the same name.
* The RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support in the qla2xxx driver, resulting in two new sysfs pseudo files, "/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete". These two files were world-writable by default, allowing a local user to change SCSI host attributes. This flaw only affects systems using the qla2xxx driver and NPIV capable hardware. (CVE-2009-3556, Moderate)
* A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS file system implementation. This could lead to a denial of service if a user browsed a specially-crafted HFS file system, for example, by running "ls". (CVE-2009-4020, Low)
* Tavis Ormandy discovered a deficiency in the fasync_helper() implementation. This could allow a local, unprivileged user to leverage a use-after-free of locked, asynchronous file descriptors to cause a denial of service or privilege escalation. (CVE-2009-4141, Important)
* The Parallels Virtuozzo Containers team reported that the RHSA-2009:1243 update introduced two flaws in the routing implementation. If an attacker was able to cause a large enough number of collisions in the routing hash table (via specially-crafted packets) for the emergency route flush to trigger, a deadlock could occur. Secondly, if the kernel routing cache was disabled, an uninitialized pointer would be left behind after a route lookup, leading to a kernel panic. (CVE-2009-4272, Important)
libthai: arbitrary code execution
Package(s): libthai
CVE #(s): CVE-2009-4012
Created: January 15, 2010
Updated: February 1, 2010
Description: From the Debian advisory:
Tim Starling discovered that libthai, a set of Thai language support routines, is vulnerable to an integer/heap overflow. This vulnerability could allow an attacker to run arbitrary code by sending a very long string.
mysql: multiple vulnerabilities
Package(s): mysql
CVE #(s): CVE-2009-4028 CVE-2009-4030
Created: January 18, 2010
Updated: January 14, 2013
Description: From the Mandriva advisory:
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library (CVE-2009-4028).
MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079 (CVE-2009-4030).
openssl: denial of service
Package(s): openssl
CVE #(s): CVE-2009-4355
Created: January 14, 2010
Updated: April 19, 2010
Description: From the Debian alert:
It was discovered that a significant memory leak could occur in openssl, related to the reinitialization of zlib. This could result in a remotely exploitable denial of service vulnerability when using the Apache httpd server in a configuration where mod_ssl, mod_php5, and the php5-curl extension are loaded.
phpMyAdmin: multiple vulnerabilities
Package(s): phpMyAdmin
CVE #(s): CVE-2008-7251 CVE-2008-7252 CVE-2009-4605
Created: January 20, 2010
Updated: April 19, 2010
Description: From the Mandriva advisory:
libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a temporary directory with 0777 permissions, which has unknown impact and attack vectors (CVE-2008-7251).
libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors (CVE-2008-7252).
scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors (CVE-2009-4605).
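The two temporary-file issues in the phpMyAdmin entry (a world-writable directory and predictable names) have one standard remedy: create the directory with an unpredictable name and a restrictive mode in a single operation. The Python program below is an added example, not phpMyAdmin's code; it builds the weak variant next to the hardened one under a scratch directory and checks the resulting permissions so the difference is observable.

```python
"""Weak versus hardened temporary-directory creation.

Added example; not phpMyAdmin code. The weak variant reproduces the two
mistakes from the advisory (0777 mode, predictable name) in a scratch
location purely for contrast; the hardened variant uses tempfile.mkdtemp,
which chooses an unpredictable name and mode 0700 in one atomic step.
"""
import os
import shutil
import stat
import tempfile


def weak_tmpdir(base: str, session_id: str) -> str:
    """Predictable name under a shared base, world-writable: any local user
    can pre-create or populate it. Shown for contrast only; do not use."""
    path = os.path.join(base, "upload_" + session_id)
    os.makedirs(path, mode=0o777, exist_ok=True)
    os.chmod(path, 0o777)  # defeat the umask, as an explicit 0777 request does
    return path


def hardened_tmpdir(base: str) -> str:
    """Unpredictable name, created with mode 0700 in one call that fails if
    the path already exists, so nobody can race the creation."""
    return tempfile.mkdtemp(prefix="upload_", dir=base)


def dir_mode(path: str) -> int:
    """Permission bits of path as an int (for example 0o700)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_writable(path: str) -> bool:
    return bool(dir_mode(path) & stat.S_IWOTH)


def is_private(path: str) -> bool:
    """True if only the owner has any access and the directory is ours."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode) == 0o700 and st.st_uid == os.getuid()


def demo(base=None) -> dict:
    """Create both kinds of directory under a scratch base, report, clean up."""
    base = base or tempfile.mkdtemp(prefix="demo_base_")
    weak = weak_tmpdir(base, "42")          # session id "42" is a constructed value
    good = hardened_tmpdir(base)
    result = {
        "weak_world_writable": is_world_writable(weak),
        "weak_name_predictable": weak == os.path.join(base, "upload_42"),
        "hardened_private": is_private(good),
        "hardened_name_differs_each_time": hardened_tmpdir(base) != good,
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same two properties (mode 0600/0700 and an unguessable name chosen by the library) are what tempfile.mkstemp gives for files; the general rule is never to compose a temporary path from values an attacker can predict and never to widen its permissions afterwards.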
php-ZendFramework: multiple vulnerabilities
Package(s): php-ZendFramework
CVE #(s):
Created: January 18, 2010
Updated: January 20, 2010
Description: From the Zend Framework release notes for 1.97:
The following security vulnerabilities are resolved in these releases:
ruby: escape sequence injection
Package(s): ruby
CVE #(s): CVE-2009-4492
Created: January 14, 2010
Updated: August 15, 2011
Description: From the Fedora alert:
A security vulnerability has been found in the WEBrick module of the Ruby currently shipped in Fedora 11: WEBrick lets attackers inject malicious escape sequences into its logs, making it possible for dangerous control characters to be executed on a victim's terminal emulator.
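The bash entry (CVE-2010-0002) and the ruby entry (CVE-2009-4492) share a root cause: a program echoes attacker-chosen bytes, a file name in one case and a logged request line in the other, to a terminal without neutralising control characters, so the terminal emulator interprets any escape sequences they contain. The Python function below is an added example, not code from bash, WEBrick or any other project on this page; it renders untrusted strings for display in the same spirit as GNU ls -b, using constructed sample inputs for both scenarios.

```python
"""Neutralise terminal control characters in untrusted strings before display.

Added example; not bash or WEBrick code. One escaping routine serves both
cases on this page: file names printed by a directory listing, and request
lines written to a web server log that an administrator may later view in
a terminal.
"""


def escape_control(s: str) -> str:
    """Return s with C0 controls, DEL and C1 controls rendered as octal escapes.

    Printable characters pass through unchanged; a backslash is doubled so
    the output stays unambiguous. ESC (0x1b) becomes \\033, so an embedded
    ANSI sequence is shown as text instead of being acted on by the terminal.
    """
    out = []
    for ch in s:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or 0x7F <= code <= 0x9F:
            out.append("\\%03o" % code)
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample: a directory containing a file whose name begins with a
# cursor-up and erase-line sequence, which makes a naive listing overwrite
# the previous entry on screen (the CVE-2010-0002 scenario).
SAMPLE_FILENAMES = [
    "report.txt",
    "\x1b[1A\x1b[2Kevil.sh",
    "notes\nwith newline",
]

# Constructed sample: a request line as a web server would log it, where the
# path carries an OSC sequence that sets the terminal title (CVE-2009-4492).
SAMPLE_LOG_LINE = "GET /\x1b]0;title\x07index.html HTTP/1.1"


def safe_listing(names) -> list:
    """Escaped file names, one per entry, as a hardened listing would print them."""
    return [escape_control(n) for n in names]


def safe_log_line(line: str) -> str:
    """Log-safe version of a request line: only printable characters remain."""
    return escape_control(line)


if __name__ == "__main__":
    for name in safe_listing(SAMPLE_FILENAMES):
        print(name)
    print(safe_log_line(SAMPLE_LOG_LINE))
```

Escaping at output time is the right layer: the data can stay intact in the log or on disk, and whoever later prints it in a terminal is protected regardless of which tool does the printing.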
squirrelmail: arbitrary code execution
Package(s): squirrelmail
CVE #(s): CVE-2009-1381
Created: January 14, 2010
Updated: January 20, 2010
Description: From the CVE entry:
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.
systemtap: arbitrary code execution
Package(s): systemtap
CVE #(s): CVE-2009-4273
Created: January 18, 2010
Updated: April 27, 2010
Description: From the Red Hat bugzilla entry:
A flaw was found in the "stap-server" network compilation server, an optional part of systemtap. Part of the server is written in bash and does not adequately sanitize its inputs, which are essentially full command line parameter sets from a client. Remote users may be able to abuse quoting/spacing/metacharacters to execute shell code on behalf of the compile server process/user (normally a fully unprivileged synthetic userid).
transmission: cross-site request forgery
Package(s): transmission
CVE #(s): CVE-2009-1757
Created: January 18, 2010
Updated: January 20, 2010
Description: From the Mandriva advisory:
Cross-site request forgery (CSRF) vulnerability in Transmission 1.5 before 1.53 and 1.6 before 1.61 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors (CVE-2009-1757).
virtualbox: multiple vulnerabilities
Package(s): virtualbox
CVE #(s): CVE-2009-3692 CVE-2009-3940
Created: January 14, 2010
Updated: March 11, 2010
Description: From the Gentoo alert:
* A shell metacharacter injection in popen() (CVE-2009-3692) and a possible buffer overflow in strncpy() in the VBoxNetAdpCtl configuration tool.
* An unspecified vulnerability in VirtualBox Guest Additions (CVE-2009-3940).
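The squirrelmail (CVE-2009-1381), systemtap (CVE-2009-4273) and virtualbox (CVE-2009-3692) entries above describe one bug class: untrusted text is pasted into a command line that a shell then parses, so metacharacters in it become commands. The Python program below is an added example, not code from any of those projects; it follows the SquirrelMail shape (a username handed to ypmatch) and shows the unsafe pattern beside the two-layer fix, with echo standing in for ypmatch so it runs on any machine without NIS.

```python
"""Shell metacharacter injection: the unsafe pattern beside the fix.

Added example; not SquirrelMail, systemtap or VirtualBox code. The
illustration follows the SquirrelMail case (a username passed to ypmatch);
'echo' is substituted for ypmatch so the demonstration runs without NIS.
"""
import re
import subprocess

# Allowlist for a POSIX-style account name. Constructed for this example;
# a real deployment would use the site's actual naming rules.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def unsafe_lookup(user: str, program: str = "ypmatch") -> str:
    """The vulnerable shape: the username is concatenated into a command
    string that /bin/sh parses, so ';', '|', '`' and '$(...)' in it are
    interpreted as shell syntax rather than as part of the name."""
    cmd = program + " " + user + " aliases"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_lookup(user: str, program: str = "ypmatch") -> str:
    """First layer of the fix: no shell at all. The username is a single
    argv element that reaches the program verbatim; any metacharacters in
    it are inert because nothing ever parses them."""
    return subprocess.run([program, user, "aliases"],
                          capture_output=True, text=True).stdout


def validate_username(user: str) -> bool:
    """Second layer: reject anything outside the allowlist before use."""
    return USERNAME_RE.match(user) is not None


def safe_lookup(user: str, program: str = "ypmatch") -> str:
    """Both layers together: validate, then execute without a shell."""
    if not validate_username(user):
        raise ValueError("username rejected by allowlist: %r" % user)
    return argv_lookup(user, program)


if __name__ == "__main__":
    tainted = "alice; echo INJECTED"          # constructed hostile input
    print("shell string  :", repr(unsafe_lookup(tainted, "echo")))  # two commands ran
    print("argv, no shell:", repr(argv_lookup(tainted, "echo")))    # one inert argument
    try:
        safe_lookup(tainted, "echo")
    except ValueError as err:
        print("validated     :", err)
    print("clean input   :", repr(safe_lookup("alice", "echo")))
```

The argv form alone already removes the injection; the allowlist is defence in depth against the called program itself misinterpreting odd input. The same reasoning applies to the bash-based stap-server and to the C popen() call in VBoxNetAdpCtl: any path that hands client-controlled text to a shell needs to be replaced by direct execution with validated arguments.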
Page editor: Jake Edge