HackFest Security: Patch Procrastinators Anonymous February 7 at UAT

Lisa Kachold lisakachold at obnosis.com
Sun Jan 18 21:26:25 MST 2009


Is it my name or my writing style that brings such silly challenges?

Shirley you can't be serious in that you do not understand in Linux what constitutes:

bind9   Name Server (the basis for all name to number authentication, upon which most RFCs for mail, ftp, ssl, web systems and certs are built).
cups   Printing 
openssl  SSL which provides encryption for SSH, and SSL for web systems
ntp  Network TIME Protocol
squirrelmail  Web based mail system

across many different distros?
Date: Sun, 18 Jan 2009 17:30:42 -0700
From: phrkonaleash at gmail.com
To: plug-discuss at lists.plug.phoenix.az.us
Subject: Re: HackFest Security: Patch Procrastinators Anonymous February 7 at UAT

bind9 is the most prolific DNS server application. It attempts to fill DNS requests.

On Sun, Jan 18, 2009 at 5:20 PM, bmike1 <bmike1 at gmail.com> wrote:

bind9 is a distribution? let's talk about it.... what is it about? what niche does it attempt to fill; does it do so successfully?


On Sun, Jan 18, 2009 at 6:40 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:







Catch the Patch Procrastinators Recovery Group 
Saturday UAT.EDU Noon until 3PM February 7th



Various important patches have only recently been released for various distros including Bind9, OpenSSL, cups & NTP for Ubuntu; Redhat5 Avahi (FC 10) and SquirrelMail.  

So we will demonstrate exploits available for these issues:



1) OpenSSL: (Using Debian)
http://www.metasploit.com/users/hdm/tools/debian-openssl/


Brute Forcing Tools Include:
http://www.milw0rm.com/exploits/5622



http://metasploit.com/users/hdm/tools/debian-openssl/debian_openssh_key_tester.rb



OpenSSL: Examples will also apply to the recent issues with OpenSSL:
Several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. The issue affected the signature checks on DSA and ECDSA keys used with SSL/TLS for various mail systems and DNS systems built upon OpenSSL also.



We will show an easy 'man in the middle' attack to present a malformed SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation and segue into a discussion of the MD5 Verisign cert issues.



2) NTP Spoofing: (Using Debian)  NTP Spoofing has been a staple of DoS and remote root exploits since the 1990's.  Usually NTP is selectively allowed to egress DMZ via stateful packet inspection (that will catch spoofed packets) via source and destination (or served via internal NTP daemons).  It's common to spoof the NTP servers while sending exploitive packets.


A new issue has been identified:

http://www.debian.org/security/2009/dsa-1702

A simple exploit using netcat will be demonstrated:


http://cybexin.blogspot.com/2009/01/introduction-to-netcat.html

3) Overview of BeEF:
http://www.bindshell.net/tools/beef



We will also look at a forensic image from the November Hackfest and discuss ways to protect (arp, VPN/VLAN, Switches, SELINUX) from the inevitable pwnership in a production or user's system.

We will not discuss squirrelmail, since it's only an XSS issue (similar to 9 out of 10 running versions of Apache httpd).  We will not discuss Bind9 because it also relates to the OpenSSL malformed signature.  Other PRNG type entropy issues with SSL exist, just waiting to be popularized, so we will wait for the industry to continue to ignore this and other issues inherent in various protocols.



Catch us on FreeNode IRC #PLUGLABS

www.Obnosis.com |  http://wiki.obnosis.com | http://hackfest.obnosis.com (503)754-4452


PLUG HACKFESTS - http://uat.edu Second Saturday of Each Month Noon - 3PM






---------------------------------------------------

PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us

To subscribe, unsubscribe, or to change your mail settings:

http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss



-- 
:-)~MIKE~(-:





-- 
Thanks and best regards,

Ryan Rix
TamsPalm - The PalmOS Blog
(623)-239-1103 <-- Grand Central, baby!

Jasmine Bowden - Class of 2009, Marc Rasmussen - Class of 2008, Erica
Sheffey - Class of 2009, Rest in peace.
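
The return-value mistake described in the OpenSSL item of the announcement above, shown as an added example that is not part of the original post and is not OpenSSL's code. It assumes the tri-state contract documented for EVP_VerifyFinal (1 = good, 0 = bad signature, -1 = error); verify_stub, accept_flawed, accept_strict and the toy length-prefixed signature format are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in with the tri-state contract documented for
 * EVP_VerifyFinal: 1 = good, 0 = bad signature, -1 = error (unparseable).
 * Constructed toy format: sig[0] is a length byte, then that many bytes. */
static int verify_stub(const unsigned char *sig, size_t len,
                       const unsigned char *want, size_t want_len)
{
    if (sig == NULL || len < 1 || (size_t)sig[0] != len - 1)
        return -1;                      /* malformed encoding */
    if ((size_t)sig[0] != want_len || memcmp(sig + 1, want, want_len) != 0)
        return 0;                       /* well-formed but wrong */
    return 1;
}

/* Flawed pattern: only 0 counts as failure, so -1 is "true" and accepted. */
static int accept_flawed(const unsigned char *sig, size_t len,
                         const unsigned char *want, size_t want_len)
{
    int rc = verify_stub(sig, len, want, want_len);
    if (!rc)
        return 0;
    return 1;
}

/* Corrected pattern: fail closed, accept only an explicit 1. */
static int accept_strict(const unsigned char *sig, size_t len,
                         const unsigned char *want, size_t want_len)
{
    return verify_stub(sig, len, want, want_len) == 1;
}

/* Constructed sample inputs; MALFORMED has a length byte that lies. */
static const unsigned char WANT[]      = { 0xAA, 0xBB, 0xCC };
static const unsigned char GOOD[]      = { 3, 0xAA, 0xBB, 0xCC };
static const unsigned char WRONG[]     = { 3, 0xAA, 0xBB, 0x00 };
static const unsigned char MALFORMED[] = { 9, 0xAA };
int main(void)
{
    const struct { const char *name; const unsigned char *p; size_t n; } c[] = {
        { "good", GOOD, sizeof GOOD }, { "wrong", WRONG, sizeof WRONG },
        { "malformed", MALFORMED, sizeof MALFORMED } };
    for (size_t i = 0; i < 3; i++)
        printf("%-9s flawed=%d strict=%d\n", c[i].name,
               accept_flawed(c[i].p, c[i].n, WANT, sizeof WANT),
               accept_strict(c[i].p, c[i].n, WANT, sizeof WANT));
    return 0;
}
```

When auditing callers of any verify function with this contract, look for checks written as `if (!rc)` or `if (rc)` and replace them with an explicit comparison against 1.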
