Friday, December 31, 2004

Thank You for a Strong Year

The image above comes from my Sitemeter blog statistics page. I'd like to thank all of my readers for making the TaoSecurity Blog part of their Internet experience. We've had about 337 posts this year, on a range of subjects. Our two year anniversary will happen January 8th.

I'd also like to thank those of you who have been reading my Amazon.com book reviews and voting them "useful." I receive no monetary compensation for any book reviews done at Amazon.com or here, but I do like seeing positive feedback on my reviews.

I hope to keep blogging and reviewing as I begin work on my next book, tentatively titled Extrusion Detection: Network Security Monitoring for Internal Intrusions. I'll post information on Extrusion Detection once I have an ISBN, but I expect it to hit bookshelves in the fall. My collaboration with Keith Jones and Curtis Rose called Real Digital Forensics should appear on bookshelves in the summer.

2004 has been a great year, especially with my wife delivering our first child last month. We're looking forward to an excellent 2005, so happy new year everyone.

Thursday, December 30, 2004

Review of Building Firewalls with OpenBSD and PF Posted

Amazon.com just posted my five star review of Building Firewalls with OpenBSD and PF. From the review:

"I was an early buyer of the first edition of 'Building Firewalls with OpenBSD and PF' (BFWOAP), but I am confident my opinion applies to the second edition as well. BFWOAP is the perfect book for anyone looking to build a firewall with Pf. Since Pf is now part of FreeBSD, NetBSD, and DragonFly BSD, this book will be helpful to anyone looking to use Pf on those platforms...

The author's blog indicates he is working on a new firewall book that expands beyond OpenBSD and Pf. I hope he is working with an established publisher to ensure his next book has a wider audience."

Wednesday, December 29, 2004

Today's ISC Handler's Diary Is Partially Right, and Then Completely Wrong

I read the following in today's Internet Storm Center Handler's Diary:

"Pay attention, you’re about to read something vitally important: COMPUTERS ARE NOT APPLIANCES. THEY ARE TOOLS. Tools require that their user be skilled. Tools require education and training to use. Tools require a level of involvement beyond that of an appliance because 'tool use' carries with it an inherent danger...

[O]ver the past decade, the computer industry has deliberately ignored the nature of its product. It has attempted to grind off the sharp edges, to put padding on the corners, and to make a 'consumer safe' appliance from these inherently dangerous tools. The current state of security on the Internet is simply reaping the seeds we have sown...

We don’t allow untrained and inexperienced drivers onto our streets, but any yokel with $9.95 a month can get on the Internet...

The time has come for change. Users cannot continue to proxy the responsibility for their security to others. If they’re going to use this tool, they need to be trained or they need to pull the plug (or have the plug pulled for them).

What can you do? Teach.

Organize a community 'adult ed' class to teach people security basics. Sit Aunt Sophie down and make sure that she has (and, more importantly, understands why she needs) a firewall and virus scan. Check with your local School District and make sure that while they’re teaching the impressionable young ‘uns how to create a graph using Excel, that they’re also teaching them safe computing habits. Scout your neighborhood over the next week, looking for discarded Christmas computer boxes, and knock on the door and offer your services.

We’ll all be glad you did."

The correct part is the statement that "computers are not appliances." Everything else is completely unrealistic. I sympathize with the Incident Handler who posted this advice, but I disagree with his proposed remedies.

According to Internet World Stats, as of October 2004, the United States had almost 200 million Internet users -- over 2/3 of the population. If 97% of those users were taught to behave "properly" or "safely" on the Internet, that would still leave 6 million "risks." Why did I choose 97%? That's the United States literacy rate. (Forget about those who are "functionally illiterate"; that makes the situation even grimmer.) If we can't even get every American to read, how can we teach everyone to be "safe" on the Internet?

The Incident Handler mentioned drivers in his report, so consider this angle. A mid-2003 story based on Bureau of Transportation Statistics data reports there were "204 million vehicles and 191 million drivers" in the United States. That's about the same population size as our Internet user base.

I am one of those 191 million drivers, and I am not an automobile aficionado. I like to watch Pimp My Ride and Monster Garage, but I have zero interest in making any of those modifications myself. My car is transportation, period.

Consider how my vendor takes care of me, and the role I play in my car's operation. I receive recall notices from the manufacturer that entitle me to return the vehicle for free-of-charge repairs if my safety is affected. My only maintenance involves regular oil changes, fluid changes, and regular wear-and-tear part replacements (tires, belts, etc.). I take the car to the mechanic periodically and I pass my state emissions and safety inspections. For all intents and purposes, my car is an appliance, like my water heater, HVAC, and vacuum cleaner.

The problem with personal computers is that vendors and too many security pundits expect users to be experts. They expect users to have the same level of interest in their PC that an automobile enthusiast has in his or her car. Whose fault is that? I put the blame on the vendors and security pundits who propose "security awareness" and blame users for security problems.

Here's the real wake-up call: 90% or more of the population doesn't care at all about how their PC works. The vast majority treat their PCs like I treat my car. All they want is to check their email, browse the Web, pay their bills, order goodies from online vendors, and play games. A freakishly small proportion of Internet users mod their PC cases, run non-Windows operating systems, overclock and watercool their CPUs, and know what an IP address, port or protocol is.

The bottom line is simple: we can't expect people to care about their computers any more than they care about their cars, or TVs, or microwaves, or other appliances. We need vendors to sell more appliances (like thin clients connected to supportive ISPs) and fewer general-purpose personal computers. The burden must be on the vendor and perhaps the ISP to provide a general-audience-safe appliance, not a ticking time bomb with a five minute fuse.

(Incidentally, I am a vehemently anti-socialist libertarian who believes people should take care of themselves. Using the Handler's "tool" analogy, I don't think vendors should be allowed to sell wood saws without guards, that shatter and disperse metal fragments from poorly-built blades, or that can only be used safely by master craftsmen with years of training.)

Consider a final angle. Why is TiVo so popular? TiVo puts a powerful capability into a simple package. You don't have to be a "TV expert" or receive "training" to record shows with your TiVo or pause and rewind live television. TiVo wins because it doesn't expect its users to go to the lengths necessary to support the personal computer. (Power users can still modify their TiVo if they like.)

I think vendors should take a closer look at the evolution of the automobile and the success of the TiVo, then reconsider the products they sell. Some smart ISP is going to make a lot of money renting or giving away thin client technology paired with subscription-based broadband Internet access. Add in centralized, anywhere-Web-accessible data storage, backed by local USB token storage, and you have an incredible, powerful, centrally-protected and managed computing platform for the 90% of the population that doesn't care. Appliances are the answer for the vast majority who don't want to tinker with their technology, and we need vendors to sell and support them.

Tuesday, December 28, 2004

Review of The Unabridged Pentium 4 Posted

Amazon.com just published my four star review of The Unabridged Pentium 4 : IA32 Processor Genealogy. From the review:

"Page 1 of 'The Unabridged Pentium 4' (TUP4) claims 'there is real value in understanding how the architecture has grown over the years,' where the 'architecture' is the IA-32 register set, instruction set, and software exceptions. If you accept this premise, you will find TUP4 to be a valuable book. If you are looking for detail on the lowest-level of programming on IA-32, you should download Intel's free IA-32 Intel Architecture Software Developer's Manual.

Readers looking for information on IA-32 architecture can first turn to three free books Intel provides in .pdf format: Volume 1: Basic Architecture (448 pp); Volumes 2A (580 pp) & 2B (416 pp): Instruction Set Reference; and Volume 3: System Programming Guide (838 pp), for a total of 2282 pp. Volume 1 describes the basic architecture and programming environment of an IA-32 processor. Volumes 2A & 2B are aimed at application programmers and describe the instruction set of the processor and the opcode structure. Volume 3, for OS engineers and BIOS designers, describes the OS support environment of an IA-32 processor and IA-32 processor compatibility information."

I'll admit to not reading every word of this 1600+ page book. I read a good deal of the non-table material, especially in the foundational 386 material.

I'd like to thank everyone who has voted my Amazon.com reviews "helpful." Since I last mentioned my vote count, almost exactly one year ago, I've added over 500 votes to surpass the 2000 helpful vote count. It's tough for me to "compete" with so-called "reviewers" who cannot possibly read all the books they review. (Some claim to "read" and "review" five technical books per day!) I hope the quality of my reviews and the lack of rambling about topics related to the book at hand demonstrate value to readers.

You can see what I plan to read next on my reading page and potential reading candidates on my Amazon.com Wish List. My reviewing pace will slow as I enter 2005, since I'll spend several months writing another book. Expect to see my review pace pick up again by mid-year.

Sunday, December 26, 2004

UNIX History in Detail

I just finished reading the primary two parts of an advocacy piece called Elements of Operating System and Internet History: A FreeBSD Rationale. It appears to be self-published by the author, Bruce Montague. Dru Lavigne made me aware of this work in her blog. The first 64 pages are divided between a 22 page "FreeBSD Executive Summary" and 42 pages on "Unix History, Open Source, and FreeBSD." The third section, which I plan to browse later, consists of 74 pages of various bits of UNIX and Internet trivia.

I found the sections describing UNIX history to be very informative and detailed. The author makes the point that the BSD license supports technological transfer of software from the university to the commercial space, while the GPL was explicitly designed to inhibit technology transfer (pp 14, 18). I was surprised to learn that early hardware vendors encouraged users to write their own software, and in many cases sold user-developed software. Even more shocking was the revelation that the US government, now infected by Microsoft, mandated UNIX for all federal OS purchases in 1986!

The first 64 pages form a coherent whole, but I stopped reading when they ended. The next pages are a collection of trivia. For example, the author claims that the UNIX 'dd' command is so named because its parameters (like 'if=/dev/zero') take the form of IBM JCL 'DD' commands (p 70). These and other tidbits are best read during free moments, perhaps waiting for something to compile on a slow machine.

I think this work could be expanded to a full book if the author explained FreeBSD history beyond the launch of 386BSD. A lot has happened since the 1991 Dr Dobb's Journal articles cited by Montague. I would welcome seeing him describe the launch of FreeBSD, NetBSD, and OpenBSD, as well as more recent innovations like Mac OS X, Darwin, and DragonFly. I would also like to see him analyze the publication of The 1994 USL-Regents of UCal Settlement Agreement published by Groklaw.

Bruce Montague's work is available through Trifusil Publishing.

FreeBSD Foundation Exceeds Its Goals

I'd like to thank everyone who donated to the FreeBSD Foundation. In less than five days we raised almost $40,000! That's simply amazing. Check back in with the Foundation in January when their Web site is redesigned.

Saturday, December 25, 2004

Review of Introduction to Microprocessors and Microcontrollers Posted

Amazon.com just posted my four star review of Introduction to Microprocessors and Microcontrollers. From the review:

"I reviewed the 1998 edition of this book, 'Introduction to Microprocessors,' (ITM) about a year ago. I gave that book five stars for bringing the internal workings of CPUs within the reach of the computer layman. This new 2004 edition, 'Introduction to Microprocessors and Microcontrollers,' (ITMAM) isn't quite the update I expected, but it's still a great book.

The major differences between ITM and ITMAM involve a few sections. First, material on the Alpha 21164 microprocessor is replaced by a discussion of the AMD Athlon XP. Second, two chapters on microcontrollers are added. Author John Crisp defines a microcontroller as essentially a microprocessor with some ROM and RAM on a single chip. Third, Crisp briefly discusses the innards of popular game consoles in ch 11. Finally, a short discussion of writing assembly language adds another layer to the new edition."

Friday, December 24, 2004

Try Identity Vector for Your Web Hosting Needs

Last month I switched my TaoSecurity.com Web-hosting provider to IdentityVector Solutions. The owner is a fellow US Air Force Academy graduate and a colleague at my day job with ManTech. Phil has the following to say about his offering:

"IdentityVector Solutions (IVS) provides customized Linux-based web and email hosting services, primarily to small- and medium-scale clients. Rather than providing "cookie-cutter" package solutions that include options many clients would not need, our clients pick a complement of individual services that will meet their requirements. IVS then works with clients one-on-one to ensure that our systems are configured to meet their requirements. All IVS staff members are Red Hat Certified Engineers. Sign up for a consultation online."

I've been very pleased with the quality of service and the price I pay to receive it.

TaoSecurity.com Exclusive: Keeping FreeBSD Applications Up-To-Date

I am happy to announce the publication at TaoSecurity.com of Keeping FreeBSD Applications Up-To-Date. This is the sequel to my article Keeping FreeBSD Up-To-Date. The new article takes the same case-based approach I used in the first paper.

The article's sections include:

  • Introduction

  • Installation Using Source Code

  • Installation Using the FreeBSD Ports Tree

  • Installation Using Precompiled Packages

  • Updating Applications Installed from Source Code

  • Updating Packages by Deletion and Addition

  • Updating the Ports Tree, Part 1

  • Manually Updating a Package Using the Ports Tree

  • Updating Packages with Portupgrade, Part 1

  • Updating Packages with Portupgrade, Part 2

  • Updating the Ports Tree, Part 2

  • My Common Package Update Process

  • Creating Packages on One System and Installing Them Elsewhere

  • Addressing Security Issues in Packages

  • Conclusion

  • Acknowledgements

  • References


Sections show commands to run, explanations of what they do, sample output, application versions, and pros and cons of each upgrade method. Please send feedback to taosecurity at gmail dot com.

When I get a chance, I will test putting 'BATCH=YES' in /etc/make.conf to accept interactive defaults for all ports. I also want to test the ability of Portupgrade to update ports with vulnerabilities by using this option:

-m '-DDISABLE_VULNERABILITIES'

I thought this thread discussing people's /etc/make.conf entries was interesting.

Thursday, December 23, 2004

Details on the Snort DoS Condition

You may have heard of an exploit for a denial of service condition in Snort. In short, according to Snort.org, "You are only vulnerable if you are running snort with "FAST" output (which isn't very fast) or in verbose mode... Using barnyard? Using snortdb? You are not vulnerable."

Exploit code is here:

http://www.k-otik.com/exploits/20041222.angelDust.c.php

Lurking in #snort and #snort-gui on irc.freenode.net, I learned the following about this vulnerability by listening to Marty. I hope he doesn't mind being quoted in the hopes of getting this information out to reassure the community:

roesch: it's a bug that gets manifested by the packet printers in log.c
roesch: if you use the -v switch when you run snort you can
have a problem, if you're not running the tcp protocol
printer in log.c (i.e. using the -v switch or logging in
default ascii logging mode) then you're not affected
roesch: so if you're running snort as an IDS (which most
people are) then you're fine
roesch: the problem is that we increment the opt_count too
early in DecodeTCPOptions
roesch: it crashes when the null ptr is dereferenced in
PrintTcpOptions
roesch: a null ptr deref is where we try to look at memory
at address 0 on the computer and it tells us to pi$$ off
roesch: basically
roesch: the problem is on line 3035 of decode.c
roesch: the crash comes on line 1556 of log.c for angeldust
roesch: doesn't seem to be any way to whack
tcp_options[].data pointer
roesch: so I don't think it's remotely exploitable

Nedit: Simple, Mouse-driven GUI Text Editor

I don't install desktops like Gnome or KDE on my workstations, so I try to avoid graphical applications that have a lot of dependencies. However, when I write articles, I try to avoid composing them in vi. I find vi is fine for editing configuration files or Web pages, but I like to be able to select text with a mouse when composing large articles.

Previously I installed Gedit, a Gnome application that ends up carrying a lot of baggage with it. Today on one of my workstations I removed Gedit and as much else as I could using pkg_cutleaves. Then I installed Nedit, a great little GUI text editor with mouse support. While Gedit requires over 60 dependencies, Nedit has only 8. I recommend checking Nedit out if you need a GUI text editor with a light system footprint.

Tuesday, December 21, 2004

Understanding Tcpdump's -d Option, Part 2

In September I referenced a post by libpcap guru Guy Harris explaining output from Tcpdump's -d switch. After looking at the original 1992 BSD Packet Filter (.pdf) paper and the subsequent 1999 BPF+ (.ps) paper, I understand the syntax for the compiled packet-matching code generated by the tcpdump -d switch. For example:

fedorov:/usr/local/etc/nsm# tcpdump -n -i em1 -d tcp
tcpdump: WARNING: em1: no IPv4 address assigned
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 4
(002) ldb [20]
(003) jeq #0x6 jt 7 jf 8
(004) jeq #0x800 jt 5 jf 8
(005) ldb [23]
(006) jeq #0x6 jt 7 jf 8
(007) ret #96
(008) ret #0

Here is what each instruction means:

  • 000 says load (using 'ldh') the "half word" or two bytes starting at offset 12 of the Ethernet header. Since we begin counting at 0, bytes 0 to 5 are the destination MAC address and bytes 6 to 11 are the source MAC address. The name of the two bytes beginning at offset 12 differs according to the Ethernet format used.

  • 001 compares the two bytes loaded in 000 with the value 0x86dd. That is the Ethertype of IPv6. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 002. If false, jump ('jf') to 004.

  • 002 loads the byte found at offset 20. If we are evaluating this instruction we are in an IPv6 header. Offset 20 holds the "next header" value.

  • 003 compares the byte loaded in 002 with the value 0x6. This is the IP protocol code for TCP. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 007. If false, jump ('jf') to 008.

  • 004 compares the two bytes loaded in 000 with the value 0x800. That is the Ethertype of IPv4. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 005. If false, jump ('jf') to 008.

  • 005 loads the byte found at offset 23. If we are evaluating this instruction we are in an IPv4 header. Offset 23 holds the "protocol" value for the protocol following the IP header.

  • 006 compares the byte loaded in 005 with the value 0x6. That is the protocol value for TCP. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 007. If false, jump ('jf') to 008.

  • 007 is the equivalent of "TRUE", meaning that the indicated number of bytes (96) of packet data will be copied to the calling application (in this case, Tcpdump). You reach this point if the packet being inspected is TCP, either using IPv4 or IPv6.

  • 008 is the equivalent of "FALSE", meaning zero bytes of packet data will be copied to the application. You reach this point if the packet being inspected is not TCP.


Understanding this syntax is a way to troubleshoot BPFs that don't behave as you expect. You can run 'tcpdump -d' and inspect the code as explained above to see if it performs as you want.
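
The listing above can be stepped through in code to see exactly which instructions a given frame visits. The following is an added example, not part of the original post or of tcpdump: a small Python interpreter for the four opcodes in the listing, run over constructed frames. The helper names (parse, run, ether, ipv4, ipv6, evaluate) and the sample frames are assumptions made for illustration; the frames go slightly beyond the walk-through by including cases this particular program rejects although TCP is present (an IPv6 hop-by-hop header, an 802.1Q tag).

```python
import re
import struct

# Compiled filter exactly as printed by `tcpdump -d tcp` in the post.
PROGRAM_TEXT = """\
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 4
(002) ldb [20]
(003) jeq #0x6 jt 7 jf 8
(004) jeq #0x800 jt 5 jf 8
(005) ldb [23]
(006) jeq #0x6 jt 7 jf 8
(007) ret #96
(008) ret #0
"""

LOAD_RE = re.compile(r"\(\d+\)\s+(ldh|ldb)\s+\[(\d+)\]$")
JEQ_RE = re.compile(r"\(\d+\)\s+jeq\s+#(0x[0-9a-fA-F]+)\s+jt\s+(\d+)\s+jf\s+(\d+)$")
RET_RE = re.compile(r"\(\d+\)\s+ret\s+#(\d+)$")


def parse(text):
    """Turn `tcpdump -d` lines into (opcode, operands...) tuples."""
    program = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := LOAD_RE.match(line):
            program.append((m.group(1), int(m.group(2))))
        elif m := JEQ_RE.match(line):
            program.append(("jeq", int(m.group(1), 16),
                            int(m.group(2)), int(m.group(3))))
        elif m := RET_RE.match(line):
            program.append(("ret", int(m.group(1))))
        else:
            raise ValueError(f"unsupported instruction: {line!r}")
    return program


def run(program, packet, trace):
    """Run the filter on one frame; return bytes to capture (0 = reject)."""
    acc = 0  # the BPF accumulator register
    pc = 0   # index of the instruction being executed
    while pc < len(program):
        trace.append(pc)
        op, *args = program[pc]
        if op in ("ldh", "ldb"):
            size = 2 if op == "ldh" else 1
            offset = args[0]
            if offset + size > len(packet):
                return 0  # a load past the end of the packet rejects it
            acc = int.from_bytes(packet[offset:offset + size], "big")
            pc += 1
        elif op == "jeq":
            value, jt, jf = args
            pc = jt if acc == value else jf  # targets are absolute indices
        else:  # ret
            return args[0]
    return 0


def ether(ethertype, payload):
    """Ethernet II frame with zeroed MAC addresses."""
    return bytes(12) + struct.pack("!H", ethertype) + payload


def ipv4(protocol):
    """20-byte IPv4 header with only version/IHL and protocol set."""
    header = bytearray(20)
    header[0], header[9] = 0x45, protocol
    return bytes(header)


def ipv6(next_header):
    """40-byte IPv6 header with only version and next header set."""
    header = bytearray(40)
    header[0], header[6] = 0x60, next_header
    return bytes(header)


PROGRAM = parse(PROGRAM_TEXT)

# Constructed sample frames (not captured traffic).
FRAMES = {
    "ipv4_tcp": ether(0x0800, ipv4(6) + bytes(20)),
    "ipv4_udp": ether(0x0800, ipv4(17) + bytes(8)),
    "ipv6_tcp": ether(0x86DD, ipv6(6) + bytes(20)),
    "arp": ether(0x0806, bytes(28)),
    # IPv6 hop-by-hop options header (next header 0) in front of TCP
    "ipv6_hbh_tcp": ether(0x86DD, ipv6(0) + bytes([6, 0, 0, 0, 0, 0, 0, 0]) + bytes(20)),
    # 802.1Q tag pushes the real EtherType from offset 12 to offset 16
    "vlan_ipv4_tcp": bytes(12) + struct.pack("!HHH", 0x8100, 100, 0x0800)
                     + ipv4(6) + bytes(20),
    "truncated": bytes(13),
}


def evaluate(name):
    """Return (snap length, list of instruction numbers visited)."""
    trace = []
    return run(PROGRAM, FRAMES[name], trace), trace


if __name__ == "__main__":
    for name in FRAMES:
        snaplen, path = evaluate(name)
        print(f"{name:14} ret #{snaplen:<3} path {path}")
```

The recorded path is the troubleshooting aid: a frame that ends at 008 shows which comparison sent it there.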

For those of you wanting a definition of a packet filter, here is what I've come up with based on the original paper, The Packet Filter: An Efficient Mechanism for User-level Network Code (.pdf): a packet filter is a kernel-resident packet demultiplexer that provides a way for userland processes to tell the kernel what packets they want. For more detail, I recommend reading the three papers mentioned in this story. Guy Harris also posted a message to tcpdump-workers explaining BPF.

Help FreeBSD Foundation Retain Non-profit Status

The FreeBSD Foundation's new quarterly newsletter reports that maintaining non-profit 501(c)3 status requires donations totaling US$30,400 by 31 Dec 04. While it's technically possible to retain non-profit status without those donations, the appeal process "can be a lengthy and expensive ordeal."

Can the FreeBSD community meet the goal by donating via PayPal (click on the "donate" image)? I just donated $100 to the Foundation via PayPal, so the amount is no bigger than $30,300 now. If you donate, post a reply here!

If you're wondering what the Foundation does, the new newsletter reports that it:

  • sponsors events like AsiaBSDCon

  • purchases hardware for developers to write drivers, etc.

  • contributes to the performance cluster

  • sponsors developers to code SMPng

  • supports bringing Java 5 to FreeBSD


The Foundation seems to be taking a much more active and public role, which will be publicly visible in a new Web site on 1 January.

Update: If you do donate via PayPal, be sure to specify a "shipping address." The FreeBSD Foundation treasurer informed me via email that the IRS requires the Foundation to mail a receipt to every contributor. I neglected to do so, so I replied with my address via email.

Monday, December 20, 2004

Book Reviews and Citations

I am happy to report a few more satisfied book reviewers. First, thank you to security sage Rik Farrow for his December 2004 USENIX ;login review (.pdf).

Second, I'd like to thank David Bianco for his December 2004 Information Security magazine book review (published at InfoSecBooks.com). David is the same David Bianco featured in this priceless 1995 newspaper article titled Computer Security: "Gotta Be Sneaky". In the article David advocates the importance of computer security. Unfortunately, a member of his audience disagreed:

"[Name censored to protect the foolish], a former naval intelligence officer and president of Agent Knowledgebase Associates in Virginia Beach, didn't seem concerned about on-line incursions.

'The security issue is overblown. How many people do you see using secure telephones?' he said. 'I don't see a need for computer security. Everything I do is public information. There's nothing to protect.'"

I'll let this comment speak for itself. I'd also like to give a shout-out to David's InfoSecPotpourri blog, which is updated very frequently with useful commentary on security issues.

Finally, it seems one of the SANS incident handlers has a positive opinion of my book too. Thank you!

Review of The Hacker Ethic Posted

Amazon.com just posted my three star review of The Hacker Ethic. From the review:

"I bought and read this book because I enjoy reading about hacker history and culture. When I started, I simply read and flipped pages, thinking I wouldn't find much of deep importance. After about 20 pages I was extremely interested in the book and started underlining the author's main points. By chapter 5, and especially in chapter 6, the author lost my attention and I ended up giving this book a three star review."

Sunday, December 19, 2004

Upgrading to the New Java Patchset

Last month I described how I installed Java on my production server and laptop. Today my Portupgrade run showed that my JDK was out-of-date:

jdk-1.4.2p6_7 < needs updating (port has 1.4.2p7)

Sure enough, a visit to freshports.org/java/jdk14 showed a new patchset, number 7, was released at EyesBeyond.com. Prior to updating, here's how my Java version reported itself:

orr:/home/richard$ java -version
java version "1.4.2-p6"
Java(TM) 2 Runtime Environment, Standard Edition
(build 1.4.2-p6-root_04_dec_2004_17_50)
Java HotSpot(TM) Client VM
(build 1.4.2-p6-root_04_dec_2004_17_50, mixed mode)

I used Portupgrade to upgrade and build a package with the new Java patchset on the server and then made it available via NFS to my laptop. When I was done upgrading, here is what pkg_info and the Java client reported:

orr:/home/richard$ pkg_info | grep jdk
jdk-1.4.2p7 Java Development Kit 1.4.2
orr:/home/richard$ java -version
java version "1.4.2-p7"
Java(TM) 2 Runtime Environment, Standard Edition
(build 1.4.2-p7-root_18_dec_2004_18_09)
Java HotSpot(TM) Client VM
(build 1.4.2-p7-root_18_dec_2004_18_09, mixed mode)

If you're confused by the numbering scheme associated with these versions, this freebsd-java thread is helpful.

Review of Building Open Source Network Security Tools Posted

Amazon.com just posted my five star review of Mike Schiffman's Building Open Source Network Security Tools. From the review:

"Books on hacking, cracking, exploiting, and breaking software seem to get all of the attention in the security world. However, we need more works like Mike Schiffman's 'Building Open Source Network Security Tools' (BOSNST). I regret having waited so long to read BOSNST, but I'm glad I did. Schiffman's book is for people who want to build, not break, software, and the way he describes how to create tools is enlightening.

The major theme I captured from BOSNST was the importance of creating useful code libraries. Six of the book's 12 chapters focus on libraries which provide functions for application programmers. While not all have gained the same amount of fame or use, the author's approach remains sound. Libraries are the building blocks around which numerous tools can and should be built."

Mike is a researcher at Cisco's Critical Infrastructure Assurance Group. He appears to be working on a new book called Modern Network Infrastructure Security, Volume I: The Protocols with Jeremy Rauch. I believe the new book will be great.

Saturday, December 18, 2004

Northern Virginia BSD Users Group?

I was approached by a member of the NYC BSD Users Group recently. He asked if there was a DC area BSD users group. That got me thinking... are any readers interested in participating in a northern Virginia BSD users group? If you are, email me at taosecurity at gmail dot com. I might also post to some mailing lists, but it would be nice to get a head start here. Thank you.

Friday, December 17, 2004

Open Vulnerability Assessment Language

Jay Beale's excellent new article "Big O" for Testing brought MITRE's Open Vulnerability Assessment Language project to my attention. I didn't understand how this project was different from MITRE's Common Vulnerabilities and Exposures project until I looked at OVAL's details.

Consider CAN-2003-1048. This is Microsoft Security Bulletin MS04-025, which described multiple problems with vulnerable versions of Internet Explorer. If you look at the CVE entry, you'll see the following information:

- Name: CAN-2003-1048 (under review)
- Description: Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
- References:
-- FULLDISC:20030902 New Microsoft Internet Explorer mshtml.dll Denial of Service?
-- URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=106248836920737&w=2
-- FULLDISC:20040902 AW: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll
-- URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=106251714116250&w=2
...edited...
Phase: Assigned (20040720)
Votes:
Comments:

We see that the CVE entry is a way to link together all of the different references and names for this particular vulnerability.

If we check the OVAL-ID, we see information on how to check for the presence of that vulnerability:

Status: ACCEPTED
CVE-ID: CAN-2003-1048
Platform(s): Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP
Version: 1
Summary: Refer to CVE-ID
Description: Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
Definition Synopsis:
-- Vulnerable software exists
* Internet Explorer 6 Service Pack 1 is installed
* the version of mshtml.dll is less than 6.00.2800.1458
* NOT the patch kb832894 is installed (Installed Components key)
-- Vulnerable configuration
Your machine is vulnerable if ...

vulnerable software section:
Internet Explorer 6 Service Pack 1 is installed
------------------------------------------------------
-- registry_test:
+ the hive 'HKEY_LOCAL_MACHINE' exists
+ the key 'SOFTWARE\Microsoft\Internet Explorer' exists
+ the name 'Version' exists
+ the value equals '6.00.2800.1106'

AND

the version of mshtml.dll is less than 6.00.2800.1458
------------------------------------------------------
-- file_test:
+ the file %WinDir% \system32\mshtml.dll exists
+ the version is less than '6.0.2800.1458'

AND NOT

the patch kb832894 is installed (Installed Components key)
------------------------------------------------------
-- registry_test:
+ the hive 'HKEY_LOCAL_MACHINE' exists
+ the key 'SOFTWARE\Microsoft\Active Setup\Installed Components\{2298d453-bcae-4519-bf33-1cbf3faf1524}' exists
+ the name 'IsInstalled' exists
+ the value equals 1

Besides the "pseudocode" above, SQL and XML renditions of the vulnerability are available.

This language seems incredibly useful. Just seeing the pseudocode helps me understand what needs to happen to resolve the specified vulnerability. In July Javier Fernandez-Sanguino mentioned OVAL on the nessus-announce mailing list, but I wasn't able to track down any more recent references to integrating OVAL into Nessus.
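
The definition's logic (criterion 1 AND criterion 2 AND NOT criterion 3) can be evaluated mechanically against collected host data. The following is an added example, not MITRE's or the OVAL project's code: the registry keys, file path and version strings come from the pseudocode above, while the inventory record format, the function names and the sample hosts are assumptions constructed for illustration.

```python
HKLM = "HKEY_LOCAL_MACHINE"
IE_KEY = r"SOFTWARE\Microsoft\Internet Explorer"
PATCH_KEY = (r"SOFTWARE\Microsoft\Active Setup\Installed Components"
             r"\{2298d453-bcae-4519-bf33-1cbf3faf1524}")
MSHTML = r"%WinDir%\system32\mshtml.dll"
FIXED_MSHTML = "6.0.2800.1458"


def parse_version(text):
    """'6.00.2800.1458' -> (6, 0, 2800, 1458).

    Fields are compared as numbers. The definition writes the same version
    as both 6.00.2800.1458 and 6.0.2800.1458; comparing the raw strings
    would treat those as different and would rank 6.00.2800.1400 above
    6.0.2800.1458, hiding a vulnerable host.
    """
    return tuple(int(part) for part in text.split("."))


def registry_value(host, hive, key, name):
    """Return the value, or None if the hive/key or the name is missing."""
    return host.get("registry", {}).get((hive, key), {}).get(name)


def evaluate_definition(host):
    """Apply the three tests; return (vulnerable, per-test results)."""
    ie6_sp1 = registry_value(host, HKLM, IE_KEY, "Version") == "6.00.2800.1106"

    mshtml = host.get("files", {}).get(MSHTML)
    # file_test: the file must exist AND its version must be below the fix
    old_mshtml = (mshtml is not None
                  and parse_version(mshtml) < parse_version(FIXED_MSHTML))

    patched = registry_value(host, HKLM, PATCH_KEY, "IsInstalled") == 1

    tests = {
        "ie6_sp1_installed": ie6_sp1,
        "mshtml_below_fixed_version": old_mshtml,
        "kb832894_installed": patched,
    }
    return (ie6_sp1 and old_mshtml and not patched), tests


def make_host(ie_version=None, mshtml=None, patch_flag=None):
    """Build a constructed inventory record (hypothetical collector format)."""
    registry = {}
    if ie_version is not None:
        registry[(HKLM, IE_KEY)] = {"Version": ie_version}
    if patch_flag is not None:
        registry[(HKLM, PATCH_KEY)] = {"IsInstalled": patch_flag}
    files = {MSHTML: mshtml} if mshtml is not None else {}
    return {"registry": registry, "files": files}


# Constructed sample hosts; the mshtml.dll versions other than the fixed
# one are made up for the example.
HOSTS = {
    "unpatched": make_host("6.00.2800.1106", "6.00.2800.1400"),
    "hotfix_key_set": make_host("6.00.2800.1106", "6.00.2800.1400", 1),
    "dll_updated": make_host("6.00.2800.1106", "6.00.2800.1458"),
    "other_ie_build": make_host("6.00.2600.0000", "6.00.2600.0000"),
    "no_ie_data": make_host(),
}


def report():
    """Map each sample host name to its vulnerable/not-vulnerable verdict."""
    return {name: evaluate_definition(h)[0] for name, h in HOSTS.items()}


if __name__ == "__main__":
    for name, h in HOSTS.items():
        vulnerable, tests = evaluate_definition(h)
        print(f"{name:15} vulnerable={vulnerable} {tests}")
```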

Ripping Into ROI

In April I wrote Calculating Security ROI Is a Waste of Time. The latest print issue of Information Security magazine features a story by Anne Saita that confirms my judgement:

"If you find executives resisting your security suggestions, try simply removing the term 'ROI' from the conversation.

'ROI is no longer effective terminology to use in most security justifications,' says Paul Proctor, VP of security and risk strategies for META Group. [Paul is also author of the excellent book Practical Intrusion Detection, where he correctly said 'there is no such thing as a false positive.']

Executives, he says, interpret ROI as 'quantifiable financial return following investment.' Security professionals view it more like an insurance premium. The C-suite is also wary of the numbers security ROI calculators crunch.

'Bottom line is that most executives are frustrated and no longer interested in hearing this type of justification,' Proctor says. Instead, express a technology's or program's business value, cost/benefit analysis and risk assessment."

Amen.

Fedora Available via CVS

Last month I answered PHK's "Why Bother?" with FreeBSD Question. Reason 3 was "3. All FreeBSD source code is available via CVS." Rather than delete the latest issue of Red Hat Magazine, I should have paid attention to the Fedora Status Report. It notes that the Fedora Project CVS Repository is now operational. You can now browse the Core or Extras CVS trees. This is a great development for the Fedora Core community, but it's not the same as what's available for, say, FreeBSD. The Fedora Core CVS gives greater access to the packages available in Fedora Core. I believe this is a result of the package-oriented installation process of Red Hat and Fedora distributions. Can anyone comment on this?

Thursday, December 16, 2004

Thoughts on Tenable's Nessus Changes at SearchSecurity.com

Shawna McAlearney of SearchSecurity.com contacted me about recent Nessus developments, meaning Tenable's new licensing deal with NASL scripts. She quotes me in her story Nessus no longer free:

"'It is difficult to financially justify releasing the work of a corporate developer to the open source community when that developer is supported by thousands of dollars of equipment, salary and benefits,' said Richard Bejtlich, technical director for the Monitoring Operations Division of ManTech's Computer Forensics and Intrusion Analysis group. 'To do so is to provide free software development for one's less scrupulous competitors, who are only too happy to take but not give back.'"

Shawna and Tenable co-founder Ron Gula elaborate on this point, including naming companies who commercially profit from using Nessus.

Wednesday, December 15, 2004

Cisco Network Analysis Module

It pays to subscribe to trade magazines like Network Computing. Today I read Sean Doherty's Cisco Integrated Services Routers: When Routes Converge. Although his article was a useful introduction to two of Cisco's new products, he mentioned the Cisco Network Analysis Module. I had never heard of such a product. I should have, since Greg Shipley wrote about it in his 2002 article Cisco's Network Analysis Module Fills Monitoring Gap for Switched Networks. Greg's article, as well as Cisco's documents, are fascinating to those of us responsible for monitoring networks.

The device pictured above is the Cisco Catalyst 6500 Series NAM (NAM-1 and NAM-2), a blade for your Catalyst switch. Pictured at right is the Cisco Branch Routers Series Network Analysis Module (NM-NAM), a module for your Cisco router. The blade and module are embedded PCs that collect and present traffic and statistics on network operation. The picture shows the 20 GB HDD present in the module.

You can collect and analyze a wide variety of information via the embedded Web browser offered in the NAM. For example, the screen at left shows real-time packet capture of traffic through a Catalyst switch. I think this is absolutely incredible. As Greg reports, "using the NAM, administrators can select ports, Etherchannels or VLANs on the switch to monitor, and send data directly to the NAM blade for inspection. The NAM is unique because the monitored traffic moves directly onto the blade from the Catalyst backplane, is analyzed, and can then be viewed simply by using the embedded Web interface."

If anyone at Cisco is reading this, I would love to install a NM-NAM in my 2651XM router to test its functionality. This is just the sort of device that would make a great addition to my next book. If anyone uses these devices, please feel free to comment on them below.

Snort 2.3.0 RC2 Released

Jeremy Hewlett announced the availability of Snort 2.3.0 RC2. This comes about a month after the release of Snort 2.3.0 RC1. Check out the announcement or the CHANGELOG for specifics. Besides bug fixes, there are additional options added to byte_jump. I hope to see this information added to the manual once 2.3 final is released.

Tuesday, December 14, 2004

3Com Buys TippingPoint

The Register is reporting that 3Com is buying TippingPoint for $430 million. TippingPoint employs 125 people and makes the UnityOne layer 7 firewall... I mean "Intrusion Prevention System." This is huge, since The Register says TippingPoint "reported Q3 2005 revenues of $9.7m (up 44 per cent from $6.7m in Q2 2005) and a net loss of $1.8m for the three months up to October 31." $430 million is a huge multiple. Before I left Texas to join Foundstone in 2002, I was asked to interview at TippingPoint. It looks like their employees made out much better than Foundstone's!

IPxray Reports on Top Five Vulnerabilities

We all should be familiar with the SANS Top 20 Internet Security Vulnerabilities list, which Paul Vixie rightfully criticized for its inclusion of dated BIND vulnerabilities. Now security firm IPxray has published its top 5 vulnerabilities found in our universe of scanned hosts. This was reported by SearchSecurity.com as well. I find these results useful because they are based on the findings of this security firm and reflect what's happening "in the trenches." Rather than repeat the five here, I recommend checking out the links.

Winfingerprint 0.6.0 Released

Kirby Kuehl, a Cisco engineer who provided great feedback on my first book, released version 0.6.0 of his Windows enumeration tool Winfingerprint. This tool is very comprehensive and features an exceptionally clean installation process. Note that although the Winfingerprint home page mentions inclusion of a command line version, Kirby is not currently bundling it with the latest release. Above is a screen shot of Winfingerprint running on a Windows Server 2003 eval with SP1 RC running.

Sun Thin Client Technology Upgrade

I learned about Sun's new thin client technology by reading a Register story by Ashlee Vance. Sun has released the new Sun Ray 170. This is like the new Apple iMac since it is essentially all screen.

To power the new Sun Ray, Sun released Sun Ray Server Software 3. The Sun Ray server can be UltraSPARC-based to run Solaris or it can be an x86 box running Sun's Java Desktop System, Release 2, Red Hat Enterprise Server AS 3 (32-bit), or SuSE Enterprise Linux 8, service pack 3 (32-bit).

According to Ashlee's article:

"Sun will also be looking to convince service providers to consider thin clients as options for their customers. The basic idea is that AOL, for example, could give consumers a thin client for free and then charge monthly fees for its 'computing' service. AOL would be able to manage consumers' software from its servers and provide a secure, simple package for people that really just want to surf the internet, check e-mail, message and do a bit of word processing. Consumers would receive a sleek device that runs quiet, and they wouldn't have to worry about hardware upgrades or their legs catching on fire."

This is a great idea and I think it is exactly where the industry needs to move. In a previous blog entry I imagined that AOL or Google might offer thin clients using live CDs. Sun is thinking even further, believing a company like AOL would rent hardware to users, not just give CDs. I have been talking to some Sun employees and hope to become more familiar with the new Sun Ray technology in the coming months.

Monday, December 13, 2004

Review of Embedded FreeBSD Cookbook Posted

Amazon.com just posted my four star review of Embedded FreeBSD Cookbook. From the review:

"When I skimmed 'Embedded FreeBSD Cookbook' (EFC) in the bookstore, I was impressed by the amount of general FreeBSD information it contained. Now that I've bought and read it, I'm glad this book caught my eye. Although EFC is somewhat dated by its use of FreeBSD 4.4 (released Sep 01), I learned more about FreeBSD internals. I also gained insights into what is needed to create an embedded appliance from the ground up."

On a related note, I still need to check out the papers from EuroBSDCon 2004.

Sunday, December 12, 2004

Review of Inside the Spam Cartel Posted

Amazon.com just posted my five star review of Inside the Spam Cartel. From the review:

"Reading 'Inside the Spam Cartel' (ITSC) is like watching a racing car crash; you're horrified to see it happen, but you can't take your eyes off it. ITSC exposes spam from the point of view of the 'enemy' -- a spammer who claims 'you need to be ruthless in this industry if you want to make any money at it' (p. 132). This book is an absolute must-read for anyone trying to combat spam, especially policy makers who think passing laws with clever names makes any difference."

I loved that this book was written from the spammer's perspective. It's similar to the 1997 groundbreaking book Maximum Security, also written by an "anonymous" author bringing light to the underground.

Friday, December 10, 2004

NetBSD 2.0 Installation Issues

I wanted to install NetBSD 2.0 on a real system, so I called on one of the mightiest boxes in my arsenal to host a new installation. I picked a Dell-built 1996-era Pentium (original, not "Pro") 200 MHz with 32 MB RAM. This box was running Windows 98, and my father-in-law donated it to my collection when he bought a new system.

I had multiple problems with this box. First, it has a Sony CDU311 CD-ROM that refused to read the CD on which I had burnt NetBSD 2.0. I created boot floppies and did an FTP install. I missed a crucial part of the partition creation process, however, that caused the system to hang at "Mounting all filesystems..." after a reboot. If you look at the screenshot below, you'll see that NetBSD by default offers to host the "tmp" partition on a RAM disk:



By default the size is 0, meaning this "memory file system" (mfs) won't be created. However, I moved my cursor down to the "tmp" row and added a 1024 MB entry. I didn't stop and think that I should have created a real "/tmp" partition on the hard drive. When I rebooted, the system wasn't able to create a 1024 MB memory-resident "tmp" partition, so the system hung.

Before I fixed the problem, I was able to boot into single user mode with 'boot -s' at the boot loader. I then knew the problem involved the filesystems I had built. I reinstalled the system and created a "real" /tmp:


juneau: {2} cat /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0b none swap sw 0 0
/dev/wd0e /usr ffs rw 1 2
/dev/wd0f /var ffs rw 1 2
/dev/wd0g /home ffs rw 1 2
/dev/wd0h /tmp ffs rw 1 2
kernfs /kern kernfs rw
procfs /proc procfs rw,noauto
juneau: {3} df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 497M 19M 453M 4% /
/dev/wd0f 2.5G 535K 2.3G 0% /var
/dev/wd0e 4.8G 153M 4.5G 3% /usr
/dev/wd0g 993M 8.0K 943M 0% /home
/dev/wd0h 249M 1.0K 237M 0% /tmp
kernfs 1.0K 1.0K 0B 100% /kern

I chose not to install the games or X distributions. Take a look at how much of the /usr partition is occupied -- 153 MB. That's what I call avoiding software bloat!

Now my monster NetBSD box is running like a champ. The only change I've made so far is enabling OpenSSH by adding this line to /etc/rc.conf:

sshd=YES

If you want to see dmesg output, visit NYCBUG.org/dmesgd. This is a good example of taking hardware that would otherwise go to the dump and making something useful out of it. I could turn this system into a low-volume mail, Web, or DNS server, for sure.

New "Must Read" Security Blog

One of my buddies who's still with Foundstone (now part of McAfee) has started a blog. Aaron Higbee of DCPhoneHome fame, along with some of his well-dressed friends, have begun sharing their knowledge and sense of style at secureme.blogspot.com. They are deep into the assessment side of security, so I'm sure you can pick up a few tricks by regularly visiting their site. I'm afraid these guys look nothing like their "pictures," however.

April 2004 Sys Admin NSM Article Online

I learned today that my April 2004 Sys Admin article Integrating the Network Security Model is now available online. I've also posted .pdf and .ps versions at my TaoSecurity.com publications page. From the article:

"Intrusion detection is a controversial topic. Although intrusion detection systems (IDS) were once hailed as the answer to the shortcomings of firewalls, they are now labeled 'dead' by some market analysts and are threatened by intrusion prevention systems (IPS) and 'deep inspection' firewalls. In this article, I'll look at the detection and validation of intrusions through an operational model called network security monitoring (NSM). I will briefly explain NSM theory and introduce several tools for integrating NSM concepts into existing prevention and detection systems.

NSM is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is an operational model inspired by the United States Air Force's signals intelligence (SIGINT) collection methods and Todd Heberlein's 'Network Security Monitor' (ref AttackCenter.com). SIGINT is the collection of information on communications and the transformation of that information into intelligence products. Similarly, NSM collects and analyzes network traffic to identify and validate intrusions. NSM uses full content, statistical, session, and alert data to help analysts make decisions. Whereas intrusion detection cares more about identifying successful attacks, NSM provides evidence to gauge the extent of an intrusion, assess its impact, and guide effective remediation steps."

I am currently proofing an article for the February 2005 issue called "More Tools for Network Security Monitoring."

Thursday, December 09, 2004

NetBSD 2.0 Released

NetBSD 2.0 has been released! The last major release was NetBSD 1.6, in September 2002. The last update to the 1.6 branch was 1.6.2, in March 2004. I strongly recommend finding a mirror site close to you. There are even torrents available.

I've toyed with NetBSD before, but never in a serious manner. One aspect of the system I'm anxious to try is the well-documented NetBSD pkgsrc system. There is an excellent Web-based interface to the NetBSD packages at pkgsrc.netbsd.se. While there aren't as many NetBSD packages as there are FreeBSD ports (~5000 vs ~12000), the NetBSD system looks promising.

If you look in the iso directory of the NetBSD FTP servers, you will see .iso's like "i386cd.iso" and "i386live.iso". The prefix refers to the machine architecture and the suffix refers to the contents of the .iso. For example, I just downloaded and burned the i386cd.iso to CD-R, to test on my Intel 32-bit systems. It appears to be a minimal installation CD. This README indicates the i386live.iso is a live CD, such as you might find with FreeSBIE.

Thoughts on Future Microsoft Servers

Robert L. Mitchell reported Microsoft goes to pieces in a recent ComputerWorld article. The article is light on specifics, but the message is interesting:

"With the release of Longhorn in 2007, the company has said it will offer 'role-based' versions of Windows in which only the code needed to perform a given function will be included in a particular build of the operating system... Now, rather than simply selling task-specific editions of Windows, Microsoft may let systems administrators choose which core elements of Windows to include at installation."

As a security engineer, I think this is a great idea. Microsoft is already encouraging administrators to shut down unnecessary services via Windows Server 2003 SP1 RC's Service Configuration Wizard. Completely omitting unnecessary systems would be an even better idea. This is similar to a "minimal" FreeBSD installation. My guess is Microsoft will offer templates for mail, Web, database, and firewall servers. (A Windows-based firewall still confounds me!) In any case, I welcome this development if Microsoft indeed implements it.

On a related Microsoft note, I thought this description of DLL hell was very useful.

Pros and Cons of Outsourcing Security Tasks

Jian Zhen of LogLogic wrote two helpful articles for ComputerWorld. The first lists ten benefits of outsourcing security functions, and the second lists seven potential drawbacks. I largely agree with his analysis, particularly concerning the advantages of leveraging centralized security expertise.

A managed security service that does nothing but handle security issues all day long has a much higher level of security situational awareness than an overtasked administrator with multiple responsibilities. How is a general purpose administrator who has to deal with users, stop spam, recover backups, install patches, and maintain infrastructure going to know more about the latest types of attacks and defenses than a dedicated security professional?

Companies who can afford to maintain specialized security teams probably don't need to outsource these functions. A quick way to determine if a company probably doesn't need to outsource security tasks is to check to see if they are members of FIRST. (I almost had a heart attack when I saw that www.first.org was updated. One of the last vestiges of 1994-era HTML has fallen!)

These articles follow a helpful one by Bill Brenner from August 2004, Firms to seek more security help from outsiders. He reports "Unable to keep up with security holes, attacks and government regulations, enterprises will turn to outside firms for 90% of their security by 2010, according to Yankee Group."

Wednesday, December 08, 2004

I subscribe to Sys Admin magazine because it offers excellent articles. One that is available online is Bryan Smith's Dissecting PC Server Performance. He explains the major bottleneck issues in traditional CPU architecture and how the AMD Opteron is an improvement. I found the article highly technical yet readable and enlightening. This is a must-read before you buy your next high-load server.

Nessus Developments

Recently I reviewed the new Syngress Nessus book, after installing Nessus 2.2 using the security/nessus FreeBSD port. Yesterday Tenable Network Security relaunched the Nessus home page. The author of the Nessus vulnerability scanner is Renaud Deraison, who co-founded Tenable and currently serves as Chief Research Officer there. Tenable formally supports the development of Nessus.

Along with a sharp new Web design and the release of Nessus 2.2.1, the site announced a new policy on plug-ins. Plug-ins are code written in the Nessus Attack Scripting Language (NASL) which perform vulnerability checks. Tenable is offering three feeds for Nessus plug-ins:

  • The Direct Feed "is commercially available [and] entitles subscribers to the latest vulnerability checks," immediately. It costs $1200 per scanner per year.

  • The Registered Feed "is available for free to the general public, but new plugins are added seven days after they are added to the Direct Feed." Registration and conformance with the plug-in license is required.

  • The GPL Feed "does not require registration, and includes plugins written by the user community. As manager of the Nessus project, Tenable continues to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and Public feeds at the same time."


The last feed description mentioned NeWT, which is a Windows-based Nessus server. NeWT is available free of charge, but users can only scan their local subnet. NeWT Pro is a commercial product without limitations. The original Nessus UNIX server remains open source. Tenable also sells the NeVO passive vulnerability monitor, the Lightning ESM console, and the Thunder secure log aggregation and analysis product.

I have no problem with this new arrangement. Tenable offers two core Nessus products. First, there is the vulnerability scanning engine, which has several flavors. Tenable is paying for core developers to maintain and improve the original Nessus UNIX server and clients. They are selling a commercial version that runs on Windows, and offer for free a subnet-limited version that runs on Windows as well. The second product is the NASL scripts. Tenable pays full-time salaries for developers to create these scripts.

Consider an alternative approach taken by a similar industry: anti-virus vendors. A company like Symantec sells both its scanning engine and signatures in closed-source form. They do this because the manpower required to create both products is considerable.

Tenable is still making a completely workable Nessus solution (UNIX Nessus server, clients, and signatures) available in open source form. The only change is that NASL scripts developed in-house by Tenable will be available to non-paying users seven days after paying customers receive them. If the NASL scripts developed by the open source community and released under the GPL are so much better than those Tenable creates, those NASL scripts will be immediately available. I would be surprised to see community-developed scripts surpass Tenable's, however.

Sourcefire is a company in a similar situation. They and founder Marty Roesch were just featured in a Business Week article. Sourcefire pays developers to work on Snort and its signatures. Sourcefire then sells hardware appliances running Snort, along with an enterprise administration console. Sourcefire's greatest value lies in its RNA product, which provides context for its sensor.

I am surprised Sourcefire makes its signatures available free-of-charge. I would have no problem seeing them adopt a strategy similar to Tenable's. You can judge the effectiveness of one aspect of the open source community's Snort rule creation process by trying the signatures at BleedingSnort.com.

SpecialOpsSecurity.com Ready to Deploy

My buddy Erik Birkholz, fellow ex-Foundstone consultant and author of Special Ops, appears to be shifting more resources to his consultancy, Special Ops Security. I found his company's service datasheet (.pdf) offers several novel services. For example, SOS provides "Pre-Sales Engineers and Deployment Services" and "Security Sales Consultants." They act as hired technical guns, bridging the gap between account executives and customers or sales people and customers. I think this is an excellent resource for clients who need to know the "real deal" about security. To get a sense of the company's technical skills, I recommend perusing their presentation Show and Tell: Attacks and Defense (.pdf).

Tuesday, December 07, 2004

Thoughts on Windows Server 2003 SP1 RC

Microsoft announced that Windows Server 2003 Service Pack 1 Release Candidate is available for testing on non-production servers. I installed it remotely using Rdesktop on a 180 day evaluation copy of Windows Server 2003 with hotfixes installed. The whole process went smoothly, and after a reboot I was still able to connect via Rdesktop and PsExec.

Microsoft published Top 10 Reasons to Install Windows Server 2003 SP1, which I found interesting reading. The majority of the reasons sound helpful. Point one is especially revealing. Microsoft now recommends "reducing the attack surface," which is code for disabling unnecessary services via the "Security Configuration Wizard" (SCW). Microsoft says "With SCW you can disable unused services easily and quickly, block unnecessary ports, modify registry values, and configure audit settings." I heartily endorse this and many other changes.

Points nine (Help secure Internet Explorer) and ten (Avoid potentially unsafe e-mail) indicate there are still problems with the way Microsoft approaches system administration. A fundamental tenet of good system administration is to avoid browsing the Web or reading external email on production servers. In some ways this has not been a problem for UNIX administrators who do not install X on their servers. They could use Lynx and Mutt in a text environment, but on servers they tend not to casually surf the Web or read email using either tool. Even if they do, there have been orders of magnitude fewer attacks against text-based Web and email clients -- and what general attacker targets such programs?

Some (such as Macintosh devotees) believe the GUI was one of the great advancements in personal computing. I agree as far as personal computing goes, but I believe the GUI should stay on the PC and away from servers. A GUI invites trouble when it wrongly empowers administrators to use powerful and potentially exploitable Web and email clients. Suddenly a user with administrator privileges can be hit by client-side attacks. The best way to avoid such a situation is to not allow Web or email clients to run on servers, not simply improve the security of such programs. I have seen Microsoft encourage users not to do so, but I do not see Windows administrators breaking this mind-set any time soon.

The GUI is an example of a feature that is not really needed to provide services to clients. What client needs a server-side GUI to offer Web pages, carry email, or serve SQL queries? If a Windows system could be installed without a GUI, we might see less successful exploitation of Windows systems. Microsoft is taking a step in the right direction by providing tools to limit the services active on its systems. I would like to see Windows machines install no listening services by default, except for an OpenSSH-like remote administration client. Then, using a wizard, administrators could add in the services they believe they need.

It would also be helpful for Microsoft servers to offer individual services on specific ports, and not group everything under the sun on a few well-known ports. An administrator who can look at a port listing and know the meaning of seeing port X and Y, but not Z, is an empowered administrator. Running individual services on specific ports simplifies network-based access control and identification of rogue services.

Dru Lavigne on Upgrading FreeBSD

Dru Lavigne's latest blog entry explains her experiences upgrading two systems to FreeBSD 5.3. Her article nicely complements my Keeping FreeBSD Up-To-Date. Over 7,000 of you appear to have already read it. I've made a few tweaks recently, including changing the CVS tag for the FreeBSD 5.3 RELEASE to 5_3_0_RELEASE, plus fixing misspellings and related typos.

Sguil 0.5.3 Released

Sguil 0.5.3, the analyst console for Network Security Monitoring, is now available. Updated screenshots are also posted. I'll be tweaking my install guide to reflect the version bump, but the content won't change. I wrote the latest version using a CVS version of Sguil, so it has the same capabilities as 0.5.3.

You can read Bamm's release announcement and CHANGES for more information. If you have any questions, join us in #snort-gui at irc.freenode.net. A chapter from my book devoted to Sguil is online.

Monday, December 06, 2004

Enabling DRI on FreeBSD

Last February I wrote of my adventures enabling DRI on my laptop.

I already had a few tweaks to my /boot/loader.conf to get sound and AGP working:

snd_csa_load="YES"
r128_load="YES"

Using kldstat, I could see what kernel modules were loaded:

orr:/home/richard$ kldstat
Id Refs Address Size Name
1 12 0xc0400000 5cdb30 kernel
2 2 0xc09ce000 7464 snd_csa.ko
3 3 0xc09d6000 1d4fc sound.ko
4 1 0xc09f4000 1520c r128.ko
5 14 0xc0a0a000 537f0 acpi.ko
6 1 0xc1a97000 17000 linux.ko

When I installed FreeBSD 5.3 RELEASE I was not able to get DRI working when I simply uncommented it in my xorg.conf file:

# This loads the GLX module
Load "glx"
# This loads the DRI module
# Load "dri"

When I did uncomment the dri module, I saw a green bar appear at the top of my X display, and the system locked. Without DRI, a test with glxgears showed poor performance:

orr:/home/richard$ glxgears -info
GL_RENDERER = Mesa GLX Indirect
GL_VERSION = 1.2 (1.4 Mesa 5.0.2)
GL_VENDOR = Mesa project: www.mesa3d.org
...edited...
444 frames in 5.0 seconds = 88.800 FPS
440 frames in 5.0 seconds = 88.000 FPS

My /var/log/Xorg.0.log file showed no mention of DRI or DRM.

Inspired by this freebsd-stable thread, I installed graphics/dri via package:

# pkg_add -vr dri
...edited...
requesting ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/
packages-5.3-release/Latest/dri.tbz
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/
packages-5.3-release/Latest/dri.tbz...x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x lib/modules/dri/gamma_dri.so
x lib/modules/dri/i810_dri.so
x lib/modules/dri/i830_dri.so
x lib/modules/dri/mga_dri.so
x lib/modules/dri/r128_dri.so
x lib/modules/dri/r200_dri.so
x lib/modules/dri/radeon_dri.so
x lib/modules/dri/sis_dri.so
x lib/modules/dri/tdfx_dri.so
tar command returns 0 status
Done.
...truncated...

I was pleased to see the r128_dri.so, since that is what my graphics card uses.

I uncommented the 'dri' entry in my xorg.conf file and restarted X. My /var/log/Xorg.0.log file now mentioned DRI and DRM:

(II) Loading extension XFree86-DRI
(II) LoadModule: "r128"
(II) Loading /usr/X11R6/lib/modules/drivers/r128_drv.o
(II) Module r128: vendor="X.Org Foundation"
compiled for 6.7.0, module version = 4.0.1
Module class: X.Org Video Driver
ABI class: X.Org Video Driver, version 0.7
...edited...
(II) R128(0): [drm] installed DRM signal handler
(II) R128(0): [DRI] installation complete
(II) R128(0): [drm] Added 128 16384 byte vertex/indirect buffers
(II) R128(0): [drm] Mapped 128 vertex/indirect buffers
(II) R128(0): [drm] dma control initialized, using IRQ 11
(II) R128(0): Direct rendering enabled

I found much better performance with glxgears:

orr:/home/richard$ glxgears -info
GL_RENDERER = Mesa DRI Rage 128 Mobility 20030328 AGP 1x x86/MMX/SSE
GL_VERSION = 1.2 Mesa 5.0.2
GL_VENDOR = VA Linux Systems, Inc.
...edited...
4737 frames in 5.0 seconds = 947.400 FPS
7280 frames in 5.0 seconds = 1456.000 FPS
7338 frames in 5.0 seconds = 1467.600 FPS
7207 frames in 5.0 seconds = 1441.400 FPS

I am glad this worked.

Update: I spoke too soon. I suspend my laptop using 'acpiconf -s 3'. When I return from sleeping, the X display is garbled. I've gone back to disabling DRI. I don't intend to work on this any further until X11R6.8.1 is released for FreeBSD. If the problem persists, I'll pursue troubleshooting it. I see others have problems too.

FreeSBIE 1.1 Released

I was happy to see that FreeSBIE 1.1 was released today. FreeSBIE is a live CD version of FreeBSD. Version 1.1 offers FreeBSD 5.3 RELEASE as the underlying OS. If you've used Knoppix to get familiar with Linux in a live CD environment, you should give FreeSBIE a try.

New for this version are the release announcement, a manual, and the list of packages installed on the live CD.

Sunday, December 05, 2004

Review of Nessus Network Auditing Posted

Amazon.com just posted my four star review of Nessus Network Auditing. It's been almost three months since my last book review. I hope to get several more done before the end of the year. It's tough when, as a reviewer, I actually try to read the books I critique. From my review:

"'Nessus Network Auditing' (NNA) is the definitive (and only) guide to the Nessus open source vulnerability assessment tool. I recommend all security professionals read this book. You may start as a Nessus user, but the book will help you become part of the Nessus community.

NNA features twelve contributors, but it doesn't suffer the fate of other books with similar high author counts. NNA manages to present fairly original material in each chapter, without a lot of overlap. I credit the lead authors and editors for keeping the contributors on track. They could have reduced the number of crashing printer stories, however."

OpenBSD 3.6 on Soekris Net4801

In June I described a way to install OpenBSD 3.5 on a Soekris Net4801 small form factor system. I followed a similar method today with OpenBSD 3.6, installing from floppy to 2.5 inch HDD on one laptop and then moving the HDD to the Soekris.

I had two problems. The first involved not being able to use dd to write the OpenBSD floppy image to the floppy drive. I used this syntax:

orr:/root# dd if=floppyC36.fs of=/dev/fd0

At one point I got errors from dd. Later I saw these error messages from the kernel:

fdc0: ready for input in output
...repeats...
fdc0: ready for input in output
fdc0: too many errors, not logging any more

I was able to use the same syntax on a FreeBSD 4.10 box to create the boot floppy. I booted with the OpenBSD boot floppy and installed OpenBSD 3.6 on the laptop. When I moved the laptop HDD to the Soekris, I got this error via serial console as OpenBSD tried to boot:

booting hd0a:?1;2c: open hd0a:?1;2c: No such file or directory
failed(2). will try /obsd
boot>

I tried a generic 'boot' command next:

boot> boot
booting hd0a:/obsd: open hd0a:/obsd: No such file or directory
failed(2). will try /bsd.old

No joy. Then I remembered OpenBSD usually sees HDDs as device wd, so I tried this:

boot> boot wd0a:/bsd
booting wd0a:/bsd: 4918204+859636 [52+230528+209187]=0x5ee0fc
entry point at 0x100120

[ using 440140 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2004 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 3.6 (GENERIC) #59: Fri Sep 17 12:32:57 MDT 2004
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
...edited...
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 3102MB, 6354432 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
geodesc0 at pci0 dev 18 function 5 "NS SC1100 X-Bus" rev 0x00: iid 6 revision 3 wdstatus 0
...edited...
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
Automatic boot in progress: starting file system checks.
/dev/rwd0a: file system is clean; not checking
/dev/rwd0e: file system is clean; not checking
/dev/rwd0d: file system is clean; not checking
/dev/rwd0f: file system is clean; not checking
...truncated...

Booting from drive wd0a worked. I pondered having to repeat this process the next time I booted the system. However, after a reboot, I did not have to pass any parameters to the boot loader:

boot>
booting hd0a:/bsd: 4918204+859636 [52+230528+209187]=0x5ee0fc
entry point at 0x100120

[ using 440140 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2004 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 3.6 (GENERIC) #59: Fri Sep 17 12:32:57 MDT 2004
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
...truncated...

This second boot shows OpenBSD apparently booting from hd0a, which failed the first time. I don't know why this worked. I didn't have this issue with 3.5. I intend to turn this Soekris system into a firewall. For full dmesg output, see my new entry at NYCBUG.org.

Friday, December 03, 2004

Dru Lavigne Chimes in on "Why Bother?"

FreeBSD author and advocate Dru Lavigne has responded to PHK's "Why Bother?" article. While citing my previous Blog entry on the subject, she made me aware of a freebsd-chat thread discussing project goals. Two users (Chris Pressey and Paul Robinson) asked questions about goals that are similar to my earlier Blog entry. Chris ended up being attacked once he mentioned the "number of backouts and backout requests" to cvs-src as a metric for "the amount of floundering a project is undergoing." This is a shame, because the original project goal question remains unanswered.

Thursday, December 02, 2004

TaoSecurity Blog Under Construction

I'm experimenting with adding a comments feature to the blog. The easiest way to do that was to use a new template. You may see additional changes. Also, links which were previously in this format

http://taosecurity.blogspot.com/2004_11_01_taosecurity_archive.html#110129970708337670

now take this format

http://taosecurity.blogspot.com/2004/11/using-portsnap-to-update-freebsd-ports.html

The old format appears to still work, however.

Wednesday, December 01, 2004

TaoSecurity.com Exclusive: Keeping FreeBSD Up-To-Date

I am happy to announce the publication at TaoSecurity.com of Keeping FreeBSD Up-To-Date. I wrote this article to answer questions I've received over the past few months on how to apply security fixes to a FreeBSD system. While the official Handbook is excellent, I thought a case-study approach would be enlightening for some readers.

I thought it would be interesting to see a box begin life as FreeBSD 5.2.1 RELEASE, and then progress through a variety of security fixes applied in different ways. The article's sections include:

  • Introduction
  • FreeBSD Versions
  • Learning About Security Issues
  • Starting with the Installation
  • Binary OS and Userland Updates with FreeBSD Update
  • Applying Kernel Patches Manually
  • Applying Userland Patches Manually, Part 1
  • Applying Userland Patches Manually, Part 2
  • CVSup to 5_2 Security Branch
  • Beyond the Security Branch
  • STABLE: The End of the Line
  • The "Next" STABLE
  • Conclusion
  • Acknowledgements
  • References

Sections show commands to run, explanations of what they do, sample output, uname versions, and pros and cons of each upgrade method. Please send feedback to taosecurity at gmail dot com.

I do not discuss optimizing the kernel, although this site does.