Categories
Security & Compliance System Administration

Connecting to legacy servers with OpenSSH

Phasing out legacy cryptographic algorithms can always be an interesting endeavor as terminating to early breaks stuff and to late it can lead to a compromise. OpenSSH disabled DSA with version 7.0 in March 2015 as 5 years earlier it was discovered that DSA was compromised and labelled as insecure. Normally this shouldn’t be a problem with a normal software life cycle, but sometimes you will encounter a legacy box that will not be upgraded as it will break things. Now it will stop new connections being setup from upgraded to machines as with SSH.

$ ssh user@server.example.org Unable to negotiate with server.example.org port 22: no matching host key type found. Their offer: ssh-dss

For an incidental connection from the command line the algorithm can be enabled again to connect with a legacy machine.

$ ssh -o HostKeyAlgorithms=+ssh-dss user@server.example.org

For automated processed or when scripts can’t be modified a setting for OpenSSH can also be set in $HOME/.ssh/config for the account depending on this option to be set.

Host server.example.org
  HostKeyAlgorithms=+ssh-dss

Re-enabling broken algorithms like DSA should only be done for a limited time and scope. In a lot of commercial environments these algorithms aren’t allowed to be enabled again. Also in most cases the code to run these obsolete algorithms can be removed in a later version as already is the case with SSL 3.0 and earlier for example.

Categories
Security & Compliance

WhatsApp put an emoji their URL

Emoji characters already appeared in DNS, but now also in an URL. And Google shows them perfectly what makes me wonder if all parts of their codebase are ready to handle this correctly or that it is an incident.

So the big question is when marketeers and/or criminals start to use this to trick people into clicking on links. Also, how do other systems like CRM are going to handle this correctly?

Categories
Security & Compliance System Administration

Emoji in URLs are probably a bad idea…

On the dns-operations mailing list, there were already discussions about parties who bought domains like ?.com (xn--e5h.com), but the following is also an interesting development.

When will we find pages with “special” Web Open Fonts and that become active when you press Ctrl-Shift?

Categories
Security & Compliance Software Development

Is CWE-525 still relevant?

During a code upgrade for a web application from Symfony 2.8 to 3.3 it also became time to do some basic tests with Zed Attack Proxy. While most findings were logical and easy to fix, but one was different and it started with the finding below.

Description:
The AUTOCOMPLETE attribute is not disabled on an HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.
Solution:
Turn off the AUTOCOMPLETE attribute in forms or individual input elements containing password inputs by using AUTOCOMPLETE=’OFF’.

Included was the reference to CWE-525 that describes the risk and how to fix it. It leads back to the login section described in a Twig template file as below not having the proper attributes set on the form and/or input element.

<form class="navbar-form navbar-right" action="{{ path('login') }}" method="post">
    <div class="form-group">
        <input type="text" id="username" name="_username" placeholder="Email" class="form-control">
    </div>
    <div class="form-group">
        <input type="password" id="password" name="_password" placeholder="Password" class="form-control">
    </div>
    <button type="submit" class="btn btn-success">Sign in</button>
</form>

Mozilla Developer Network has an article about turning off form autocomplete for sensitive fields that browsers shouldn’t cache. Storing credit card data for example isn’t a good idea unless it is in a secured storage area. Updating the template file to contain right attributes and ZAP doesn’t complain anymore as we tell the browser not to store the password field.

<form class="navbar-form navbar-right" action="{{ path('login') }}" method="post">
    <div class="form-group">
        <input type="text" id="username" name="_username" placeholder="Email" class="form-control">
    </div>
    <div class="form-group">
        <input type="password" id="password" name="_password" placeholder="Password" class="form-control" autocomplete="off">
    </div>
    <button type="submit" class="btn btn-success">Sign in</button>
</form>

The story doesn’t end by adding the right attributes to resolve the finding, because browser makers have moved on as the attribute is being ignored for input elements of the type password for example. This as the benefit of having people store a secure password in password manager has a better risk score than people remembering and (re)using weak passwords. With this is mind we basically fixed a false positive to make the audit finding green.

For this reason, many modern browsers do not support autocomplete=”off” for login fields:

  • If a site sets autocomplete=”off” for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
  • If a site sets autocomplete=”off” for username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.

Here comes the problem as ZAP generates a finding that a developer has to spend time on as he needs to investigate and then has to implement a solution or explain why it isn’t worth fixing. Security scanners are handy for detecting low hanging fruit, but they shouldn’t become a time-waster with outdated rules as developers will start ignoring findings or let findings slowly starve on their backlog.

Categories
Security & Compliance System Administration

Kali Linux 2016.2

Last week Kali Linux 2016.2 was released so it was time to make a new VirtualBox instance for it to see the difference from the release in January. But let’s automate a little bit to quickly rebuild virtual machines for Kali Linux.

$ cd ~/Downloads
$ wget http://cdimage.kali.org/kali-2016.2/kali-linux-2016.2-amd64.iso

Let’s create the virtual machine and boot it. In this example it is bound to the wireless network card and allocates an 16 GB disk image as the default 8 GB size for Debian is too small and 10 GB is the minimum advised.

$ export VM="Kali Linux 2016.2"
$ VBoxManage createhd --filename "$HOME/VirtualBox VMs/$VM/$VM.vdi" --size 16384
$ VBoxManage createvm --name "$VM" --ostype "Debian_64" --register
$ VBoxManage storagectl "$VM" --name "SATA Controller" --add sata --controller IntelAHCI
$ VBoxManage storageattach "$VM" --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium "$HOME/VirtualBox VMs/$VM/$VM.vdi"
$ VBoxManage storagectl "$VM" --name "IDE Controller" --add ide
$ VBoxManage storageattach "$VM" --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium $HOME/Downloads/kali-linux-2016.2-amd64.iso
$ VBoxManage modifyvm "$VM" --ioapic on
$ VBoxManage modifyvm "$VM" --boot1 dvd --boot2 disk --boot3 none --boot4 none
$ VBoxManage modifyvm "$VM" --memory 1024 --vram 128
$ VBoxManage modifyvm "$VM" --nic1 bridged --bridgeadapter1 wlp1s0
$ VBoxManage startvm "$VM

After the installation is completed and the machine is powered down it is safe to remove the virtual DVD and create a snapshot to always quickly return to.

$ VBoxManage storageattach "$VM" --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium none
$ VBoxManage snapshot "$VM" take "Snapshot 1"

I can now continue to prepare for the Offensive Security Certified Professional (OSCP) training. Hopefully I can also join the CTF organized by Platform voor Informatie Beveiliging.