mod_security rule for e107 ‘plugindir’ and ‘ifile’ remote include vulnerability

Here are modsecurity2 rules for the latest string of vulnerabilities affecting the E107 CMS system described in the following links:

http://www.exploit-db.com/exploits/12818/
http://www.exploit-db.com/exploits/12715/

SecRule ARGS:THEMES_DIRECTORY "^http" "t:htmlEntityDecode,t:urlDecode,t:lowercase,deny,log,auditlog,msg:'Denied e107 vulnerability'"
SecRule ARGS:ifile "^http" "t:htmlEntityDecode,t:urlDecode,t:lowercase,deny,log,auditlog,msg:'Denied e107 vulnerability'"
SecRule ARGS:plugindir "^http" "t:htmlEntityDecode,t:urlDecode,t:lowercase,deny,log,auditlog,msg:'Denied e107 vulnerability'"
SecRule ARGS:author_name "\[php\]" "t:htmlEntityDecode,t:urlDecode,t:lowercase,deny,log,auditlog,msg:'Denied e107 vulnerability'"

Remotely installing PFSense to hard drive with VGA and without CD-ROM

FreeBSD is great for certain tasks (such as firewalls and other embedded devices), but has some real shortcomings when it comes to booting from attached or remote storage. This severely complicates the installation process in some cases.

In my case, I have a remote server in a rack with no CD-ROM. Pulling the server from the rack and plugging in an IDE/SATA CD-ROM is not an option, as there is no physical access at the current moment (I’m about 90 miles away on travel). So far the following methods of getting FreeBSD / PFSense installed have failed miserably:

1. Boot CD-ROM ISO over PXE (current memdisk). Negative.

2. Boot CD-ROM ISO from USB CD-ROM. Negative.

3. Boot CD-ROM ISO from virtual storage (IPMI CD-ROM). Negative.

OK, so it’s 2010 and FreeBSD can’t boot from anything other than a plain old IDE/PATA CD-ROM (which isn’t an option). Seriously, WTF?

So back to the drawing board. Let’s try some other more or less obvious options:

4. Burn PFSense embedded image directly to hard drive using the same instructions for CF memory. Negative. I even watched the serial console through IPMI – nothing.

5. Boot embedded image from network (memdisk). Negative.

All five of these methods have failed.


Time to use brute force, and if this doesn’t work I am banning FreeBSD from my life.

Yank HDD from laptop, throw in a spare, and boot the CD-ROM on the laptop.

Proceed to install PFSense.

Boot into Linux (or FreeBSD, doesn’t matter) rescue mode CD with network connectivity.

Copy the HDD image off to a remote site:

Remote machine (intermediary storage server, in this case my mirror box):

nc -l -p 2222 | dd of=pfsense.img.gz

Local machine (laptop):

dd if=/dev/sda conv=sync,noerror bs=64K | gzip -c -9 | nc mirror.ash.fastserv.com 2222

Once you’ve got the image, it’s time to boot the target PFSense machine into the same Linux/FreeBSD rescue mode and copy the image to the HDD. In the previous step, my working directory was the /pub folder on a public HTTP mirror. This allows me to burn the image directly over HTTP in the following step:

wget -O- http://mirror.ash.fastserv.com/pub/pfsense.img.gz | gzip -cd | dd of=/dev/sda

Much to my surprise, this actually worked! The saving grace for FreeBSD/PFSense is that it can be installed on one machine and then booted on another. Now on to learning how to use PFSense and configuring firewall rules.
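The dd | gzip | nc transfer above, as an added example that is not code from the original post: the same imaging steps written in Python so the compressed image is hashed where it is made and checked where it is restored. Neither nc nor plain HTTP gives any integrity guarantee, so a truncated or altered image would otherwise be written straight onto the target disk. A regular file stands in for the block device and every path is a placeholder; the conv=sync padding and the 64K block size follow the original dd command.

```python
# Added example, not code from the original post. A file stands in for /dev/sda;
# all paths are placeholders. BLOCK mirrors bs=64K from the dd command above.
import gzip
import hashlib
import os
import tempfile

BLOCK = 64 * 1024


def sha256_file(path):
    """SHA-256 of a file, read in 64K chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src_path, image_path):
    """Equivalent of 'dd if=SRC conv=sync,noerror bs=64K | gzip -c -9 > IMAGE'.
    conv=sync pads a short final block with NULs, so the image always holds a
    whole number of 64K blocks. Returns the digest of the compressed image,
    which is what the receiving side must be given out of band."""
    with open(src_path, "rb") as src, gzip.open(image_path, "wb", compresslevel=9) as gz:
        for block in iter(lambda: src.read(BLOCK), b""):
            gz.write(block.ljust(BLOCK, b"\0"))
    return sha256_file(image_path)


def restore_image(image_path, dst_path, expected_sha256):
    """Equivalent of 'gzip -cd IMAGE | dd of=DST', but refuses to open DST at
    all unless the image hashes to the expected value. Returns bytes written."""
    actual = sha256_file(image_path)
    if actual != expected_sha256:
        raise ValueError(f"image checksum mismatch: expected {expected_sha256}, got {actual}")
    written = 0
    with gzip.open(image_path, "rb") as gz, open(dst_path, "wb") as dst:
        for block in iter(lambda: gz.read(BLOCK), b""):
            dst.write(block)
            written += len(block)
    return written


def verify_restore(src_path, dst_path):
    """True if DST begins with exactly the bytes of SRC (DST may be longer
    because of the conv=sync padding on the last block)."""
    with open(src_path, "rb") as a, open(dst_path, "rb") as b:
        for chunk in iter(lambda: a.read(BLOCK), b""):
            if b.read(len(chunk)) != chunk:
                return False
    return True


def roundtrip_demo(size=200_000):
    """Image a constructed 'disk' of random bytes, restore it with the right
    digest, then tamper with the image and confirm the restore is refused
    before anything is written. Returns the observations as a dict."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "disk")          # stands in for /dev/sda
        img = os.path.join(d, "pfsense.img.gz")
        dst = os.path.join(d, "target")        # stands in for the target's /dev/sda
        with open(src, "wb") as f:
            f.write(os.urandom(size))          # constructed sample data
        digest = image_device(src, img)
        written = restore_image(img, dst, digest)
        ok = verify_restore(src, dst)
        with open(img, "ab") as f:             # simulate a corrupted transfer
            f.write(b"\0")
        bad_dst = os.path.join(d, "target2")
        try:
            restore_image(img, bad_dst, digest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "written": written,                # whole 64K blocks, incl. padding
            "verified": ok,
            "tamper_rejected": rejected,
            "no_partial_write": not os.path.exists(bad_dst),
        }


if __name__ == "__main__":
    print(roundtrip_demo())
```

In practice the digest printed on the laptop travels with you (or over a separate channel), and the target only runs the equivalent of the dd step once the downloaded image hashes to that value.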

If you want a copy of the HDD image to save you over half of this hassle, you can find it HERE. It was created with an 80 GB HDD, so you’ll need at least an 80 GB disk for this to work. Good luck, you’ll probably need it.

Arbitrary MIME support for aacplus streaming with libshout and perl bindings

If you want to be able to support alternative stream types (such as AACplus) using libshout-2.2.2, you’ll need a patch to add a ‘mime’ method. You can then manually set the mime-type for arbitrary stream types. I also included a minor change which sends ‘content-type’ headers to Shoutcast/ICY stream servers, which is required for Shoutcast server support of AACplus streams:

libshout-2.2.2 patch

Additionally, if you’re streaming through Perl, the Perl bindings (Shout-2.1) will also have to be patched similarly both for mime support and for support of the ‘send-raw’ method which is required for non-mp3/ogg streaming. For some reason, send-raw was left out:

Shout-2.1 patch

Decrypting a SSL Server Key for importing into Cpanel

In case someone accidentally encrypts a server key (e.g. not following directions) then expects it to be accepted in to Cpanel, you’ll need to decrypt it first.

Most web hosting platforms (like Cpanel) need the server key to be in clear text. The private key can be decrypted with:

openssl rsa -in encrypted.pem -out plaintext.key

Make sure whoever encrypted the key provides you with the pass phrase.


Automatically purge old voicemail on Asterisk/FreePBX/Trixbox

Run this nifty Perl script daily or weekly via cron. This will keep your voicemail from overflowing and unknowingly rejecting new voicemail.

#!/usr/bin/perl
#
# Script to expire voicemail after a specified number of days
# by Steve Creel
#
use strict;
use warnings;

# Directory housing the voicemail spool for asterisk
my $dir = "/var/spool/asterisk/voicemail";

# Context for which the script should be running
my $context = "default";

# Age (Delete files older than $age days old)
my $age = 31;

# Age for unheard messages (Defaults to same age for all messages)
# Set to 0 to not delete unheard messages
my $unheardage = $age;

# Delete all files older than $age and $unheardage
# (named msg????.??? to get the audio and txt files,
# but we don't delete greetings or the user's name).
# The msg????.??? glob is quoted so the shell hands it to find unexpanded.

if ($age == $unheardage) {

    # Save time by doing one find if we're treating everything the same
    system('find '.$dir.'/'.$context.' -name \'msg????.???\' -mtime +'.$age.' -exec rm {} \; -exec echo Deleted {} \;');

} else {

    # Find everything not in a folder called 'INBOX' and delete it after $age days
    system('find '.$dir.'/'.$context.' -path \'*INBOX*\' -prune -o -name \'msg????.???\' -mtime +'.$age.' -exec rm {} \; -exec echo Deleted {} \;');

    # If unheardage is set to 0, we won't delete any unheard messages
    if ($unheardage > 0) {

        # Delete things that are in a folder called INBOX after $unheardage days
        system('find '.$dir.'/'.$context.' -path \'*INBOX*\' -name \'msg????.???\' -mtime +'.$unheardage.' -exec rm {} \; -exec echo Deleted {} \;');

    }
}

# The remainder is left over from a message-renumbering feature that this
# version never implements; the values are computed but not used.
# For testing - what number do we start at when we renumber?
my $start = "0";

# Rename to msg and a 4 digit number, 0 padded.
my $fnbase = sprintf "msg%04d", $start;

# Make $dir include the context too
$dir .= "/".$context;

mod_security rule for Joomla com_properties [aid] vulnerability

Here’s a mod_security2 rule to block the latest SQL injection vulnerability in a popular Joomla module ‘com_properties’ dated 4/10/2010:

SecRule ARGS:option "com_properties" "phase:1,chain,t:htmlEntityDecode,t:urlDecode,t:lowercase,deny,log,auditlog,msg:'Denied Joomla Component com_properties[aid] SQL Injection Vulnerability'"
SecRule ARGS:aid "\D"

Don’t expect this to be a substitute for updating your vulnerable code, but it will at least buy you and your clients time. Note that a rule in phase:1 runs before the request body has been read, so as written it only inspects query-string arguments; move it to phase:2 if the parameters can also arrive in a POST body.

It never ceases to amaze me how incredibly careless PHP programmers are:

http://www.exploit-db.com/exploits/12136

Windows Vista / Windows 7 / Server 2008 R2: 0xc0000225 after resizing partition or restoring backup

So I needed to shrink a C: partition of a Windows 7 (Server 2008 R2) machine. After shrinking with Gparted (my open-source partitioning tool of choice), Windows no longer booted, with the boot manager complaining of 0xc0000225 (awesome error message as usual, Microsoft).

To get things working again, it was necessary to execute the following BCDedit.exe commands from a rescue disk (WinPE worked fine for me):

bcdedit /set {bootmgr} device boot
bcdedit /set {default} device boot
bcdedit /set {default} osdevice boot

After that, life is again normal.

Sometimes you might need to completely reinstall the MBR — for example, you restored only the c:\ partition from backup to a new already-partitioned disk, but did not restore the original partition table and MBR. This can be accomplished as follows:

bootsect /nt60 SYS /mbr

In some cases, you may also need to make sure the boot partition is flagged ‘bootable’, or the above commands will fail. To correct it:

DISKPART (to open the partition utility)
LIST DISK (disk number(s) will be shown)
SELECT DISK n (where n is the number of the disk - probably 0)
LIST PARTITION (partition number(s) will be shown)
SELECT PARTITION n (where n is the number of the Primary partition you wish to make Active)
ACTIVE (the selected partition on the selected disk will be made Active)

Installing RED5 Server on CentOS

First, download, extract and install:

mkdir /usr/local/red5; cd /usr/local/red5
wget http://www.red5.org/downloads/0_8/red5-0.8.0.tar.gz
tar -zxf red5-0.8.0.tar.gz

Install JAVA:

wget -O java.rpm.bin http://javadl.sun.com/webapps/download/AutoDL?BundleId=38657
chmod 755 java.rpm.bin; ./java.rpm.bin

Open new init script:

nano -w /etc/init.d/red5

Paste into init script:

#!/bin/sh
# For RedHat and cousins:
# chkconfig: 2345 85 85
# description: Red5 flash streaming server
# processname: red5

PROG=red5
RED5_HOME=/usr/local/red5
DAEMON=$RED5_HOME/$PROG.sh
PIDFILE=/var/run/$PROG.pid

# Source function library
. /etc/rc.d/init.d/functions

[ -r /etc/sysconfig/red5 ] && . /etc/sysconfig/red5

RETVAL=0

case "$1" in
  start)
    echo -n $"Starting $PROG: "
    cd "$RED5_HOME"
    $DAEMON >/dev/null 2>/dev/null &
    RETVAL=$?
    if [ $RETVAL -eq 0 ]; then
      echo $! > "$PIDFILE"
      touch /var/lock/subsys/$PROG
    fi
    [ $RETVAL -eq 0 ] && success $"$PROG startup" || failure $"$PROG startup"
    echo
    ;;
  stop)
    echo -n $"Shutting down $PROG: "
    # killproc from the functions library needs the program name as well as the pidfile
    killproc -p "$PIDFILE" $PROG
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$PROG
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    # the -p option must come before the program name
    status -p "$PIDFILE" $PROG
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|status}"
    RETVAL=1
    ;;
esac

exit $RETVAL

Activate init script:

chmod 755 /etc/init.d/red5
chkconfig red5 --add
chkconfig red5 on

Update settings which are located at:

/usr/local/red5/conf/*

Run it:

/etc/init.d/red5 start

hostapd init script for Redhat/CentOS

Hostapd is a software daemon that turns a Linux box into a full blown wireless access point, but it doesn’t come with an init script to automatically start it when the machine boots up. It seems each Linux distribution that supports hostapd does its own thing, so I went ahead and created this little init script to cleanly start/stop hostapd on a CentOS/Redhat box.

#!/bin/sh
#
# start/stop the hostapd server
#
# chkconfig: 2345 99 10
# description: hostap daemon
# processname: hostapd
# config: /etc/hostapd.conf
# pidfile: /var/run/hostapd.pid
#
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

stop()
{
        echo -n "Stopping hostapd daemon: "
        killproc hostapd
        echo
        rm -f /var/lock/subsys/hostapd
}

start()
{
        echo -n "Starting hostapd daemon: "
        daemon /usr/local/bin/hostapd /etc/hostapd.conf -P /var/run/hostapd.pid -B
        echo
        touch /var/lock/subsys/hostapd
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status hostapd
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo "Usage: hostapd {start|stop|status|restart}"
        exit 1
esac

exit 0

You can check out hostapd here:
http://hostap.epitest.fi/hostapd/

I really do think this is the same software many consumer-grade routers are running.