Monday, February 15, 2016

How to fix the latest 0-day flaw of Linux and Android




The Israeli security company Perception Point disclosed a vulnerability in Linux and Android. The company describes this as a zero-day "vulnerability of local elevation of privileges in the Linux kernel." That is accurate, but it is not the whole story.


What Perception Point did not say is that, after the flaw was discovered, their finding (CVE-2016-0728) was sent upstream to the Linux kernel developers for correction. The only reason it was called a "zero-day" is that Perception Point released an exploit while the patch was already under development.


Why did they do this?

"It is to promote companies nobody has heard of. This way, they make the headlines and we inherit the security headaches," commented a Linux security developer.

This, according to another programmer working on solving the problem, is far from an isolated case. "Security companies always make a big story of small problems for their own benefit."

In this case, the vulnerability lies in the Linux keyring, a feature used to cache different types of security-related data such as encryption keys. Problems arise when the field used to store the name of an object is exploited to cause a buffer overflow. An attacker is able to overwrite memory and escalate privileges. In summary, yes, an ordinary user can obtain the rights of a "super user".

This is not good news, but it is not as bad as it seems. First, you need a user account. At a minimum, an attacker would need a login and a shell account on the target system.

In addition, for once, this problem does not affect older systems. Only Linux distributions using version 3.10 or later of the Linux kernel can be attacked this way. Linux 3.10 has been available since August 2013.

More specifically, the following distributions are theoretically vulnerable:

  • CentOS Linux 7
  • Debian Linux stable 8.x (Jessie)
  • Debian Linux testing 9.x (Stretch)
  • Fedora 21
  • Scientific Linux 7
  • openSUSE Linux LEAP 42.x and version 13.x
  • Oracle Linux 7
  • Red Hat Enterprise Linux (RHEL) 7
  • SUSE Linux Enterprise Desktop 12
  • SUSE Linux Enterprise Server (SLES) 12
  • Ubuntu Linux 14.04 LTS (Trusty Tahr)
  • Ubuntu Linux 15.04 (Vivid Vervet)
  • Ubuntu Linux 15.10 (Wily Werewolf)

Even on these systems, the posted exploit does not work. I tried it myself on a Fedora 23 system with 8GB of RAM. This eventually locked up the PC once the free memory was exhausted. Others report that the attack failed due to memory exhaustion.

Although this method could be used to attack devices running Android 4.4 and later, such an attack is pointless. First, the attacker must have the device in hand. Then it would take more memory than I have ever seen on an Android device. Finally, as Perception Point acknowledges, "the full exploit requires 30 minutes to run on an Intel Core i7-5500 CPU." On Android, it would take more than a day. Clearly, there are simpler ways to attack an Android smartphone or tablet.


Moreover, many, if not most, Linux kernels have SMEP (Supervisor Mode Execution Protection) and/or SMAP (Supervisor Mode Access Prevention) enabled. Although these security measures can be circumvented, they add a layer of complexity to successful exploitation of the flaw.

Yet the problem needs a solution. The patch is already available as source code. Most Linux distributions have provided the patch. One exception: Red Hat (January 20).

One workaround that does not work is the following command:

# echo 1 > /proc/sys/kernel/keys/maxkeys


This only works for keys created by ordinary users, not for root's keys. It is not a cure.
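
As an added example (not from the original article), the following shell triage applies the two facts given above: the 3.10-or-later kernel range and the limits of the maxkeys workaround. The function names are hypothetical; root_maxkeys is the separate root quota file in the same /proc directory, and because distributions ship fixes without changing the upstream version number, a kernel in range still has to be checked against the distribution's fixed package.

```shell
#!/bin/sh
# Added example (not from the article): triage for CVE-2016-0728.
# Function names are hypothetical; the 3.10 threshold is the one the article gives.

# Return 0 if a `uname -r` style release is 3.10 or later, 1 if older, 2 if unparsable.
kernel_in_affected_range() {
    kr_rel=$1
    case "$kr_rel" in *.*) ;; *) return 2 ;; esac
    kr_major=${kr_rel%%.*}               # "3.10.0-327.el7" -> "3"
    kr_rest=${kr_rel#*.}                 # -> "10.0-327.el7"
    kr_minor=${kr_rest%%[!0-9]*}         # -> "10"
    case "$kr_major" in ''|*[!0-9]*) return 2 ;; esac
    case "$kr_minor" in '') return 2 ;; esac
    if [ "$kr_major" -gt 3 ]; then return 0; fi
    if [ "$kr_major" -eq 3 ] && [ "$kr_minor" -ge 10 ]; then return 0; fi
    return 1
}

# Return 0 if the maxkeys workaround is in place (maxkeys <= 1) while root's
# separate quota, root_maxkeys, is still above 1; 1 otherwise; 2 if unreadable.
# $1 is the sysctl directory, so a constructed copy can be checked offline.
workaround_leaves_root_quota() {
    wq_dir=${1:-/proc/sys/kernel/keys}
    if [ ! -r "$wq_dir/maxkeys" ] || [ ! -r "$wq_dir/root_maxkeys" ]; then return 2; fi
    wq_user=$(cat "$wq_dir/maxkeys")
    wq_root=$(cat "$wq_dir/root_maxkeys")
    if [ "$wq_user" -le 1 ] && [ "$wq_root" -gt 1 ]; then return 0; fi
    return 1
}

# Print one line per finding; always returns 0 so it is safe under `set -e`.
cve_2016_0728_triage() {
    tr_rel=$1; tr_dir=$2
    if kernel_in_affected_range "$tr_rel"; then
        echo "CHECK  kernel $tr_rel is 3.10 or later: confirm the distribution's fixed kernel is installed and booted"
    else
        echo "OK     kernel $tr_rel is outside the 3.10+ range (or could not be parsed)"
    fi
    if workaround_leaves_root_quota "$tr_dir"; then
        echo "WARN   maxkeys is capped but root_maxkeys is not: the workaround does not cover root's keys"
    fi
    return 0
}

cve_2016_0728_triage "$(uname -r)" /proc/sys/kernel/keys
```
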
Instead, depending on your distribution, you should run the following command from the shell:


Thursday, December 24, 2015

SME Server 9.1



Terry Fage announced the release of SME Server 9.1, the first update to the stable 9.x branch of the project's server distribution based on CentOS 6: "Koozali is pleased to announce the release of a new version of the Koozali SME Server distribution. SME Server is designed for use on servers in small and medium enterprises and is based on CentOS."

The latest version, SME Server 9.1, provides users with an update of the 9.x series of the distribution and is based on CentOS Server 6.x. SME Server 9.1 introduces support for Windows 10 domains and includes the upstream distribution's OpenSSL package. Major changes in this release: a feature has been added to use a dummy network interface for the internal interface; the frequency of update checks for 'smecontribs' can be set through server-manager; SSLv3 is disabled; Windows 10 support has been added to the SME domain.


pfSense 2.2.6 released

An update of the FreeBSD-based operating system made for firewalls and routers


Chris Buechler announced the release of pfSense 2.2.6, an update of the FreeBSD-based operating system made for firewalls and routers. This version is mainly a security update that corrects problems in the software's browser-based user interface and several recent OpenSSL vulnerabilities; it also upgrades the base system to the latest FreeBSD version: "pfSense version 2.2.6 is now available. This version includes some bug fixes and security updates. Security patches and errata: web interface (WebGUI) - local file inclusion vulnerability in the pfSense WebGUI; captive portal - SQL injection vulnerability in the pfSense captive portal logout; WebGUI - multiple XSS and CSRF vulnerabilities; update to FreeBSD 10.1-RELEASE-p25; OpenSSL - multiple vulnerabilities; strongSwan updated to version 5.3.5, which includes the patch for the authentication bypass vulnerability CVE-2015-8023 in the eap-mschapv2 plugin."

As always, you can upgrade from a previous version directly to 2.2.6. For those who already use a 2.2.x version, this is a low-risk upgrade. For those on 2.1.x or earlier, there are a number of important changes that may affect you. Pay special attention to the 2.2 upgrade notes for details.

New Manjaro Linux distribution 15.12


Philip Müller has announced the release of a new version of the Manjaro Linux distribution. The new version, Manjaro Linux 15.12, comes with Xfce 4.12 and version 5.5 of the KDE Plasma desktop, with a freshly polished system installer. "Significant changes in our tools: the Manjaro Settings kcm module has been reworked; several improvements to Pamac and Octopi; optimizations and fixes in Manjaro-Tools; an LVM problem has been fixed in Thus. We have the following changes: KDE Apps has been updated to 15.12, VirtualBox is now at version 5.0.12, Mesa is at version 11.0.8, Wine at version 1.8 and the Linux kernel at version 4.4-rc6. Bumblebee is now set up for OpenRC and small corrections were made to the Samba share plugin for Thunar."



Thursday, September 17, 2015

Becoming familiar with Linux

On the blog "Linux for us", many of you are getting started in hacking and looking for more information about programming.

Being a beginner is absolutely normal, as I always say; what is not normal is that I had not yet written any articles on hacking with Linux. That is now done.

I will first answer some questions about Linux that have been asked often recently, before continuing:


"Do I need to use Linux to learn hacking?"

Let's say that hacking is attached to the spirit of free software, that is to say, permission to study, modify and duplicate a program's source code. In fact, when we speak of free software, the user controls the program in question and can share it. Linux is what is called a free operating system.

Here are the 4 principles of Free Software:

  • the freedom to run the program for any purpose;
  • the freedom to study how the program works and adapt it to your needs;
  • the freedom to redistribute copies of the program (which implies being able to give copies away as well as to sell them);
  • the freedom to improve the program and distribute the improvements to the public, for the benefit of the whole community.

"Free software" is similar to "open source software", but free software is more a question of philosophy, whereas the term open source is mostly used to refer to a development method based on reusing source code.

More information on Wikipedia: http://fr.wikipedia.org/wiki/Logiciel_libre

In hacking, we try to understand the inner workings of programs and systems. For that we need as much access to them as possible, and proprietary software does not really allow it.

Note that there is also free software for Windows (such as the famous VLC Media Player), even though Windows itself is not free.

Here is an infographic on some popular open source software:

[Infographic: open source software]
To conclude, the answer is the one that is often given to beginners: it depends on what you want to do and on your level of curiosity.

Linux is not a system that you must use, but for hacking it is a system you should have seen and know at least a little.

Then again, using and staying on Linux rather than Windows is a choice that meets specific needs and reflects a particular state of mind, that of free software. Typically, the games and other applications that you currently use probably cannot be used on Linux.

"Do I need to use Linux to learn programming?"

Linux is precisely the system created by programmers for programmers. So you get several tools and working methods for programming easily and quickly.

For example, many compilers are already present on Linux, so you do not need to download anything before starting to program.

People often learn programming on Linux because, besides the fact that it is free, you get to study its behavior more closely and get closer to the system; you can also change system components that are locked down on Windows (desktop manager, etc.).

That said, Windows also allows programming for all types of platform, and it is not essential to use Linux to program.

Similarly for web languages: if you are programming for the web, using Linux or Windows will not change much.

So you will notice that for every question about using one system rather than another, each always has advantages and disadvantages relative to the other. So this is a philosophical difference.

So it is up to you to make the choice, and to help you make the right one I will give you a tip:

Identify what you want to learn, or at least your learning plan (e.g. I want to learn to create a site, then secure it, then learn server security, etc.), and then test Windows and Linux to see which one is more convenient for learning, and so make up your mind.

A small note to finish: using Windows, Linux and even Mac at the same time is not a problem. You do not have to tie yourself to one system once and for all; instead just try, be curious, be a hacker.

"Are there fewer viruses on Linux?"

Yes, but.

In fact it is very simple: some time ago it was still estimated that 90% of Internet users use Windows. That must still be the case today. Also remember what I said earlier: Linux was created by programmers for programmers.

That means that most "inexperienced" users, typically called "average users", use Windows, so it is more worthwhile for the creators of malicious programs to develop tools targeting Windows.

That is why there is more risk on Windows today.

Believing that Linux (or Mac) is invincible is a huge mistake. Attacks like phishing, social engineering and so on are independent of the system, as are caution, vigilance and awareness.

What is 99% secure is not secure.

Getting started with Linux

I will stop with the theory; I assume you have decided to try Linux as a beginner.

I will guide you quickly through getting started with Linux, but I will not have time to go into all the details; a complete guide is coming for that.

Let's move straight to practice with the Linux installation.

Linux can be broken down as follows: the Linux kernel and all the software assembled around it. The whole forms what is known as a Linux distribution. You are not going to "download Linux" but rather download a Linux distribution of your choice.

Linux itself follows the Unix specification, but is a separate system.

There are several Linux distributions, just as there are several versions of Windows; some are aimed at beginners, others are specialized. Kali Linux (formerly BackTrack) is an example of a distribution specializing in pen-testing (penetration testing) that is used in hacking circles (if you want tutorials on Kali, feel free to ask).

If the entire list of distributions interests you, I wish you good reading.

So what is the best distribution for beginners?

Well, I cannot give you a precise answer. For me it is a matter of taste: some people love distributions that others hate.

That said, it is often said that Ubuntu and Mint are among the easiest for a beginner to get to grips with.

Ubuntu is also one of the most popular distributions, and it is one I have often used. So I will use it for the rest of this tutorial and invite you to do the same.

I insist that you need to test distributions to find the one you like best. The principle is the same, so once you have done it with Ubuntu you can do it again with other distros.

UBUNTU Installation


To install Ubuntu, go here: http://www.ubuntu-fr.org/telechargement

Note: Each distribution has its official website, so to download another one, simply type its name into Google!

So click the download link and download the disk image (ISO) of Ubuntu.

When you run a disk image, it is as if you had placed a CD in your disc drive.

Now you have two main choices:

1. You install Ubuntu in a virtual environment

2. You install Ubuntu alongside Windows in dual boot

If you install Ubuntu on a bootable USB drive (your system is installed on a USB stick), the method is similar to the first choice. In that case I refer you to Linux Live USB Creator: http://www.linuxliveusb.com/fr/home.

I will not talk about dual boot in this article, only about installation in a virtual environment.

Installing Ubuntu in a virtual environment

Usually you will want to test Linux before actually installing it on your system. If this is the case, then you are in the right place.

With virtualization, the system is launched inside Windows, in emulated form.

To install Ubuntu (or another Unix-based system), you will first need what is called operating system virtualization software. The most popular is VirtualBox.

Download VirtualBox

To download VirtualBox, please visit the official website at: https://www.virtualbox.org/wiki/Downloads and click "VirtualBox VERSION for Windows hosts."

Once it has downloaded, install VirtualBox by double-clicking the downloaded program. VirtualBox will automatically install everything it needs; firewall windows may appear asking whether you allow VirtualBox to use the network.

Simply allow all these actions.

Finally run Oracle VM VirtualBox.

In the main window, click New.



Then give a name to your virtual system, typically "Ubuntu" and click Next.

You must now choose the amount of memory allocated to this system. Windows is still running on your computer, and the total amount of memory has not changed. You must decide how much memory is allocated to the virtual system when it is launched.

VirtualBox usually recommends an amount of RAM itself; 512MB is sufficient. If you really have a lot of RAM (6GB or more) you can go up to 1 or 2GB.


Then click Next.

In the screen that appears, select Create a virtual hard drive now and click Create.




In the window that opens, select VDI and click Next.

Click Dynamically allocated, then click Next.

You can now choose a name for the virtual hard drive or leave it as is. You can also decide how much space you allocate to the virtual system.

Remember that earlier we chose the amount of RAM to allocate; now it is the space on the hard drive that will be shared with your current system.

Warning: there is a risk of crashes later if you do not allocate enough space. Be sure to allocate at least 8GB or 10GB, choose more if you have enough space, and click Create.

You will return to the VirtualBox main menu. It now remains to attach the previously downloaded Ubuntu disk image to the virtual machine.

To do that, select the machine you have just created, and then click the Configuration tab.



Note that Ubuntu does not know it is running in VirtualBox. If it asks for permission to "wipe disk" in order to install, it erases the virtual disk (which is empty anyway) and not your whole hard disk.

If you need help with VirtualBox, here is the online manual: http://download.virtualbox.org/virtualbox/UserManual_fr_FR.pdf

You now have Linux installed on your machine! Congratulations.

You should see something like this (depending on your version of Ubuntu; here 14.04)


From now on, it is up to you to practice as much as possible to become familiar with the system. A Desktop Guide comes with Ubuntu, accessible via the bar at the top of the screen (right click). Otherwise click here to see it directly: http://guide.ubuntu-fr.org/

I will post a new article to explain how to use the terminal, manual pages, access rights, redirections ... and a bunch of other information to get you up and running on Linux (Ubuntu) quickly.



Friday, September 11, 2015

Wego: weather forecasts at any time in your terminal!

Having the weather in your GNU / Linux desktop environment is very easy thanks to widgets and other applets, but what about those who just use the terminal?

Wego is a stylish weather app for the terminal. Thanks to an ncurses-based interface, this application lets you see current conditions and forecasts at a glance. It retrieves the weather forecast for the next 5 days via an API.

Install Wego on your GNU / Linux distribution

Wego is written in the Go language, so the first step is to install Go. After installing Go, proceed to the Wego installation.

Go installation


  • Arch Linux / Manjaro:
    sudo pacman -S go
  • Debian / Ubuntu:
    sudo apt-get install golang
  • Fedora:
    sudo yum install golang

Wego Installation

Copy these lines in a terminal:

go get github.com/schachmat/wego
echo 'export PATH="$PATH:$GOPATH/bin"' >> ~/.bashrc
source ~/.bashrc

Alternatively, on Arch Linux and Manjaro, use yaourt:

yaourt -S wego-git

Wego requires an API key for weather forecasts. You can get a key from https://developer.worldweatheronline.com/ after registering.

Copy the key into Wego's configuration file, in place of the COLLER-LA-CLE-ICI placeholder:

nano ~/.wegorc

{
        "APIKey": "COLLER-LA-CLE-ICI",
        "City": "Paris",
        "Imperial": false,
        "Lang": "fr"
}

Once the key is copied into the configuration file, just run Wego as follows:

wego