Another Internet Explorer exploit

Just released, another exploit to Internet Explorer 6 & 7, that allows “hackers” to install software on your machine… What do the major Antivirus people say:

“To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft,” Symantec said.

How many mom and pop’s out there even know how to disable java script, and only visit sites they trust? Let alone make sure their antivirus definitions are updated. I have seen some virus trick Symantec’s AV in to thinking the definitions were up to date, and then I go to find hundreds of virus’ on my parents computer. This is just another reason why building the web browser in to the OS is a bad thing and why it should be sandbox’d off in to its own little area.

iPhone security patch

It seems that Apple finally released a patch for the iPhone about the security issue I wrote about back on May 1st (More Security Stuff)

From Apple’s Web Site:

WebKit

CVE-ID: CVE-2009-2797

Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0

Impact: User names and passwords in URLs may be disclosed to linked sites

Description: Safari includes the user name and password from the original URL in the referer header. This may lead to the disclosure of sensitive information. This update addresses the issue by not including user names and passwords in referer headers. Credit to James A. T. Rice of Jump Networks Ltd for reporting this issue.

Not sure when James reported it though. So I don’t know if I found it before him or not. Anyways, here is my suggestion, if you use an iPhone and have EVER logged in to a web site with a username and password, you need to change that password immediately and then apply the patch from Apple to your iPhone. I know there are some people who view my site that use an iPhone and are clicking on links from other websites, therefore sending your username and password to me as well.

OpenVPN between Solaris and MacOSX

I decided to see if I could get a VPN connection working between my laptop (running MacOSX) and my home server running Solaris 10. It turned out to be pretty easy to do a simple config. I am using OpenVPN. To compile the software on my Solaris box I needed to download 3 items:

  1. Virtual Point-to-Point (Tun) and Ethernet (TAP) devices driver. I got the version 1.1 from http://vtun.sourceforge.net/tun/ in source code form.
  2. LZO version 1.08 compression software from : http://www.oberhumer.com/opensource/lzo/download/LZO-v1/
  3. OpenVPN software, I am using the version 2.1RC because I wanted the version to match what I am going to run on the Mac. It can be downloaded from http://openvpn.net/index.php/open-source/downloads.html

Once I got everything downloaded, just compile the LZO, Tun, and OpenVPN:
I decided to have everything related to the vpn installed in /opt/vpn. One thing to note, I tried using the new version 2.x of LZO, and OpenVPN would not find it, so I had to use Version 1 even though 2 is supposed to be supported. So I did the following to compile LZO:

gzip -d lzo-1.08.tar.gz
tar -xvf lzo-1.08.tar
cd lzo-1.08
./configure --prefix=/opt/vpn/lzo
make
sudo make install

Next was to compile TUN

gzip -d tun-1.1.tar
tar -xvf tun-1.1.tar
cd tun-1.1
./configure --prefix=/opt/vpn/tun
make
sudo make install

Only issue with tun was that it did not use the –prefix, it puts everything where it needs to be in /usr/kernel/drv on solaris.

Next is openvpn:

gzip -d openvpn-2.1_rc19.tar.gz
tar -xvf openvpn-2.1_rc19.tar
cd openvpn-2.1_rc19
./configure --prefix=/opt/vpn/openvpn --with-lzo-headers=/opt/vpn/lzo/include --with-lzo-lib=/opt/vpn/lzo/lib
make
sudo make install

Once that is installed I did the simple 1 to 1 vpn connection (static key) for just testing to see if it would work. So in the /opt/vpn/openvpn/sbin directory I did this:

cd /opt/vpn/openvpn/sbin
./openvpn --genkey --secret static.key

I then copy that key to my client via some “secure” means

Then created a server.conf that looks like this:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
keepalive 10 120

On my client (MacOSX) I downloaded Tunnelblick from http://code.google.com/p/tunnelblick/downloads/list and installed it. Next I copied that static.key from the server to the client and put it in ~/Library/openvpn. I also created a openvpn.conf in that directory that looked like this:

remote a.b.c.d
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
cipher AES-256-CBC
route 10.0.0.0 255.255.255.0

In the above, a.b.c.d represents my public IP address for my solaris server.

Now when you start tunnelblick it will search that directory and find that config file and ask if you want to load it. But we are not quite ready to start yet. The next thing I had to do was forward port 1194 UDP off of my router to my OpenVPN server. I will leave this exercise to you. You will also need to make sure IP forwarding is enabled on the Solaris 10 server (because I only have 1 network card in it, but “two” different networks on the box. IP Forwarding will allow your remote machine to be able to see your local network. And since my OpenVPN server is not the router for the entire network, I had to add a static route on my router to say that 10.8.0.0 is available via the openvpn servers local network address, I.e. 10.0.0.1.

You should be able to start the openvpn server now:

/opt/vpn/openvpn/sbin/openvpn server.conf

Once it is started you can use tunnelblick to connect. Once you are connected, you should see that is is connected and the icon has changed from this:
Picture 3
to look like this:
Picture 2

You should also see a tun0 device show up:

ifconfig tun0
tun0: flags=8851 < up ,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST > mtu 1500
	inet 10.8.0.2 --> 10.8.0.1 netmask 0xffffffff 
	open (pid 608)

You should now be able to see all your hosts on the “remote” network. Next up I am going to work on doing the pki infrastructure so I can hopefully link other clients both static and dynamic.

This make is really nice to be able to see your “home” network while you are away.

More nambu security issues

So as if it weren’t bad enough that every message you send is logged with your username and password in the system.log… They decided to log the userid and password in clear text in the sqllite database that it stores information in. Funny all you have to do is a:

strings ~/Application Support/Nambu/Nambu.db

and the second line will contain your userid and password. They keep saying that it is because they are in beta, and when they move to production, it will go to the encrypted keychain, yadda yadda yadda. But these little things should have been done from the begining… Just wondering why people do stupid security stuff like this…

More security stuff

Because I am in that sort of mood tonight I started looking at other log files to see what kinda crap I could find.

So it appears that the iPhone has a bug where it seems to like to send the Userid and Password for Websites that you log in to as a referring link if you click on an outside link from inside an protected place.  Say what?  Well let me explain some more:

Say I set up a password protected web site that uses an htaccess style password protection. I then go to that web site, say http://somecoolsite.com/protected. If the userid and password is stored or used in the URL, say I had the user id of unixwiz and my password was IamCool, and I went to the web site with http://unixwiz:[email protected]/protected… Once inside the protected site, I then click on a link to some external site, for example http://mycoolsite.com, the iPhone is sending the refering URL as http://unixwiz:[email protected]/protected/ .. Which you guessed it, shows up on mycoolsite.com’s access log if they have referrer logging set up, or are doing anything that captures referr data. I would be interested in seeing if it still does it if you are prompted to enter your username and password and not save it.  How cool is that, with the amount of people using iPhone’s now, wonder how many people are looking at the logs to see this sort of data….

FWIW