
Jan 6, 2009 (Only #Security)

Today I received an email from a buddy of mine, who unwisely uses the AVG (www.avg.com) antivirus software. On the bottom of his email was attached this signature:

Internal Virus Database is out of date.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.9.17/1847 - Release Date: 13/12/2008 16:56

So, all anyone has to do is work out which bits of malware are not covered by this version of the database and send one of them to him to virtually guarantee infection.

Clearly AVG are doing this to shame him into updating his AV; or in his case, purchasing a subscription to take him beyond the free trial received when he bought his new laptop.

Whatever the reason, it is not a good idea to publicise to the world that your AV is out of date, or which version is in use.
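
The disclosure above is easy to catch at the mail gateway. The following is an added example (not part of the original post, and not AVG's code) that parses the footer format quoted above out of an outgoing message, extracts the product and database versions, and reports how many days old the database was on a given date. The message body around the footer is constructed for the example; the footer lines themselves are the ones quoted in the post.

```python
import re
from datetime import datetime

# Constructed sample of an outgoing message carrying the AVG footer quoted
# in the post; the greeting lines are made up for this example.
SAMPLE_MESSAGE = """Hi,

See you on Thursday.

Internal Virus Database is out of date.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.9.17/1847 - Release Date: 13/12/2008 16:56
"""

# Matches the "Version: ... / Virus Database: ... - Release Date: dd/mm/yyyy HH:MM" line.
FOOTER_RE = re.compile(
    r"Version:\s*(?P<product>[\d.]+)\s*/\s*Virus Database:\s*(?P<db>[\d./]+)"
    r"\s*-\s*Release Date:\s*(?P<date>\d{2}/\d{2}/\d{4} \d{2}:\d{2})"
)
STALE_MARKER = "Internal Virus Database is out of date."


def parse_av_footer(body):
    """Return a dict describing the AV footer in a message, or None if the
    message carries no recognisable footer."""
    m = FOOTER_RE.search(body)
    if not m:
        return None
    return {
        "product_version": m.group("product"),
        "db_version": m.group("db"),
        "db_release": datetime.strptime(m.group("date"), "%d/%m/%Y %H:%M"),
        "self_reported_stale": STALE_MARKER in body,
    }


def audit_outgoing(body, now, max_age_days=7):
    """Classify an outgoing message. `now` is an ISO timestamp such as
    "2009-01-06 17:00" (a string so the function is easy to drive from tests).

    Returns (verdict, details) where verdict is one of:
      "clean"      - no AV footer, nothing disclosed
      "discloses"  - footer present and database recent (still leaks versions)
      "stale"      - database older than max_age_days, or the product itself
                     says it is out of date
    """
    info = parse_av_footer(body)
    if info is None:
        return "clean", {}
    reference = datetime.fromisoformat(now)
    info["age_days"] = (reference - info["db_release"]).days
    if info["self_reported_stale"] or info["age_days"] > max_age_days:
        return "stale", info
    return "discloses", info


if __name__ == "__main__":
    verdict, info = audit_outgoing(SAMPLE_MESSAGE, "2009-01-06 17:00")
    print(verdict, info["product_version"], info["db_version"], info["age_days"])
```

A gateway rule built on this would strip the footer outright rather than merely log it: even a current database version tells a reader exactly which engine they are up against.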

Aug 20, 2008 (Only #Security)

While investigating centralised automation of power management settings for Windows XP, I discovered that it is possible to use POWERCFG.EXE to create a new power management profile scheme with a name of greater than 32 characters. The resultant name cannot be enumerated by POWERCFG.EXE itself or the control panel applet POWERCFG.CPL, suggesting an unchecked buffer, with the possibility of a buffer overflow.

Issue concerns the following:
Windows XP SP3
POWERCFG.CPL v6.00.2900.5512
POWERCFG.EXE v5.1.2600.5512

The problem does not occur in Windows 2003 with the following file versions:
POWERCFG.CPL v6.00.3790.3959
POWERCFG.EXE v5.2.3790.3959

Recreate as follows (use a test machine):
. Command: POWERCFG.EXE /CREATE "012345678901234567890123456789012"
. Command: POWERCFG.EXE /LIST
. Note above command fails to enumerate the new scheme.
. Command: POWERCFG.CPL
. Note GUI fails to enumerate the new scheme.
. Go to HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies to remove the new scheme, it will be listed under the ID of the highest number.
. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies and remove the key of the same ID as above.

I was developing a tool to perform central management of Windows XP Power Management Settings, to allow a client to reduce their carbon footprint (apparently there are awards to be had for this sort of thing). I had originally planned to create a new power management scheme with the required settings, but in light of the above have opted instead to change the profile of the builtin scheme "Home/Office Desk" as that is always referenced with the numeric ID 0 and already exists on all Windows XP machines. The project was a success and for those interested, further information is available here: http://www.leafgrove.com/news.asp?id=9&articleid=20.

It's also interesting to note that each time a new scheme is created with the POWERCFG.EXE /CREATE command, it is assigned a unique decimal ID number incremented from the previous one, even if deleted. I'm therefore of the opinion that it might also be possible to overflow another buffer by creating enough new schemes to push the ID beyond the number that can be enumerated by the EXE or the CPL and potentially permanently break the functionality. It remains to be seen if this one will run as far as the malformed malicious ANI issue discovered in March 07 (BugTraq ID: 23194).

Jul 30, 2008 (Only #Security)

For the benefit of the record, I am very pro-police and very anti erosion of privacy.

The clamour for removal of around 1,000,000 records from the UK national DNA database is a disaster for the police.

There are so many records in the database, and the Police are so bogged down in paperwork, that they have resorted to DNA as the first and almost the only line of enquiry. DNA has become the evidential panacea to the Police and public, when it is far more susceptible to tampering than almost any other kind of evidence.

This has of course resulted in an unacceptably large number of wrongful arrests and wrongful convictions as contamination during collection, analysis and processing is married to the significant number of inaccuracies in the source database itself.

The reasons for the disaster are as follows:

. Innocent people will no longer be available to accuse without actually doing some police work to go and at least check an alibi before arrest. The Police are so tied up with pointless paperwork and targets only a committee could have come up with, that they don’t have the time to go and be Policemen.

. There is a significant risk that inaccuracies in the source database will cause the records of the guilty to be thrown out with those of the innocent. Paradoxically, this will be used as an excuse to keep the records of the innocent in the database.

The problems with a pervasive database of DNA are many and serious:
. You as an innocent party can (and will) be accused at any time of any crime, because a small particle of you, floating on the wind, happened to settle in an inconvenient place. Having been accused, the accusation will be kept on file forever and will be made available to the Criminal Records Bureau (even though you are innocent of any crime) who will silently and without recourse, bar you from any job involving contact (and potential contact) with children or other vulnerable members of society. It has been estimated that one quarter of all jobs in the UK will come under CRB checking, so you could be forced out of work for the rest of your life.

. No one in the civil service cares one iota about who gets their hands on our personal data, because they are not personally held responsible for its safety. History has proven time and again that no responsibility and no accountability absolutely guarantees that sensitive data will fall into the public domain. If a criminal has your DNA records, who knows what they could be used for. Without exclusive access to the one thing that proves who you are, you have no way of resurrecting your identity after yet another security breach.

. This government has created thousands of laws criminalising various behaviours, but done nothing to stop the causes of those behaviours. It has passed laws to make it illegal for you to deny the Police a DNA sample on arrest (on the grounds of breach of privacy, for instance), but has done nothing to criminalise abuse of the records it collects. This has (as in every case) caused otherwise law-abiding people to be branded criminal for simply protecting their privacy in the most innocuous (and previously acceptable) fashion.

The day we are forced to contribute to a national DNA database of every citizen, is the day the innocent and law-abiding start to leave the country. To stop the bad-guys from escaping, would the last one out please close the door.

Jul 18, 2008 (Only #Security)

Is it me or is there a deafening silence, where there should have been celebration?

The long-time bug in DNS that allowed cache-poisoning and effectively allowed an attacker to hijack a legit website for their own needs has existed since the start of DNS. The bug is well known and is the result of less-than-perfect design of the solution itself - interestingly not really the fault of the vendors writing DNS Server applications.

Ok, so the bug has now been addressed by the major and most of the minor vendors. The celebration point is that dozens of vendors (many in direct competition) all got together and released a fix for the same bug, AT THE SAME TIME. Think about that for a second, that single fact is nothing short of miraculous. I have to wonder if this example of large-scale global collaboration by vendors is a statistical blip, or the sign of things to come.

May 9, 2008 (Only #Security)

I have written previously on how to quickly create a free, secure and fast VPN solution on Windows Server 2003. Having just migrated my own VPN to Windows Server 2008, I thought I should do a new article for the more recent operating system. This version of the install requires only one network interface and therefore does not require configuration as a router, which simplifies the solution and makes it far easier to implement in today's subnetted networks.

This solution provides for proper two-factor authentication, which makes it plenty secure enough for its intended use - a quick and secure way to provide remote access to your network while the comms team sets up their enterprise class VPN solution. The solution is not perfect, primarily in its requirement to manage the pre-shared key by hand - unworkable for more than a *very* small number of users.

I built this solution using a VM and total configuration and testing time is comfortably under an hour.

First, deploy yourself a fresh Windows Server 2008 VM; not forgetting to sysprep it (thus making sure you have a nice fresh SID!) if necessary and then join it to the domain, so it can authenticate users on the domain.

After logging on as an administrator for the first time, the server manager should open up and allow you to install additional roles. The roles wizard is excellent, but a little mickey mouse for those of us that know what we're about.

If you are using a VM and have the capability, you might want to take a snapshot of the machine at this point in case you want to start again.

Install the Role
Open the Server Manager (right-click on my computer and select manage).
Start the roles wizard by expanding out the left hand menu, selecting roles and clicking the add roles button.
Select the Network Policy and Access Services check box and click next through to the role services dialog.
Select only the Remote access service and click through to install.

Configure RRAS
Once complete, close the role wizard and from the administrative tools menu, open routing and remote access.

Verify the machine name in the snap-in is correct and right-click on it, selecting configure and enable to start the wizard. It's worth noting here that if you want to fry the config and start again, you can right-click on the server name and select disable routing and remote access to completely clear the RRAS config.

Unless specified, from now on leave all the default settings and only change what is described below:

Select Custom Configuration
Check VPN Access Only
Finish and start the service

Right-click on the server and select properties:
Server Properties
General Tab: Enable this computer as a: (IPv4) Remote Access Server, uncheck everything else

Security Tab: Authentication Provider: Windows Authentication
Allow custom IPSEC policy for L2TP connection (enter a long passphrase to act as shared key; save this for entry into the client setup)

IPv4 Tab: Enable IP forwarding
This server can assign addresses by using DHCP
Enable broadcast name resolution

PPP Tab: Check all

Logging Tab: Log all events

Ports Properties
Uncheck all connection boxes for everything other than L2TP and where required, set maximum ports to 1 or 0
L2TP: Remote access connections (inbound only)
Uncheck everything else
Maximum ports: 10 (or whatever you think you'll need)

IPv4 Properties
Routing: Only General and Static Routes, remove everything else
General Properties
Logging Tab: Log errors and warnings

Remote Access Logging and Policies
New Network Policy
Policy Name: "Permit Windows VPN Access"
Policy Condition: Tunnel-Type matches "Layer Two Tunneling Protocol (L2TP)"
Policy Condition: Tunnel-Type matches "Point to Point Tunneling Protocol (PPTP)" (only if you require it)
Access is determined by user dial-in properties (i.e. set on the Dial-In tab of the user account)
Configure Authentication Methods
Check: Microsoft Encrypted Authentication v2 (MS-CHAP v2) (and user can change password feature)
Check: Microsoft Encrypted Authentication (MSCHAP) (and user can change password feature)
Uncheck everything else on authentication methods
Default remaining settings

Don't forget to remove any snapshots you created as they are no longer required.

Once the setup is complete you will need to open the firewall and configure a public facing IP and preferably a public DNS entry too. If this is your home connection and you have no fixed public IP or public DNS then you can set your firewall to accept the connections and static map the ports straight through to your new VPN server.

Firewall Configuration Settings
L2TP Inbound Requirements: Protocol 50, IPSec NAT-T UDP 4500, IKE UDP 500
PPTP Inbound Requirement: Protocol 47, PPTP TCP 1723
Configure the firewall to allow any source to access the firewall on the above ports and the rule to map the results to the internal IP of the VPN Server.
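
Before opening the firewall it is worth checking the resulting rule set against the list above: a forgotten NAT-T rule breaks every client behind a home router, and a PPTP rule left over from an old server is exposure you did not ask for. The following is an added example (not from the original post) that models inbound forwarding rules as (protocol, port, internal address) and audits them against the L2TP and PPTP requirements listed above. The rule set and the addresses are constructed for the example; a real firewall export would need its own loader into the same `Rule` shape.

```python
from collections import namedtuple

# One inbound forwarding rule: IP protocol number, destination port (None for
# protocols without ports, e.g. ESP and GRE) and the internal host it maps to.
# This shape is an assumption of the example, not any particular firewall's format.
Rule = namedtuple("Rule", "proto port forward_to")

# IP protocol numbers used by the requirements in the post.
ESP, GRE, TCP, UDP = 50, 47, 6, 17

# Inbound requirements exactly as the post lists them, keyed by tunnel type.
REQUIREMENTS = {
    "L2TP": {(ESP, None), (UDP, 500), (UDP, 4500)},   # ESP, IKE, IPSec NAT-T
    "PPTP": {(GRE, None), (TCP, 1723)},               # GRE, PPTP control channel
}


def audit_vpn_rules(rules, vpn_server_ip, tunnels=("L2TP",)):
    """Check an inbound rule set against the post's requirements.

    Returns a dict with three lists:
      missing    - (proto, port) pairs the requested tunnels need but are absent
      wrong_host - rules for required ports that forward somewhere other than
                   the VPN server
      excess     - rules belonging to tunnel types that were not requested
                   (e.g. PPTP still open when only L2TP is wanted)
    """
    wanted = set().union(*(REQUIREMENTS[t] for t in tunnels))
    unwanted = set().union(
        *(REQUIREMENTS[t] for t in REQUIREMENTS if t not in tunnels)
    )
    present = {(r.proto, r.port): r for r in rules}

    missing = sorted((w for w in wanted if w not in present), key=str)
    wrong_host = sorted(
        (r for k, r in present.items() if k in wanted and r.forward_to != vpn_server_ip),
        key=str,
    )
    excess = sorted((r for k, r in present.items() if k in unwanted), key=str)
    return {"missing": missing, "wrong_host": wrong_host, "excess": excess}


# Constructed sample: the NAT-T rule was forgotten and a PPTP rule from a
# decommissioned server is still forwarding to a different address.
VPN_SERVER = "192.0.2.10"  # documentation address standing in for the VPN server
SAMPLE_RULES = [
    Rule(ESP, None, VPN_SERVER),
    Rule(UDP, 500, VPN_SERVER),
    Rule(TCP, 1723, "192.0.2.11"),
]


if __name__ == "__main__":
    report = audit_vpn_rules(SAMPLE_RULES, VPN_SERVER)
    for category, items in report.items():
        for item in items:
            print(f"{category}: {item}")
```

Pass `tunnels=("L2TP", "PPTP")` if you enabled PPTP in the network policy above; the PPTP rule then moves from `excess` to required, and the audit instead reports that it forwards to the wrong host.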

To configure the Windows VPN Client
New Connection Wizard
Connect to the network at my workplace
Virtual Private Network Connection
Set the connection Name "My VPN"
Decide if a dial-up connection is required first
Enter the IP address/DNS Name of the VPN Server

Connection Properties
Options Tab: Check all Dialling Options
Security Tab: IPSec Settings
Use pre-shared key for authentication
(enter text to act as shared key, same as that entered above)
Security Tab: Everything else, leave as default
Networking Tab: Type of VPN L2TP IPSec VPN or PPTP if you configured it above
Networking Tab: Everything else, leave as default

There, all done. I've used this in a few places and because the setup is so quick and easy, on the very rare occasions when it goes wrong, it's actually quicker to fry the config and start again than to try and diagnose what went wrong.



May 4, 2008 (Only #Security)

Having migrated this blog to Windows Server 2008 I was checking the logs and noticed that the mail.asp page was being abused to try and send me spam email.

This has been going on for a while, but my mailserver knows the difference between legit comment and muppets posting porn site links and I never received the duff email. However, I felt that I should be doing something to stop this behaviour.

To this end I've modded the email response page to break the typical attempts and stop it from working. If you also run BlogX and want to know how this was done, please drop me a line.

Of course, there are a variety of methods of doing this, so I will have to see how successful my first try was. It's likely I'll have to brush off more of my rusty ASP to solve it permanently.

Update: My first try was not that successful and about 80% of the bot-based spammers were able to get through. However, my second attempt makes use of the server itself to detect the source of request and block anyone not using the page for legit comment.

I have emailed the author of the blog software who will be implementing a verification methodology where users are required to confirm over email - thus neatly removing any false/spoofed addresses and their messages. This will be available once Matthew1471 has finished his finals!

Apr 29, 2008 (Only #Security)

Recently, my Lacie Ethernet Disk (perhaps the cheapest server based storage money can buy) has been shutting down spontaneously. There was no fixed time or set of circumstances and nothing in the logs other than the usual "shutdown at blah was unexpected" messages in the event logs. Sometimes it would stay up for a week, sometimes not even 20 minutes.

The problem turned out to be the weather and was solved by moving it from the top of the rack to the middle.
Confused? Here goes...

The Lacie is not a particularly robust bit of kit internally, and the large disks generate a fair bit of heat. This is probably why the casing is metal as aluminium is an excellent conductor of heat, where plastic isn't. Overly high internal temperatures in the Lacie cause it to power off. My Lacie was sat in the top of my rack, the rest of the space being taken up by servers and the like.

My server room used to get very hot in summer, but last year I put in AirCon and things have much improved - but the unit is only rated at 7kW and the heat is not entirely dissipated from the rear of the rack due to lousy air circulation. The big servers are full of fans and cope fine, but the Lacie is a little more sensitive.

So, it turns out that when we have a bit of sun, as recently, the rack gets just hot enough internally to cause the Lacie to shut down. I moved the Lacie to the middle of the rack where there is less heat and also where the ambient room temperature is lower and voila, it's been up for a while now and no issues.

Sep 6, 2007 (Only #Security)

I've had a few questions on my previous post on Re-purposing the LaCie Ethernet Disk, mostly around how I got the CMD.EXE window to appear at the beginning of the exercise.

So, to get yourself a CLI on the LaCie Ethernet Disk, you need to do the following:

Set the local admin username and password on the LaCie to the same as that on another machine on your network - or join it to an AD domain and log on to any other machine as a domain admin user.

Method 1:
Use the AT command on your other machine to create a job on the LaCie that will run in a couple of minutes time:

AT \\LACIE /interactive CMD.EXE 08:50

Where "LACIE" is the name of the LaCie server and "08:50" is some time a couple of minutes ahead of now. A command window will pop up at the chosen time in the security context of LOCALSYSTEM.

Check your AT command with this command:

AT \\LACIE

If it shows as running tomorrow, pick a later time and do it again.

Method 2:
Remotely rename \\LACIE\C$\Windows\System32\logon.scr to logon.scr.old and copy cmd.exe to logon.scr.

Plug a keyboard, video and mouse into the LaCie, reboot it and wait for 15 minutes; a command window will pop up at the chosen time in the security context of LOCALSYSTEM.

Once you have the CLI, you can execute anything, including any .SCR, .MSC and .CPL you can find, so long as you specify the complete filename (such as COMPMGMT.MSC, or LOGON.SCR)

Either of these methods is equally suitable for gaining LOCALSYSTEM rights on any machine on your network and before RUNAS was available, it was the only realistic way of temporarily elevating your rights without logging off and back on with a privileged account.

Aug 16, 2007 (Only #Security)

I have long been an advocate of "Full Disclosure" of bugs and security issues in technology products. I believe that FD enforces an urgency on the part of the vendor to address the failures in their code and come clean about their shortcomings. Without FD we would not have had the Microsoft Trustworthy Computing Initiative and we would all be at greater risk than before from the silent hacker whose route in isn't publicised outside of the blackhat community.

Of course, FD increases the risk of the zero day attack (briefly discussed here), but that is a small price to pay for the vast number of patches that would not be available if the vendors were allowed to keep quiet.

I was looking through my archives the other day and came across this quote from Jason Coombes in 2003:
"All vulnerabilities deserve a public fear period prior to patches becoming available"

What Jason was saying was perhaps open to interpretation, but the fact remains; without FD we would be in a far worse state security-wise than we are now.

It used to be the case that Windows was considered insecure and *nix secure. The email flamewars raged and 'net forums ran red and blue with the proverbial blood and invective of the most vocal gladiators of each side.

The statement never really held up in the cold light of day, for the simple reason that any operating system can be made secure if deployed in a secure fashion. What we try and do is deploy securely, while maintaining the functionality and connectivity demanded by our users.

Back in 2002, Microsoft delayed (by several months) the release of Windows Server 2003 and the second Service Pack for Windows XP to begin the Trustworthy Computing Initiative (TwC). TwC was Microsoft's response to the nasty rash of buffer overflow and browser misdirection exploits that were causing public relations headaches in the industry and mainstream media. You know it's bad when yet another flaw is reported in the Financial Times (more than 200 articles to date). The CodeRed worm was even reported in my local village paper!

TwC (now in its fifth year) is an ongoing initiative and has improved matters considerably. In January 2006 Computer Weekly Magazine reported three times as many security flaws relating to *nix as Windows.

That doesn't mean we can rest on our laurels, secure in the knowledge that Microsoft is doing our job for us. A secure operating system is but one part of the infrastructure required to run a business, and all must be considered for their security risks.
