A blog on Computer Science, Security, Programming, and more...
23 Apr 2013

Security News - PostgreSQL CVE-2013-1899

Written by Matt

A little old by now, but I just remembered this and went to check that my PostgreSQL install is patched. There was a recent, fairly severe security issue in the PostgreSQL server (CVE-2013-1899): the database name a client sends in its connection request was handed to the backend process as a command-line argument, so a name starting with "-" was parsed as a switch rather than as a name. A remote client with no valid credentials could use this to corrupt or destroy files in the server's data directory (a denial of service), and a client that could also log in with sufficient privilege could escalate it to arbitrary code execution on the database host. The 9.0, 9.1 and 9.2 series were affected; the fixed releases are 9.0.13, 9.1.9 and 9.2.4.

There's a full report on the severity of the vulnerability here: http://blog.blackwinghq.com/2013/04/08/2/.

I'd say this shouldn't matter for most people: PostgreSQL is usually reached locally, over a UNIX socket or on 127.0.0.1, where it is not accessible from outside the machine. But many managed setups cluster their databases over the network, and many people neither firewall their VPSes properly nor restrict `listen_addresses`, instead binding to 0.0.0.0 (every interface), which makes the exploit reachable in a lot more cases. Reachability alone was enough for the file-corruption case, since no login was required. As the post linked above says, there are over 300,000 hosts on the Internet listening on port 5432 (the default PostgreSQL port).
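The check the two paragraphs above describe, as an added example that is not part of the original post: given the text of `SELECT version();` (or `pg_config --version`) and the `listen_addresses` value from postgresql.conf, decide whether the server is still on a release affected by CVE-2013-1899 and whether it is exposed beyond loopback. The fixed patch levels are the ones from the PostgreSQL advisory; the version strings fed to it at the bottom are constructed for illustration.

```python
import re

# CVE-2013-1899 affected the 9.0, 9.1 and 9.2 series only; these are the
# patch levels in which each branch was fixed (released 2013-04-04).
FIXED_PATCH_LEVEL = {(9, 0): 13, (9, 1): 9, (9, 2): 4}

# listen_addresses values that keep the server off the network.
LOOPBACK_ONLY = {"localhost", "127.0.0.1", "::1"}

VERSION_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Pull (major, minor, patch) out of the output of `SELECT version();`
    or `pg_config --version`, e.g. 'PostgreSQL 9.2.3 on x86_64-...'."""
    match = VERSION_RE.search(version_string)
    if match is None:
        raise ValueError("no PostgreSQL release number in: %r" % version_string)
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_string):
    """True if this release still treats a '-' database name as a switch."""
    major, minor, patch = parse_version(version_string)
    fixed_patch = FIXED_PATCH_LEVEL.get((major, minor))
    if fixed_patch is None:
        # 8.x never had the bug and 9.3+ shipped after the fix.
        return False
    return patch < fixed_patch


def listens_on_network(listen_addresses):
    """True if the postgresql.conf listen_addresses value binds a non-loopback
    interface. '*' and '0.0.0.0' mean every interface; an empty value means
    UNIX-domain sockets only."""
    addresses = [a.strip() for a in listen_addresses.split(",") if a.strip()]
    return any(a not in LOOPBACK_ONLY for a in addresses)


def assess(version_string, listen_addresses):
    """Combine both checks into the verdict an admin actually wants."""
    if not is_vulnerable(version_string):
        return "patched"
    if listens_on_network(listen_addresses):
        return "vulnerable and reachable over the network"
    return "vulnerable but local only"


if __name__ == "__main__":
    # Constructed inputs, not taken from a real server.
    print(assess("PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu, "
                 "compiled by gcc (GCC) 4.4.7, 64-bit", "*"))
    print(assess("PostgreSQL 9.1.9 on x86_64-unknown-linux-gnu", "localhost"))
```

Run it with the output of `psql -tAc "SELECT version();"` and the `listen_addresses` line from your postgresql.conf. The version check alone says whether the bug is present; the second check is what separates "someone with a shell on the box could hit this" from "anyone who can reach port 5432 could hit this".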

Fairly big oversight on the part of the PostgreSQL developers.

Topic: Security tags: postgresql, RCE, DoS, CVE
23 Apr 2013

Service Fingerprinting

Written by Matt

Why is it that most services and daemons feel the need to announce their exact version and signature on every response? It is handy for usage statistics, but it costs real security when anyone can learn everything about your setup from a single GET request.

Compare the response from my local Apache server that I use for development to the secure one I set up for this server.

Default (more or less) Apache:

HTTP/1.1 200 OK
Date: Tue, 23 Apr 2013 03:04:29 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8r DAV/2 PHP/5.3.6 SVN/1.6.16
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "2a5ec-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

Customized response (I had to edit nginx's source for this):

HTTP/1.1 200 OK
Server: Anonymous
Date: Tue, 23 Apr 2013 03:06:07 GMT
Content-Type: text/html
Connection: close
Set-Cookie: [...]
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

The former gives away the exact versions of six components (Apache, mod_ssl, OpenSSL, DAV, PHP and Subversion), any of which could have a known exploit. For bots that sweep the 'net and try canned exploits, reading the headers to see which versions are running makes them far more efficient: they only fire the exploits that match. This masking won't do much to stop a single, focused attacker (though it doesn't hurt), since the server's behaviour, error pages and default paths still identify it, but it does help a lot against passive exploitation scans. One caveat: nginx's `server_tokens off` only drops the version number and still sends "Server: nginx", and Apache's `ServerTokens Prod` still sends "Server: Apache"; hiding the product name entirely takes a source patch or a third-party module, and PHP's own `X-Powered-By` header needs `expose_php = Off` in php.ini.
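What such a scanner does with the headers, as an added example that is not code from the original post: parse the response head, pick the headers that carry product tokens, and pull every `product/version` pair out of them. The first two inputs are the two responses quoted above; the third is a constructed response (not from the page) showing a server that trimmed its `Server` header but left PHP's `X-Powered-By` in place.

```python
import re

# The two responses quoted in the post, used here as inline sample input.
DEFAULT_APACHE_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 23 Apr 2013 03:04:29 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8r DAV/2 PHP/5.3.6 SVN/1.6.16
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "2a5ec-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
"""

MASKED_NGINX_RESPONSE = """HTTP/1.1 200 OK
Server: Anonymous
Date: Tue, 23 Apr 2013 03:06:07 GMT
Content-Type: text/html
Connection: close
Set-Cookie: [...]
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
"""

# Constructed example (not from the post): Server header trimmed, but PHP
# still announces itself through X-Powered-By.
HALF_MASKED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.3.6
Content-Type: text/html
"""

# Headers that routinely carry product/version tokens.
FINGERPRINT_HEADERS = ("server", "x-powered-by")

# A product token followed by a version, as in "OpenSSL/0.9.8r" or "PHP/5.3.6".
PRODUCT_VERSION_RE = re.compile(r"([A-Za-z][\w.+-]*)/([\w.+-]+)")


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_line, {name: value}).
    Header names are lower-cased because they are case-insensitive."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def fingerprint(raw):
    """Return {product: version} for every versioned token the response leaks."""
    _, headers = parse_response_head(raw)
    leaked = {}
    for name in FINGERPRINT_HEADERS:
        value = headers.get(name)
        if value:
            for product, version in PRODUCT_VERSION_RE.findall(value):
                leaked[product] = version
    return leaked


def is_masked(raw):
    """True when no product version can be read off the response headers."""
    return not fingerprint(raw)


if __name__ == "__main__":
    for label, raw in (("default apache", DEFAULT_APACHE_RESPONSE),
                       ("masked nginx", MASKED_NGINX_RESPONSE),
                       ("half masked", HALF_MASKED_RESPONSE)):
        print(label, "->", fingerprint(raw) or "nothing leaked")
```

Point it at the head of any response you capture (for example with `curl -sI`) and it tells you what a version-matching bot would see. The third sample is the case to watch for: trimming one header while a second one still names the PHP version gives the scanner exactly what it was after.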

Topic: Security tags: php, nginx, apache, http, bots