Episode62

From Paul's Security Weekly

Episode Media

mp3

Tech thingy segment

Gentoo Portage

Gentoo Portage is the default package manager for the Gentoo Linux distribution. Portage is modelled on the BSD ports system, with a number of improvements and management features added so that the user has complete visibility into, and control over, the packages installed on a Gentoo system.

It is written entirely in Python and Bash. Since Gentoo is a source-based distribution, all that is required to process a package is simple scripting.

Portage is made up of ebuilds. An ebuild contains the instructions Portage follows to download the source code of a package, uncompress it, patch it, build it and install the resulting compiled binaries; an ebuild is simply a bash script that performs all of those steps. Before unpacking, Portage checks the downloaded source archive against the digests recorded in the package's Manifest, so a corrupted or tampered tarball is rejected rather than built.

Because you are compiling from source you have complete control over how each package is built: which compiler is used, and which options are compiled into a package (for example Qt or GTK support, or neither).

You update the database of ebuilds by running emerge --sync. This rsyncs your local Portage tree against a Portage mirror and downloads, replaces or deletes ebuilds accordingly.

Portage makes maintaining your system extremely easy. To install a package, simply run 'emerge package'. For example, if I wanted to install a PDF reader, I could first look at all the PDF-related packages by searching the Portage database.

I would run emerge --search pdf.

In the results I notice the xpdf package.

  • app-text/xpdf
     Latest version available: 3.01-r8
     Latest version installed: [ Not Installed ]
     Size of files: 2,625 kB
     Homepage:      http://www.foolabs.com/xpdf/
     Description:   An X Viewer for PDF Files
     License:       GPL-2


To install this package, you can run 'emerge xpdf'. This will download, unpack, patch, compile the source, then install the resulting binaries.

One of the major advantages of the Portage system, mentioned earlier, is that you can tell Portage which features of a program you want built in: printing support, for instance, can be compiled in or left out. This is accomplished with USE flags. USE flags are set in /etc/make.conf, and any package you build through Portage honours the flags defined there. I can also define USE flags globally or on a per-package basis.

So if I want Qt support on my system but not in one particular package, I can specify that once on the command line at build time, or permanently in /etc/portage/package.use.

I can look at the USE flags available to the xpdf package by running 'emerge xpdf --ask --verbose'.

--ask pauses emerge on the console and asks whether to continue. --verbose shows the details of the ebuild, including its USE flags and whether each one is currently enabled.

The xpdf package has a USE flag called "nodrm", meaning I can choose whether to compile in the DRM restrictions on protected PDFs or leave them out.

The alsa-tools package has a USE flag for GTK; in my case I do not want GTK support in this package, so I can disable that flag for it alone.

Portage will also download, patch, compile and install all dependencies of a package. It manages all of this with just the emerge command.

Dependency hell is largely a non-issue in Gentoo, since Portage resolves the dependency tree for you. It is also very easy to upgrade packages.

To upgrade your whole system, first update your Portage tree with emerge --sync, then run

'emerge --update --deep world'

This scans every package you have installed, checks which ones need upgrading, and downloads and compiles the source of each such package and its dependencies. Once the new version is merged it also automatically removes the files left behind by the package's outdated install.
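The following is an added example, not code from the original show notes or from Portage itself. It models the USE flag resolution described above: the global USE setting from make.conf is applied first, then the package's own entries from /etc/portage/package.use, where a bare flag enables and a "-flag" disables. The file contents are constructed sample values, and the parser matches package atoms literally (versioned atoms such as ">=cat/pkg-1.2", profile defaults and the other inputs real Portage consults are deliberately left out). The emerge commands from the install and upgrade steps are listed as comments for reference.

```shell
#!/bin/sh
# Added example (not from the original page or from Portage): resolve the
# effective USE flags for a package from a global USE setting (make.conf)
# and per-package overrides (/etc/portage/package.use).
#
# The real emerge workflow the text describes, for reference:
#   emerge --sync                          # refresh the ebuild tree
#   emerge --search pdf                    # find candidate packages
#   emerge --ask --verbose app-text/xpdf   # show USE flags, then install
#   emerge --update --deep world           # upgrade everything installed
#
# Constructed sample inputs; a real tool would read these from disk.
GLOBAL_USE="X qt gtk -doc"                    # USE="..." in /etc/make.conf
PACKAGE_USE='app-text/xpdf nodrm -qt
media-sound/alsa-tools -gtk'                  # /etc/portage/package.use

# remove_flag <set> <name>: print <set> with every occurrence of <name> dropped
remove_flag() {
    out=""
    for x in $1; do
        [ "$x" = "$2" ] || out="$out $x"
    done
    printf '%s' "$out"
}

# effective_use <category/package>: print the resolved flag set.
# Global flags are applied first, then the package's own entries in
# order; "flag" enables, "-flag" disables.  Simplification (assumption):
# atoms are matched literally, so versioned atoms like ">=cat/pkg-1.2"
# are not handled.
effective_use() {
    pkg_flags=$(printf '%s\n' "$PACKAGE_USE" |
        awk -v p="$1" '$1 == p { for (i = 2; i <= NF; i++) printf "%s ", $i }')
    result=""
    for f in $GLOBAL_USE $pkg_flags; do
        case $f in
            -*) result=$(remove_flag "$result" "${f#-}") ;;
            *)  case " $result " in
                    *" $f "*) ;;                 # already enabled
                    *) result="$result $f" ;;
                esac ;;
        esac
    done
    printf '%s\n' "${result# }"
}

# Demonstration: xpdf gains nodrm and loses qt; alsa-tools loses gtk.
effective_use app-text/xpdf          # X gtk nodrm
effective_use media-sound/alsa-tools # X qt
```

A package with no entry in package.use (say dev-lang/lua) simply inherits the global set. The order matters: a later "-qt" undoes an earlier "qt", which is exactly how a per-package line overrides make.conf.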

Gentoo is also capable of slotted installs. For instance, I run the Ion window manager, which requires Lua 5.1 as a dependency. Lua 5.1 is not backwards compatible with Lua 5.0, however, so if I also had a program that required Lua 5.0 and would not work with Lua 5.1, I could have both Lua 5.0 and Lua 5.1 installed at the same time. That is something you can't do with most other distributions.

Gentoo is a meta-distribution: it updates itself between releases. Hypothetical example: if I am running Gentoo 1.0 and Gentoo 2.0 is due out in six months, then every time I update my Portage tree with emerge --sync and update my system, I move incrementally towards the 2.0 release as packages are updated. You just keep upgrading, day by day or week by week, towards the next release.

Gentoo releases a version 2.0 CD for new users, but your system is already at version 2.0.

You could literally install Gentoo 1.0, never update it until Gentoo 2.0 is released, then run emerge --sync and emerge --update --deep world, and it would update all your packages (kernel sources included, though the kernel itself still has to be built and installed from those sources) to whatever versions shipped in Gentoo 2.0.

This means you never have to download an update CD or reinstall when major changes are made.

This is only a brief overview of what Portage brings to Gentoo and definitely not a guide to using Portage.

I suggest reading the Gentoo installation handbook, Appendix B, Chapter 1, "A Portage Introduction". It covers Portage in detail: how it works and the commands it offers for proper use.

Investigating someone's Information disclosure? How about your information?

Hooray Captain Unknown Citizen!

Stories for Discussion

NOTE: Congrats to Randal Schwartz, for "nothing at all". Just who is Randal Schwartz and why are we congratulating him for nothing?

Stack Overflow Exploitation Explained - [PaulDotCom] - Very cool article on stack overflows. They also use a fuzzing tool called bed. The article also has some coverage of OllyDbg. Cool stuff. BTW, all of these tools are on the BackTrack CD.

BackTrack 2.0 released - [Larry] - A must for your toolkit. Better ALFA USB wireless support; now works with Intel Macs and VMware!

fishy FiSH - [PaulDotCom] - FiSH, an IRC encryption plugin, contains some vulnerabilities, described as "stacksmashes everywhere". Reportedly these have existed for quite some time, like years. Quote: "The 90's called, they want their bugs back :-p". It can be summed up with one line of C: "strcpy(contactName, word[4]);". Doh!

GPS Sniper rifle - [Larry] - Filed under who's Watching the Watchers. Not a sniper rifle for better GPS coordinates, but for injecting a GPS tracking device in life forms, without detection. Hurts less than a mosquito bite.

MOPB - Local Code Execution Exploit - [PaulDotCom] - A few interesting things here, first the exploit exists in PHP 5.2.1, the latest version. However, the included shellcode is for PHP 5.2.0 only. Finally, to prevent a remote file include, they included this line "die("REMOVE THIS LINE");". Nice, if you are a script kiddie, you may want to test your code before you execute it, but, you are a script kiddie and will probably be stopped by this.

Dancho's lowdown on botnet communication - [Larry] - A short intro to what I suspect is a longer, more in depth conversation. Keep an eye on this for more.

Manipulating FTP Clients Using The PASV Command - [PaulDotCom] - Cool paper which is able to do portscanning and banner grabbing using the FTP PASV command. Includes PoC.

Pwned by Wal-Mart? - [Larry] - Wal-Mart employee fired for "pretexting". Lots of FUD on this one. Discuss the methods potentially used, and how to protect against them - WiFi, SMS, GPRS, FLEX, POCSAG, VoIP, etc.

Wal-Mart Employee fired for monitoring text messages (SMS) - [PaulDotCom] - Yikes! I think getting fired is the least of this person's worries. As sniffing GSM is illegal (thanks Bill Clinton, a la DMCA) we can't even try to develop technology to sniff it. However, the GNU Radio project and USRP are interesting projects. Makes me paranoid though: anyone with some EE experience and RF knowledge could use open-source tools to sniff really any wireless technology, barring encryption. Suddenly, I don't feel so safe using EVDO anymore.

RFID Passport Cracking - [Larry] - ...Adam Laurie at it again. This time the passport was never removed from the mailing envelope.

Pornographic SPAM hits all-time Low - [PaulDotCom] - What ever happened to "Sex sells"?

Citrix Client Arbitrary code execution - [Larry] - With the Citrix client installed, a malicious web page can get the Citrix client to execute code as the logged-in user.

SSID Cloaking Reduces Security - [PaulDotCom] - Says wireless security expert and good friend Josh Wright. Here's the deal, KB917021 gives users a new checkbox which says "Connect even if this network is not broadcasting". This means that clients will probe for non-broadcasting networks and fall victim to KARMA and furthermore disclosing the name of the SSID that was "hidden". This sparked some debate on the wifisec mailing list about whether or not SSID broadcasting, WEP, MAC address filtering are good security measures.

Your Wireless is showing - [Larry] - ...me about your secrets. Couple this with the cloak or not to cloak article, and MS patches for wireless.

Nothing to See here - [PaulDotCom] - Great analysis from Richard Bejtlich on how security analysts are always looking for the "conspiracy", when it could very well just be backscatter from a DoS. Sometimes we need to be reminded of this :)

Month of PHP Bugs - [Larry] - Psssst! PHP is insecure...so much so there are more bonus bugs than real bugs!

mod_security bypass - [PaulDotCom] - Like this one: a specially crafted POST request will go unchecked (or at least every byte after the ASCIIZ byte). Make certain you are running version 2.1.0+. NOTE to FreeBSD port developers: upgrade ports!

Vladuz <3's eBay - [Joe] - "Vladuz's break-ins may be limited, but his work has been accompanied by what critics say is a sudden spike in the number of fraudulent auctions on the site. As evidence, they point to the sharply increased volatility in the number of auctions being offered, and then removed, from hour to hour since the end of January."

CA Virus Downgrade Vulnerability - [PaulDotCom] - Malware will typically try to kill anti-virus programs running on the infected system as its first step. This may not always go unnoticed. However, if you are able to downgrade the virus defs to install some more juicy malware, that may very well go unnoticed.

Security Flaws in Google Desktop and Google's Response - [Joe] - (Douglas Merrill is the CIO of Google):"Regarding security-flaw disclosure, Mr. Merrill says Google hasn’t provided much because consumers, its primary users to date, often aren’t tech-savvy enough to understand security bulletins and find them “distracting and confusing.” Also, because fixes Google makes on its servers are invisible to the user, notification hasn’t seemed necessary, he says."

Rsnake's XSS CheatSheet - [Joe] - This page is an awesome XSS vulnerability testing repository.

Other Stories of Interest