Everything, Everything - May 2017

2018: J F M A M J J A S O N D
2017: J F M A M J J A S O N D
2016: J F M A M J J A S O N D
2015: J F M A M J J A S O N D
2014: J F M A M J J A S O N D
2013: J F M A M J J A S O N D
2012: J F M A M J J A S O N D
2011: J F M A M J J A S O N D
2010: J F M A M J J A S O N D
2009: J F M A M J J A S O N D
2008: J F M A M J J A S O N D
2007: J F M A M J J A S O N D
2006: J F M A M J J A S O N D
2005: J F M A M J J A S O N D
2004: J F M A M J J A S O N D
Running Solaris 10 x86
Saturday 27th May, 2017 08:27
Solaris 10 x86 isn't the easiest of operating systems to install, particularly the first few versions. The original GA release doesn't use grub, which seems to cause some issues running it under Hyper-V and possibly some other virtualisation (and real?) software. The original GA release also fails to install nicely under VirtualBox using graphical or text based installation; the workaround is to use the console and pipe the output to a pipe so you can install it that way. Thankfully the U1 release fixed the kdmconfig bug and moved to grub.

Great, so now U1 is installed, and it's time to reboot. Up comes Solaris's grub, then comes a reboot (or an error). This happens under Hyper-V and VMWare Workstation (I've not tried VirtualBox). Why's this happening? It appears that the "failsafe" option works fine as it's using the x86 kernel, but the main version that grub's trying to run is the x64 version. Probably because your CPU is x64. In theory that should be fine, but this is an old version of Solaris we're talking about. But as you're using grub, it's trivial to edit the grub menu at boot to force it to temporarily load the 32-bit x86 kernel by adding the string "kernel/unix" at the end. Once you're into your CDE desktop as root, you can manually edit menu.lst to make it a more permanent fix (as it may get wiped during an upgrade).

With your vulnerable version of Solaris up and running, you can now "telnet -l -fbin" into your host and copy across some of raptor's exploits to gain root. Tip: The raptor scripts expect gcc to be in your path, and will fail if this isn't the case. You can either edit your PATH or you can edit the scripts to point them directly at gcc on your system (which should be at /usr/sfw/bin).
Monday 22nd May, 2017 23:42
Tried out the MS17-010 exploit in MSF against Windows 7 RTM earlier today. Much DoS. No WIN. Definitely not hugely reliable.
Patching Legacy Operating Systems
Sunday 14th May, 2017 12:29
With the WannaCry ransomware spreading across organisations, I have sympathy for those that are unable to install patches or upgrade operating systems when it results in an unreasonable expense and disruption to people. But this should be a handful of situations such as vendor hardware tied into poor support contracts (e.g. MRI machines). However, such hosts should be mitigated through the use of network segregation and potentially relay hosts that prevent sensitive network protocols (e.g. SMB) from being directly exposed. You could even stick IPS devices in place. All of that adds protection without having to buy tens of millions of pounds of new hardware.

I have much less sympathy for those running unsupported operating systems through choice, or those running legacy OS under valid support contracts (e.g. paying MS for XP support, or running POSReady 2009) that simply haven't patched their systems in a timely manner. Patches have been out for two months. You should have patched immediately. Thirty days is perhaps more reasonable. But two months after a well publicised vulnerability and your hosts are still vulnerable?

And that's ignoring the fact these systems have SMB ports exposed. Sure, over a management network that may be possible, but it sounds like many hosts may not even have the firewall enabled.

I've seen some criticism of Microsoft for only releasing the patch publicly after the worm has caused massive disruption. Part of me wishes they hadn't undermined their own support contracts with paying clients, but I'm mostly glad they understand the greater good for the Internet (and maybe their reputation with the general public) if they can prevent future comprises (even if people choose to use unsupported OS for even longer). Should they have released it sooner? Maybe, but hindsight is a wonderful thing.

Just like the person behind MalwareTech, who accidentally stopped the worm by registering a domain, people don't always know the consequences of their actions. It's a relief to me that the person registering the domain didn't cause the malware to delete files and trash Windows instead of encrypting files.
Saturday 13th May, 2017 21:55
Did Belgium mention danger zone? I thought that was meant to be a good song? Wasn't too impressed. https://t.co/d678shSAaJ
Saturday 13th May, 2017 21:43
Sorry Romania, the only good song containing yodelling is Wind It Up by Gwen Stefani. Can't believe that was over a decade ago!
Saturday 13th May, 2017 21:16
Over halfway through Eurovision and I've yet to hear a good song.
Saturday 13th May, 2017 20:53
Are there any legal consequences if you register a domain used by malware and the killswitch destroys data instead of not encrypting it?
Tuesday 2nd May, 2017 07:42
But you may not get a patch for your out of warranty system. Possibly time to upgrade your Intel computer? https://t.co/1K1Y5CVLAD
© Robert Nicholls 2002-2018
The views and opinions expressed on this site do not represent the views of my employer.