Archive for June, 2008


Restore Panel Bar(Top) in Ubuntu (GNOME)

The panel bar is extremely easy to be removed while user sometimes think that the right-click option “Delete This Panel” as the funtion to remove certain icon on the panel.

It is disastrous by removing this bar, especially for linux beginner users like me, as it is gonna be hard to access the applications.

It is easy to restore the panel:

1. press ALT+F2 and in the run dialog box, type gnome-terminal


In the terminal

2. gconftool-2 — — shutdown (no space between the dashes and no space between the dash and the word ‘shutdown’)

3. rm -rf ~/.gconf/apps/panel

4. pkill gnome-panel – That’s it!

Reference: Restore Panels In Ubuntu Back To Their Default Settings


Remote Access: (3) PPTP

PPTP (Point-to-Point Tunneling Protocol)

During old time when users connect to RAS (Remote Access Server), it is quite costly for phone bill, especially for geographically far location and huge amount of users dial in. To save cost, dial in via Internet is chosen, where PPTP, designed by Microsoft and 3Com is hence in place. On Microsoft PPTP connection, the operation is running on TCP port 1723. Further information plese refer to Microsoft: Understanding PPTP (Windows NT4.0) .

Note: Not initially support by Windows9.x/ME or NT4.0 but these OS (except Win95) can create L2TP connections using Microsoft L2TP/IPSec Vpn client add-on.

PPTP vulnerability

Negotiation data is not encrypted. Microsoft PPTP use a separate, unencrypted channel to for channel command, which used for open, close and maintain connection.

Only work over IP networks. It is gonna work in other network like AppleTalk (although everyone use TCP/IP today).

Buffer overflow: Microsoft PPTP Implementation Buffer Overflow Vulnerability.

The cryptography guru Bruce Schenier has a very interesting description about PPTP which can be read here.

Incompatibility with IPSec. IPSec as a loose definition of standards containing various protocol for secure VPN, has the advantage of flexible and security. Unfortunately PPTP is not compatible to it at all.


Remote Access: (2) TACACS, XTACACS & TACACS+

TACACS (Terminal Access Controller Access Control System)

Cisco’s old proprietary protocol for remote access which fit AAA model, it is hardly to see anyone using it now.

User connect to RAS server. RAS contact TACACS.

TACACS use UDP, not stable, thus TACACS+ was further designed as the replacement which use TCP.

TACACS+ (Terminal Access Controller Access Control System+)

Bear in mind that TACACS+ packet is not compatible with TACACS and XTACACS. Previous TACACS/X use one database for all AAA, TACACS+ use one for each. TACACS is the first version to offer secure communication between the TACACS+ client and server.

TACACS+ advantages:

Transport – TCP (more reliable connection)
Encryption – Both password and username is encrypted (RADIUS only encrypt password)
Protocols – Support AppleTalk and NetBios also
AAA – Can use different protocol for Access and Accounting (save bandwidth)
Compatibility – Better compatibility for multiple vendor than RADIUS

Vulnerabilities of TACACS+

  • Besides, TACACS + is designed with several cryptography weakness. Thus it is very vulnerable under sniffing activity.
  • Shared secret used between client and servers rarely change.
  • Lacking of integrity checking. There is no way to determined if the data is tempered.
  • Vulnerable to replay attack. TACACS+ sessions always start with sequence number of 1.
  • Session ID collision. TACACS+ is heavily depend on session_id. If multiple sessions get same session_id, it is vulnerable to frequency analysis attack. Consequently, it is possible to get TACACS+ server encrypt a replay packet using chosen session_id, which lead to further compromise of the tunnel encryption.
  • Session ID randomness with birthday attack. As the range of TACAS+ session ID isn’t very large. For an ISP handling 20,000 dialup sessions a day, there could be 100,000 session_id collisions in a year.
  • Lack of padding. As there is no fixed length for encryption. It is possible to revealing the length of the data (user password).
  • MD5 context leak. Due to theoretical vulnerability of MD5 hash, part of packet could be decrypted.

Detailed information could be found on An analysis of the TACACS+ Protocol and Its Implementation.


Remote Access: (1) RADIUS

RADIUS (Remote Authentication Dial In User Service) used to authenticate usernames and passwords. A RADIUS work alone or in distributed mode (hiearachy). In distributed RADIUS, RADIUS server forward the authentication request to an enterprise RADIUS server using protocol called proxy RADIUS.

Why RADIUS is popular? Because it support

  • Point-to-Point Protocol (PPP)
  • Password Authentication Protocol (PAP)
  • Challenge Handshake Authentication Protocol (CHAP)

RADIUS authentication consists of six steps:

Client/Server model using AAA (Authentication, Authorization, Accounting)

1. Users initiate a connection with an ISP RAS or corporate RAS. Once a connection is established, users are prompted for a username and password.

2. The RAS encrypts the credential using a shared secret, and passes the encrypted packet to the RADIUS server. The transaction is done via UDP. Only password is encrypted.

3. The RADIUS server attempts to verify the user’s credentials against a centralized database.

4. If the credentials match those found in the database, the server responds with an access-accept message. If the username does not exist or the password is incorrect, the server responds with an access-reject message. It would also response with access-challenge message if the information is insufficient for authentication.

5. The RAS then accepts or rejects the message and grants the appropriate rights.

6. RAS will then send RADIUS server Accounting request message like account type, priviledge etc. Accounting Response is replied by RADIUS.

RADIUS vulnerability

Buffer-overflow –Multiple Vendor RADIUS Digest Calculation Buffer Overflow Vulnerability

UDP – Since UDP is a connectionless protocol, thus the connectivity is not guaranteed (the connection could be dropped anytime without notice) and replay attack is applicable.