Re: Debian Investigation Report after Server Compromises
On Monday 08 December 2003 18:20, Colin Watson wrote:
> You can go further by requiring physical presentation of smartcards or similar in order to use the key, which is less convenient but makes a passphrase more or less useless on its own.

Aren't smartcards similar to dongles in some respects? They both have a guard point in the software that identifies good guys and bad guys. If so, then given that dongles are reverser bait, won't smartcards meet the same fate as dongles? They'll become a wall trophy over the mantle of a reverser. It seems that anyone capable of a stack overflow exploit is also capable of reversing out a smartcard checkpoint. Please tell me I'm being too negative.

-- 
Mike Mueller
324881 (08/20/2003)
Make clockwise circles with your right foot. Now use your right hand to draw the number 6 in the air.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Debian Investigation Report after Server Compromises
On Wed, Dec 10, 2003 at 11:35:12AM -0500, Mike Mueller wrote:
> On Monday 08 December 2003 18:20, Colin Watson wrote:
> > You can go further by requiring physical presentation of smartcards or similar in order to use the key, which is less convenient but makes a passphrase more or less useless on its own.
>
> Aren't smartcards similar to dongles in some respects? They both have a guard point in the software that identifies good guys and bad guys. If so, then given that dongles are reverser bait, won't smartcards meet the same fate as dongles? They'll become a wall trophy over the mantle of a reverser. It seems that anyone capable of a stack overflow exploit is also capable of reversing out a smartcard checkpoint. Please tell me I'm being too negative.

If you're doing this halfway properly, you don't do the communication with the smartcard in host-side software; you do it in firmware running on separate and physically protected hardware. Since that hardware is the same hardware that stores the key and allows/denies access to it, altering things on the host isn't going to help you get at the key.

Cheers,

-- 
Colin Watson [EMAIL PROTECTED]
Re: Debian Investigation Report after Server Compromises
On Mon, Dec 08, 2003 at 05:25:38PM -0800, Karsten M. Self wrote:
> on Mon, Dec 08, 2003 at 11:13:07PM +0000, Colin Watson ([EMAIL PROTECTED]) wrote:
> > My understanding is that the developer's account on the machine in question had been disused for some time, and that the machine wasn't very well-maintained. It could have been any one of a dozen local root exploits that have been known for some time. I think they investigated, but the results weren't particularly earth-shaking.
>
> Any indication of whether or not this was a local system or a remote system?

I don't quite understand the question, sorry. If you mean local/remote with respect to the developer, I believe it was remote.

-- 
Colin Watson [EMAIL PROTECTED]
Re: Debian Investigation Report after Server Compromises
on Tue, Dec 09, 2003 at 02:03:43PM +0000, Colin Watson ([EMAIL PROTECTED]) wrote:
> On Mon, Dec 08, 2003 at 05:25:38PM -0800, Karsten M. Self wrote:
> > on Mon, Dec 08, 2003 at 11:13:07PM +0000, Colin Watson ([EMAIL PROTECTED]) wrote:
> > > My understanding is that the developer's account on the machine in question had been disused for some time, and that the machine wasn't very well-maintained. It could have been any one of a dozen local root exploits that have been known for some time. I think they investigated, but the results weren't particularly earth-shaking.
> >
> > Any indication of whether or not this was a local system or a remote system?
>
> I don't quite understand the question, sorry. If you mean local/remote with respect to the developer, I believe it was remote.

That's what I was asking, yes. Thanks.

Peace.

-- 
Karsten M. Self [EMAIL PROTECTED] http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
Bye bye boys! Have fun storming the castle! - Princess Bride
Re: Debian Investigation Report after Server Compromises
On Wed, Dec 03, 2003 at 06:08:54PM -0700, Monique Y. Herman wrote:
> After reading a few more responses, I realize that of course a debian developer's machine could get compromised. I guess I just thought they were infallible *grin* Now, the real question is, what exploit was used to get onto that dev's machine in the first place?

My understanding is that the developer's account on the machine in question had been disused for some time, and that the machine wasn't very well-maintained. It could have been any one of a dozen local root exploits that have been known for some time. I think they investigated, but the results weren't particularly earth-shaking.

-- 
Colin Watson [EMAIL PROTECTED]
Re: Debian Investigation Report after Server Compromises
On Wed, Dec 03, 2003 at 09:46:21PM -0500, Carl Fink wrote:
> On Wed, Dec 03, 2003 at 05:52:30PM -0800, Vineet Kumar wrote:
> > I'm considering keeping my private keys (ssh, gpg, etc) on removable storage, maybe one of those USB keys (then my keys could actually go on my keyring...). It's certainly not foolproof, but at least a sniffed passphrase could only be used against me when the key is inserted, which at least slightly reduces the possibility of a private key being compromised.
>
> If the system is rooted, it would be trivial to write a replacement for ssh (GPG, etc.) that copies your private keys onto the hard drive for later retrieval. Definition of trivial is: I, a bad programmer, could do it.

What you'd actually want is hardware that stores the keys and does the signing and decryption for you, but refuses to expose the private key material itself to the host. Then, while a cracker could sniff your passphrase, the key itself would still be safe after the machine had been re-secured. You can go further by requiring physical presentation of smartcards or similar in order to use the key, which is less convenient but makes a passphrase more or less useless on its own.

(Disclaimer: I work for such a company, although you'd probably have to do a bit of work at the moment to integrate our hardware smoothly with gpg and ssh.)

-- 
Colin Watson [EMAIL PROTECTED]
Re: Debian Investigation Report after Server Compromises
on Mon, Dec 08, 2003 at 11:13:07PM +0000, Colin Watson ([EMAIL PROTECTED]) wrote:
> On Wed, Dec 03, 2003 at 06:08:54PM -0700, Monique Y. Herman wrote:
> > After reading a few more responses, I realize that of course a debian developer's machine could get compromised. I guess I just thought they were infallible *grin* Now, the real question is, what exploit was used to get onto that dev's machine in the first place?
>
> My understanding is that the developer's account on the machine in question had been disused for some time, and that the machine wasn't very well-maintained. It could have been any one of a dozen local root exploits that have been known for some time. I think they investigated, but the results weren't particularly earth-shaking.

Any indication of whether or not this was a local system or a remote system?

I understand that password reuse was part of the problem -- the developer's password(s) on the initially compromised box matched password(s) used on other systems.

I strongly recommend the use of password generation tools such as pwgen, gpw, or the PalmOS Cryptinfo program, and use of an encrypted archive for password storage -- again, Cryptinfo, which can be used both on handheld or via JPilot -- or an encrypted textfile for which Joey Hess posted a cool vim hack some time back.

I've tested output of pwgen for uniqueness (a measure of strength of the passwords generated). One such test:

    pwgen 8 10 | sort | uniq -c | wc -l

...which generates 1 million passwords, and checks to see how many are unique. I typically see 98.7% using pronounceable passwords, far better when using fully random ones or longer keys. The pronounceable passwords are relatively memorable.

Peace.

-- 
Karsten M. Self [EMAIL PROTECTED] http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
What's so unpleasant about being drunk? You ask a glass of water. -- HHGTG
fingerprints Re: Debian Investigation Report after Server Compromises
On Mon, 8 Dec 2003, Colin Watson wrote:
> What you'd actually want is hardware that stores the keys and does the signing and decryption for you, but refuses to expose the private key material itself to the host. Then, while a cracker could sniff your passphrase, the key itself would still be safe after the machine had been re-secured. You can go further by requiring physical presentation of smartcards or similar in order to use the key, which is less convenient but makes a passphrase more or less useless on its own.

you can also use a [warm blooded] fingerprint scanner ... since smartcards can be lost ..
- but if you lose your finger or you lose your fingerprint on a glass with fingerprint stealing glue, you're in deep kaka anyway
- the scanners is about $200 or so ( sony/nec has um ) and somebody has the fingerprint scanner built into the keyboard
- we did it also with twain 8.5x11 scanners a few years back ...

have fun
alvin

> (Disclaimer: I work for such a company, although you'd probably have to do a bit of work at the moment to integrate our hardware smoothly with gpg and ssh.)
>
> -- 
> Colin Watson [EMAIL PROTECTED]
Re: fingerprints Re: Debian Investigation Report after Server Compromises
Alvin Oga wrote:
[SNIP]
> you can also use a [warm blooded] fingerprint scanner ... since smartcards can be lost ..
> - but if you lose your finger or you lose your fingerprint on a glass with
> fingerprint stealing glue, you're in deep kaka
                                            ^^
> anyway
[SNIP]

I believe it is spelled caca.

-Roberto
Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)
Hello Benedict!

On Sun, Dec 07, 2003 at 03:15:22AM +0100, Benedict Verheyen wrote:
> I found a mail on the developers mailing list that shows how to make an initrd without the cramfs patch. One can use the following in the mkinitrd.conf file:
>
>     MKIMAGE=genromfs -d %s -f %s
>
> This would mean that the lost cramfs patch can remain lost since one doesn't really need it :)

Right :)

BTW, I just read on current debian-devel about this:

|MKIMAGE='genromfs -f /dev/fd/1 -d %s | gzip -9 %s'
|The above is a better option.

I guess you meant the "Initrd rocks!" subthread...

Cheers,
Flo
Re: Debian Investigation Report after Server Compromises
----- Original Message -----
From: csj [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 07:56
Subject: Re: Debian Investigation Report after Server Compromises

> On 4. December 2003 at 3:22PM -0600, Hoyt Bailey [EMAIL PROTECTED] wrote:
> > From: csj [EMAIL PROTECTED]
> > [...]
> > > Now I'm curious: is it possible to get rooted while on dialup? I'm thinking of a user with access to a slow but dirt cheap dialup connection and so is online for significant stretches, say, eight hours. This also assumes that no trojans or similar have been installed on the user's system.
> >
> > FYI. As one who has caught several viruses: it can happen on dialup and it has always happened to me while downloading virus definitions from Norton.com. I don't believe that Norton was infected. Therefore it came from somewhere else.
> > Hoyt
>
> Getting rooted, a targeted attack, is different from getting infected by a virus. The only *n*x viruses I've read about tend to be proof of concept. Of course they could be made part of an attack...

Agreed, but if the virus is directed by an intelligence instead of being a random thing, then it becomes a targeted attack. The question was: is it possible to infect a dialup system? Answer: Yes.
Hoyt
Re: Debian Investigation Report after Server Compromises
----- Original Message -----
From: Hugo Vanwoerkom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 12:47
Subject: Re: Debian Investigation Report after Server Compromises

> Hoyt Bailey wrote:
> > ----- Original Message -----
> > From: csj [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Wednesday, December 03, 2003 22:40
> > Subject: Re: Debian Investigation Report after Server Compromises
> >
> > > On 3. December 2003 at 5:52PM -0800, Vineet Kumar [EMAIL PROTECTED] wrote:
> > > > * Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]:
> > > > > I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um ...
> > > >
> > > > Almost there -- minus the assumption that one needs physical access to a machine to install a keystroke logger. At the risk of perpetuating the telephone game, I recall reading that the developer's machine had been rooted. I didn't hear how, but I don't really see how it matters. I picture an always-on machine in someone's home on a DSL or cable line.
> > >
> > > Now I'm curious: is it possible to get rooted while on dialup? I'm thinking of a user with access to a slow but dirt cheap dialup connection and so is online for significant stretches, say, eight hours. This also assumes that no trojans or similar have been installed on the user's system.
> >
> > FYI. As one who has caught several viruses: it can happen on dialup and it has always happened to me while downloading virus definitions from Norton.com.
>
> Virus definitions for Linux from norton.com?
>
> Hugo.

Of course not; however, I believe a virus is a virus, which needs to be modified to infect any OS. The question was about dialup; I think it applies.
Hoyt
Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)
----- Original Message -----
From: Florian Ernst [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 11:37 AM
Subject: Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)

> Hello Benedict!
>
> On Thu, Dec 04, 2003 at 12:06:35AM +0100, Benedict Verheyen wrote:
> > Heh. Then it's kind of logical that i don't find any package ;)
>
> Well, it's simply that I don't know about a place for downloading it, but this doesn't necessarily mean there isn't any... ;)
>
> > It's indeed mentioned that you don't need one for a single machine. Anyway, even if you do use an initrd, you can do it without cramfs apparently by changing the mkinitrd.conf file. There you have to change the MKINITRD but i'm not sure what you can put in place of the mkcramfs there.
>
> I just read you could use romfs instead of cramfs by using genromfs, but as I actually have never had the need to use initrd at all I simply cannot be sure.
>
> Cheers,
> Flo

I found a mail on the developers mailing list that shows how to make an initrd without the cramfs patch. One can use the following in the mkinitrd.conf file:

    MKIMAGE=genromfs -d %s -f %s

This would mean that the lost cramfs patch can remain lost since one doesn't really need it :)

Benedict
fast - Re: Debian Investigation Report after Server Compromises
On Thu, 4 Dec 2003, csj wrote:
> Now I'm curious: is it possible to get rooted while on dialup?

fastest breakin i know about took about 15 seconds for them (the crackers) to get in and play with that new box ... once that machine went online ... they were already cracked and had to reinstall and harden before going online

when you go live... you're always looking for stuff .. why things are not working properly...

c ya
alvin

- if a cracker sitting on a oc3 at a colo does decide to crack a dialup machine ... they must be awfully bored .. :-0
Re: Debian Investigation Report after Server Compromises
On 4. December 2003 at 3:22PM -0600, Hoyt Bailey [EMAIL PROTECTED] wrote:
> From: csj [EMAIL PROTECTED]
> [...]
> > Now I'm curious: is it possible to get rooted while on dialup? I'm thinking of a user with access to a slow but dirt cheap dialup connection and so is online for significant stretches, say, eight hours. This also assumes that no trojans or similar have been installed on the user's system.
>
> FYI. As one who has caught several viruses: it can happen on dialup and it has always happened to me while downloading virus definitions from Norton.com. I don't believe that Norton was infected. Therefore it came from somewhere else.
> Hoyt

Getting rooted, a targeted attack, is different from getting infected by a virus. The only *n*x viruses I've read about tend to be proof of concept. Of course they could be made part of an attack...
Re: Debian Investigation Report after Server Compromises
Hoyt Bailey wrote:
> ----- Original Message -----
> From: csj [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, December 03, 2003 22:40
> Subject: Re: Debian Investigation Report after Server Compromises
>
> > On 3. December 2003 at 5:52PM -0800, Vineet Kumar [EMAIL PROTECTED] wrote:
> > > * Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]:
> > > > I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um ...
> > >
> > > Almost there -- minus the assumption that one needs physical access to a machine to install a keystroke logger. At the risk of perpetuating the telephone game, I recall reading that the developer's machine had been rooted. I didn't hear how, but I don't really see how it matters. I picture an always-on machine in someone's home on a DSL or cable line.
> >
> > Now I'm curious: is it possible to get rooted while on dialup? I'm thinking of a user with access to a slow but dirt cheap dialup connection and so is online for significant stretches, say, eight hours. This also assumes that no trojans or similar have been installed on the user's system.
>
> FYI. As one who has caught several viruses: it can happen on dialup and it has always happened to me while downloading virus definitions from Norton.com.

Virus definitions for Linux from norton.com?

Hugo.

> I don't believe that Norton was infected. Therefore it came from somewhere else.
> Hoyt
Re: Debian Investigation Report after Server Compromises
On Thu, 04 Dec 2003 18:05:15 -0800, Vineet Kumar wrote:
> * Paul Morgan ([EMAIL PROTECTED]) [031204 12:32]:
> > I have all services locked down to localhost; my only connections to the outside world are mail, news via nntpcached, web via squid... I run Apache but it too is locked down to localhost. My mail is run through my
>
> this ...
>
> > ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd be getting like 10 Svens per day). I do see, from time to time, Apache refusing connections attempts which are generally attacks by Windoze worms.
>
> ... and this do not add up. Methinks your apache is not locked down to localhost.

    150.140.128.174 - - [03/Dec/2003:08:52:40 -0500] "GET /.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831f HTTP/1.1" 403 322 "-" "-"
    [Wed Dec 3 08:52:40 2003] [error] [client 150.140.128.174] client denied by server configuration: /var/www/.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831f

-- 
paul
The number of UNIX installations has grown to 10, with more expected. (The UNIX Programmer's Manual, 2nd Edition, June 1972)
Re: Debian Investigation Report after Server Compromises
* Paul Morgan ([EMAIL PROTECTED]) [031205 14:24]:
> On Thu, 04 Dec 2003 18:05:15 -0800, Vineet Kumar wrote:
> > * Paul Morgan ([EMAIL PROTECTED]) [031204 12:32]:
> > > I have all services locked down to localhost; my only connections to the outside world are mail, news via nntpcached, web via squid... I run Apache but it too is locked down to localhost. My mail is run through my
> >
> > this ...
> >
> > > ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd be getting like 10 Svens per day). I do see, from time to time, Apache refusing connections attempts which are generally attacks by Windoze worms.
> >
> > ... and this do not add up. Methinks your apache is not locked down to localhost.
>
>     150.140.128.174 - - [03/Dec/2003:08:52:40 -0500] "GET /.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831f HTTP/1.1" 403 322 "-" "-"
>     [Wed Dec 3 08:52:40 2003] [error] [client 150.140.128.174] client denied by server configuration: /var/www/.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831f

That's fine. I just wouldn't consider it locked down to localhost if it's listening on any external interface. I'd use the Listen directive to have it bind to only 127.0.0.1:80 (and additionally use iptables to block incoming access). Relying on the server's configuration alone to reject incoming connections is subject to break if the server is broken. If it only ever bound to 127.0.0.1, any attempts to connect to an external address will get RST from TCP before apache ever knows anything about it.

good times,
Vineet

-- 
http://www.doorstop.net/
-- 
Extremism in the defense of liberty is no vice. Moderation in the pursuit of justice is no virtue. -- Barry Goldwater
Re: Debian Investigation Report after Server Compromises
On Fri, 05 Dec 2003 16:28:06 -0800, Vineet Kumar wrote:
> * Paul Morgan ([EMAIL PROTECTED]) [031205 14:24]:
> > On Thu, 04 Dec 2003 18:05:15 -0800, Vineet Kumar wrote:
> > > * Paul Morgan ([EMAIL PROTECTED]) [031204 12:32]:
> > > > I have all services locked down to localhost; my only connections to the outside world are mail, news via nntpcached, web via squid... I run Apache but it too is locked down to localhost. My mail is run through my
> > >
> > > this ...
> > >
> > > > ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd be getting like 10 Svens per day). I do see, from time to time, Apache refusing connections attempts which are generally attacks by Windoze worms.
> > >
> > > ... and this do not add up. Methinks your apache is not locked down to localhost.
> >
> >     150.140.128.174 - - [03/Dec/2003:08:52:40 -0500] "GET /.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831f HTTP/1.1" 403 322 "-" "-"
> >     [Wed Dec 3 08:52:40 2003] [error] [client 150.140.128.174] client denied by server configuration: /var/www/.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831f
>
> That's fine. I just wouldn't consider it locked down to localhost if it's listening on any external interface. I'd use the Listen directive to have it bind to only 127.0.0.1:80 (and additionally use iptables to block incoming access). Relying on the server's configuration alone to reject incoming connections is subject to break if the server is broken. If it only ever bound to 127.0.0.1, any attempts to connect to an external address will get RST from TCP before apache ever knows anything about it.
>
> good times,
> Vineet
> --

I appreciate the advice, but I've left it like that out of a somewhat perverse interest in seeing what shows up. I have had some success in getting a couple of people booted off their ISPs. Nice to do a tiny bit of fighting back :)

-- 
paul
The number of UNIX installations has grown to 10, with more expected. (The UNIX Programmer's Manual, 2nd Edition, June 1972)
Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)
Hello Benedict!

On Thu, Dec 04, 2003 at 12:06:35AM +0100, Benedict Verheyen wrote:
> Heh. Then it's kind of logical that i don't find any package ;)

Well, it's simply that I don't know about a place for downloading it, but this doesn't necessarily mean there isn't any... ;)

> It's indeed mentioned that you don't need one for a single machine. Anyway, even if you do use an initrd, you can do it without cramfs apparently by changing the mkinitrd.conf file. There you have to change the MKINITRD but i'm not sure what you can put in place of the mkcramfs there.

I just read you could use romfs instead of cramfs by using genromfs, but as I actually have never had the need to use initrd at all I simply cannot be sure.

Cheers,
Flo
Re: Debian Investigation Report after Server Compromises
on Wed, Dec 03, 2003 at 10:33:34AM -0700, Dr. MacQuigg ([EMAIL PROTECTED]) wrote:
> After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions:
>
> 1) What is a sniffed password, and how do they know the attacker used a password that was sniffed, rather than just stolen out of someone's notebook?

Through the grapevine: a DD's personal system or another remote system he used was cracked. His password(s) were sniffed from this. His own personal security practices were less than stellar, by his own admission. My understanding is that this was the route by which Debian Project boxes were compromised.

> 2) Was the breakin done remotely, or by someone with physical access to the machine or network?

In the case of the first system(s), this isn't fully clear.

> 3) How does an attacker with a user-level password gain root access?

Through a local root exploit, as is clearly described in the announcement quoted in URLs above, using the kernel brk() buffer overflow. A proof-of-concept exploit (it crashes but doesn't root a system) has been posted to BugTraq.

> I understand you can call system services that have root access, and provide bad data in those calls that will cause buffer overflows, maybe even a machine crash, but how does a buffer overflow allow root access?

It can. In this case, it did. Briefly: you're messing with kernel memory space. That's stuff in ring 0, running with full system privs. You do the math.

See BugTraq for more info.

http://www.securityfocus.com/archive/1/346180/2003-12-01/2003-12-07/0
http://www.securityfocus.com/archive/1/346175/2003-12-01/2003-12-07/2

Peace.

-- 
Karsten M. Self [EMAIL PROTECTED] http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
Backgrounder on the Caldera/SCO vs. IBM and Linux dispute. http://sco.iwethey.org/
Re: Debian Investigation Report after Server Compromises
Sorry for the duplicate post. The first one did not appear for a long time, and I assumed it was because I used the wrong email address.

-- Dave
Re: Debian Investigation Report after Server Compromises
>>>>> "Paul" == Paul Morgan [EMAIL PROTECTED] writes:

    Paul> With regard to your question 3, a buffer overflow exploit is
    Paul> always a stack exploit and is designed to execute arbitrary code
    Paul> with the called program's privilege.

But this time it is an integer overflow, not a buffer overflow. The idea is that when brk() is called, the kernel forgot to check whether this will result into the memory map pasting the end of address space used for the processes. The problem is that after pasting the end of the address space, it starts to be the kernel space, mapping all the physical memory of the computer directly. I.e., it includes all the memory of the kernel and also all the memory of all other processes. Once you get to this point, it just requires a little bit more imagination before you can write to all the memory of the computer directly, skipping all the protection mechanism of the kernel.

Regards,
Isaac.
Re: Debian Investigation Report after Server Compromises
>>>>> "Isaac" == Isaac To [EMAIL PROTECTED] writes:

    >>>>> "Paul" == Paul Morgan [EMAIL PROTECTED] writes:

    Paul> With regard to your question 3, a buffer overflow exploit is
    Paul> always a stack exploit and is designed to execute arbitrary code
    Paul> with the called program's privilege.

    Isaac> But this time it is an integer overflow, not a buffer
    Isaac> overflow. The idea is that when brk() is called, the kernel
    Isaac> forgot to check whether this will result into the memory map
    Isaac> pasting the end of address space used for the processes. The
    Isaac> problem is that after pasting the end of the address space, it
    Isaac> starts to be the kernel space, mapping all the physical memory of
    Isaac> the computer directly. I.e., it includes all the memory of the
    Isaac> kernel and also all the memory of all other processes. Once you
    Isaac> get to this point, it just requires a little bit more imagination
    Isaac> before you can write to all the memory of the computer directly,
    Isaac> skipping all the protection mechanism of the kernel.

All the "pasting" should really be "passing"... stupid me non-native English speaker...

Regards,
Isaac.
Re: keys - Re: Debian Investigation Report after Server Compromises
> i never did understand why, people wanna run rootkits once they got in

Usually they want to use the rooted machine to send spam, run DoS bots, or to cover their trail while cracking other, more interesting machines. I agree that when cracking a DD's machine in order to get his Debian password it would make sense to get what you want, clean up, and leave.

-- 
John Hasler [EMAIL PROTECTED]
Dancing Horse Hill
Elmwood, Wisconsin
Re: Debian Investigation Report after Server Compromises
On 3. December 2003 at 5:52PM -0800, Vineet Kumar [EMAIL PROTECTED] wrote:
> * Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]:
> > I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um ...
>
> Almost there -- minus the assumption that one needs physical access to a machine to install a keystroke logger. At the risk of perpetuating the telephone game, I recall reading that the developer's machine had been rooted. I didn't hear how, but I don't really see how it matters. I picture an always-on machine in someone's home on a DSL or cable line.

Now I'm curious: is it possible to get rooted while on dialup? I'm thinking of a user with access to a slow but dirt cheap dialup connection and so is online for significant stretches, say, eight hours. This also assumes that no trojans or similar have been installed on the user's system.

[...]
Re: Debian Investigation Report after Server Compromises
On Thu, Dec 04, 2003 at 12:40:42PM +0800, csj wrote:
> Now I'm curious: is it possible to get rooted while on dialup?

Sure. An ip address is an ip address. It's just slower.
Re: Debian Investigation Report after Server Compromises
csj writes:
> Now I'm curious: is it possible to get rooted while on dialup?

Of course. It's a little harder because the dialup gets a different IP number on each connection, but not impossible. Dialups are rarely attacked because they are uninteresting to most crackers due to their slow speed and intermittent connection.

-- 
John Hasler [EMAIL PROTECTED]
Dancing Horse Hill
Elmwood, Wisconsin
Re: Debian Investigation Report after Server Compromises
* csj ([EMAIL PROTECTED]) [031204 08:37]:

> On 3. December 2003 at 5:52PM -0800, Vineet Kumar [EMAIL PROTECTED] wrote:
>
> > * Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]:
> >
> > > I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um ...
> >
> > Almost there -- minus the assumption that one needs physical access to a machine to install a keystroke logger. At the risk of perpetuating the telephone game, I recall reading that the developer's machine had been rooted. I didn't hear how, but I don't really see how it matters. I picture an always-on machine in someone's home on a DSL or cable line.
>
> Now I'm curious: is it possible to get rooted while on dialup?

Absolutely. What about it would make it impossible? The only reason I mentioned an always-on connection is that it's more likely, since attackers have more opportunity. Also, with a dynamic address on a dial-up, the attacker will have a more difficult time (though certainly not impossible) doing anything useful (abuseful?) with your box.

good times,
Vineet

-- 
http://www.doorstop.net/ -- Microsoft has argued that open source is bad for business, but you have to ask, Whose business? Theirs, or yours? --Tim O'Reilly
Re: Debian Investigation Report after Server Compromises
On Thu, Dec 04, 2003 at 12:40:42PM +0800, csj wrote:

> Now I'm curious: is it possible to get rooted while on dialup?

Yes. However, being on dialup adds some additional difficulties for an attacker:

1) Most dialup systems have big, dynamic pools with IPs assigned randomly, or a bunch of lines on the same phone number and each modem is assigned an IP. So it's unpredictable what IP any particular system will actually get for a particular connection, other than it being within a certain range.

2) The most bandwidth you're going to get out of it is about 37 kb/sec.

3) The user is likely saturating that link.

Note this might not slow down a really, really determined individual.

> I'm thinking of a user with access to a slow but dirt cheap dialup connection and so is online for significant stretches, say, eight hours.

If your computer can communicate externally through it, there's always the possibility that it can be compromised through it. User I/O, data from external media, network connections, dialup connections, etc., is what I mean by external communication. Everything after that is playing the numbers and betting it all every time.

With any network connection, you should follow some basic rules. Don't leave services you don't use installed. Don't run daemons intended only for local use on the external interface. Someone else here might have some good URLs handy; also try Google.

-- 
.''`. Paul Johnson [EMAIL PROTECTED]
: :' :
`. `'` proud Debian admin and user
`- Debian - when you have better things to do than fix a system
Re: Debian Investigation Report after Server Compromises
On Wed, 03 Dec 2003 21:46:21 -0500, Carl Fink wrote:

> If the system is rooted, it would be trivial to write a replacement for ssh (GPG, etc.) that copies your private keys onto the hard drive for later retrieval. Definition of trivial is: I, a bad programmer, could do it.

Well, bad in this case could mean either evil or lousy :)

-- 
paul

The number of UNIX installations has grown to 10, with more expected. (The UNIX Programmer's Manual, 2nd Edition, June 1972)
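The "replacement for ssh" scenario Carl describes above is what package checksum verification exists to catch. What follows is an added example, not code from Carl's or Paul's messages: a sh function that checks files on disk against a dpkg-style .md5sums list (the same data the debsums package reads from /var/lib/dpkg/info), run here against a constructed fake root in which ssh has been replaced after the list was recorded. The caveat a practitioner would add: on a rooted host, md5sum, dpkg and the .md5sums lists themselves may all have been replaced as well, so run the check from a clean boot medium against the mounted disk, or compare against a fresh copy of the package fetched from a trusted mirror.

```shell
#!/bin/sh
# Added example, not from the original thread: verify files against a
# dpkg-style .md5sums list to spot a replaced binary such as a trojaned ssh.
# Caveat: run this from a clean boot medium; a rooted host's md5sum, dpkg
# and /var/lib/dpkg/info/*.md5sums can all have been tampered with too.

# verify_md5sums LISTFILE ROOT
# LISTFILE has the dpkg .md5sums layout: "<md5>  <path relative to ROOT>".
# Prints one line per file that is missing or whose digest differs, prints
# nothing when everything matches, and returns 1 if anything failed.
verify_md5sums() {
    list=$1; root=$2; status=0
    while read -r want path; do
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        got=$(md5sum < "$f" | awk '{ print $1 }')
        if [ "$got" != "$want" ]; then
            echo "CHANGED  $path"; status=1
        fi
    done < "$list"
    return $status
}

# make_demo_root: build a constructed fake root with two files, record their
# digests the way dpkg would, then overwrite ssh as a hostile replacement.
# Real use on a Debian box: verify_md5sums /var/lib/dpkg/info/ssh.md5sums /
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    printf 'original ssh\n' > "$d/usr/bin/ssh"
    printf 'original scp\n' > "$d/usr/bin/scp"
    ( cd "$d" && md5sum usr/bin/ssh usr/bin/scp ) > "$d/ssh.md5sums"
    # the "trojan" lands after the list was recorded
    printf 'evil ssh that logs keys\n' > "$d/usr/bin/ssh"
    echo "$d"
}

DEMO_ROOT=$(make_demo_root)
verify_md5sums "$DEMO_ROOT/ssh.md5sums" "$DEMO_ROOT" \
    || echo "tampering detected under $DEMO_ROOT"
```

The function deliberately reads the list from a path you supply rather than from the installed dpkg database, so the same code works against a mounted disk from a rescue system, where you can point it at a .md5sums extracted from a known-good .deb.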
Re: Debian Investigation Report after Server Compromises
----- Original Message -----
From: csj [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 22:40
Subject: Re: Debian Investigation Report after Server Compromises

> On 3. December 2003 at 5:52PM -0800, Vineet Kumar [EMAIL PROTECTED] wrote:
>
> > * Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]:
> >
> > > I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um ...
> >
> > Almost there -- minus the assumption that one needs physical access to a machine to install a keystroke logger. At the risk of perpetuating the telephone game, I recall reading that the developer's machine had been rooted. I didn't hear how, but I don't really see how it matters. I picture an always-on machine in someone's home on a DSL or cable line.
>
> Now I'm curious: is it possible to get rooted while on dialup? I'm thinking of a user with access to a slow but dirt cheap dialup connection and so is online for significant stretches, say, eight hours. This also assumes that no trojans or similar have been installed on the user's system.

FYI. As one who has caught several viruses: it can happen on dialup, and it has always happened to me while downloading virus definitions from Norton.com. I don't believe that Norton was infected. Therefore it came from somewhere else.

Hoyt
Re: Debian Investigation Report after Server Compromises
* Paul Morgan ([EMAIL PROTECTED]) [031204 12:32]:

> I have all services locked down to localhost; my only connections to the outside world are mail, news via nntpcached, web via squid... I run Apache but it too is locked down to localhost. My mail is run through my

this ...

> ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd be getting like 10 Svens per day). I do see, from time to time, Apache refusing connection attempts which are generally attacks by Windoze worms.

... and this do not add up. Methinks your apache is not locked down to localhost.

good times,
Vineet

-- 
http://www.doorstop.net/ -- http://www.anti-dmca.org/
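Paul Johnson's rule above ("don't run daemons intended only for local use on the external interface") and Vineet's observation that Apache cannot be both loopback-only and refusing outside worm traffic both come down to one check: which listening sockets are bound to something other than a loopback address. The script below is an added example, not code from either message; it runs against a constructed sample of listener addresses (the fourth field of `ss -H -ltn`, or the equivalent column of `netstat -ltn` on a 2003-era system) and assumes iproute2's ss is present only for the live-host helper.

```shell
#!/bin/sh
# Added example, not from the original thread: list TCP listeners and flag
# those bound to a non-loopback address, i.e. daemons that would be reachable
# from the network rather than only from the host itself.

# Constructed sample of "local address:port" fields, in the shape that
# `ss -H -ltn | awk '{ print $4 }'` (or netstat -ltn) prints. Three of the
# six (0.0.0.0:22, 192.168.1.5:119, [::]:8080) are reachable from outside.
SAMPLE_LISTENERS='127.0.0.1:80
127.0.0.1:3128
0.0.0.0:22
192.168.1.5:119
[::1]:25
[::]:8080'

# nonlocal_listeners ADDR_LIST
# Print each "addr:port" entry of ADDR_LIST (one per line) whose address is
# not loopback. Loopback is 127.0.0.0/8 for IPv4, ::1 for IPv6 and the
# IPv4-mapped form ::ffff:127.x. The wildcards 0.0.0.0 and [::] bind every
# interface, so they are reported.
nonlocal_listeners() {
    printf '%s\n' "$1" | awk '
        /^127\./             { next }   # IPv4 loopback
        /^\[::1\]:/          { next }   # IPv6 loopback
        /^\[::ffff:127\./    { next }   # IPv4-mapped loopback
        NF                   { print }
    '
}

# count_nonlocal ADDR_LIST: how many entries nonlocal_listeners reports.
count_nonlocal() {
    nonlocal_listeners "$1" | awk 'END { print NR }'
}

# live_listeners: the same fields taken from the running system.
# Assumes iproute2 ss; on an older box substitute `netstat -ltn`.
live_listeners() {
    ss -H -ltn 2>/dev/null | awk '{ print $4 }'
}

# Demo on the constructed sample. For a real host run:
#   nonlocal_listeners "$(live_listeners)"
echo "Listeners reachable from the network (sample data):"
nonlocal_listeners "$SAMPLE_LISTENERS"
```

On Paul's box, an Apache that is really bound to 127.0.0.1 would never appear in this output, and it would never log refused connections from worms either; anything that shows up here is what the "don't run local-only daemons on the external interface" rule is about.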
Re: Debian Investigation Report after Server Compromises
On Tue, Dec 02, 2003 at 04:11:33PM -0500, Paul Morgan wrote:

> There is always a conflict between security and openness. MS's approach has always been not to say anything until a fix has been propagated; they are often criticized for that, but I'm sure they'd be deluged in lawsuits from compromised system owners if they advertised the exploit to bad guys before they had a fix.

Microsoft could easily sidestep those by pointing to their EULA: You agree not to sue them due to faults in their software.

-- 
.''`. Paul Johnson [EMAIL PROTECTED]
: :' :
`. `'` proud Debian admin and user
`- Debian - when you have better things to do than fix a system
Re: Debian Investigation Report after Server Compromises
On Tue, Dec 02, 2003 at 04:16:44PM -0500, Greg Folkert wrote:

> On Tue, 2003-12-02 at 14:12, Alex Malinovich wrote:
>
> > I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?
>
> DMCA. Nuff said.

Expand, please? This is the digital equivalent of the classic for-the-children bullshit copout, or the more contemporary (and hopefully temporary) homeland security bullshit copout.

-- 
.''`. Paul Johnson [EMAIL PROTECTED]
: :' :
`. `'` proud Debian admin and user
`- Debian - when you have better things to do than fix a system
Re: Debian Investigation Report after Server Compromises
On Tue, Dec 02, 2003 at 09:41:15PM +0000, Oliver Elphick wrote:

> Because there will be lots of people who haven't yet had the chance to upgrade. They won't thank us for making an exploit available to every would-be cracker.

Why should we cater to people who can't be bothered to help themselves? Leaving readily compromisable systems out there does the net a disservice.

-- 
.''`. Paul Johnson [EMAIL PROTECTED]
: :' :
`. `'` proud Debian admin and user
`- Debian - when you have better things to do than fix a system
Re: Debian Investigation Report after Server Compromises
On Tue, Dec 02, 2003 at 06:17:44PM -0500, Paul Morgan wrote:

> It would be a lot less stable and secure if debian started publishing exploits. The announcement explains quite clearly what happened and how to protect your system.

Why does BugTraq do it? Because it forces quick action. Granted, this isn't a problem for a self-motivated project like Debian. However, Debian is looked up to quite a bit in the software community, so shouldn't Debian be setting the example here?

-- 
.''`. Paul Johnson [EMAIL PROTECTED]
: :' :
`. `'` proud Debian admin and user
`- Debian - when you have better things to do than fix a system
Re: Debian Investigation Report after Server Compromises
On Wed, 2003-12-03 at 07:04, Paul Johnson wrote:

> On Tue, Dec 02, 2003 at 09:41:15PM +0000, Oliver Elphick wrote:
>
> > Because there will be lots of people who haven't yet had the chance to upgrade. They won't thank us for making an exploit available to every would-be cracker.
>
> Why should we cater to people who can't be bothered to help themselves? Leaving readily compromisable systems out there does the net a disservice.

Suppose I go off for two weeks' holiday? I'm the only one who can change my system's kernel, but I leave it on because it is the gateway for everyone else. The day after I leave, some idiot publishes details of this exploit and for 13 days my system is vulnerable, before I even hear about the problem, let alone have the chance to fix it.

There is not yet a Debian package of kernel 2.4.23, so anyone who can't downgrade to 2.4.18 must fetch his own kernel source and build it; which may be beyond the abilities of many of those who are vulnerable.

-- 
Oliver Elphick [EMAIL PROTECTED]
Isle of Wight, UK http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C

What shall we then say to these things? If God be for us, who can be against us? Romans 8:31
Re: Debian Investigation Report after Server Compromises
Hmmm. A friend of mine works at a company with over 500 machines in the field. Many of them are customer-facing. There is more than one configuration on the servers. He has to compile each config and run it through a dev/test and a full regression before he can update any production machines in the field. Has he started the upgrade? Yes, 2 of the kernels are in test now, 1 is in regression already. It's likely to be a month or so before all the kernels are ready, upgraded and reboot time scheduled for maintenance windows.

And yes, he's very bothered by this. We talked about it and agree that it's much preferable that those who might want to screw with his machines might have 1 less attack available. What would telling the world accomplish? Would that make the world a safer place? Would holding the information back keep one or more pissants at bay a while longer?

Your argument sounds like my 6yr old doing an "I want it now, I don't care what your reasons are", soon followed by a temper tantrum.

Thus spake Paul Johnson ([EMAIL PROTECTED]):

> On Tue, Dec 02, 2003 at 09:41:15PM +0000, Oliver Elphick wrote:
>
> > Because there will be lots of people who haven't yet had the chance to upgrade. They won't thank us for making an exploit available to every would-be cracker.
>
> Why should we cater to people who can't be bothered to help themselves? Leaving readily compromisable systems out there does the net a disservice.

:wq!

---
Robert L. Harris | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu
DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.
Life is not a destination, it's a journey. Microsoft produces 15 car pileups on the highway. Don't stop traffic to stand and gawk at the tragedy.
Re: Debian Investigation Report after Server Compromises
On Wed, 2003-12-03 at 02:03, Paul Johnson wrote:

> On Tue, Dec 02, 2003 at 04:16:44PM -0500, Greg Folkert wrote:
>
> > On Tue, 2003-12-02 at 14:12, Alex Malinovich wrote:
> >
> > > I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?
> >
> > DMCA. Nuff said.
>
> Expand, please? This is the digital equivalent of the classic for-the-children bullshit copout, or the more contemporary (and hopefully temporary) homeland security bullshit copout.

DMCA sort of states: It is illegal to subvert any kind of protection to keep you out of things or publish the information on how to do this... should you live in the USA. If you want more info, I'll cut and paste the relevant parts of the DMCA.

Come on, with the way Lexmark sued replacement cartridge manufacturers because the toner cartridge uses electronic measures to communicate to the printer... Geez, is it *so* hard to understand the perverseness things can come to?

Again, if more info is needed, I'll be happy to Cut'n'Paste the relevant parts.

-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Re: Debian Investigation Report after Server Compromises
On Wed, Dec 03, 2003 at 09:16:15AM -0500, Greg Folkert wrote:

> On Wed, 2003-12-03 at 02:03, Paul Johnson wrote:
>
> > On Tue, Dec 02, 2003 at 04:16:44PM -0500, Greg Folkert wrote:
> >
> > > On Tue, 2003-12-02 at 14:12, Alex Malinovich wrote:
> > >
> > > > I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?
> > >
> > > DMCA. Nuff said.
> >
> > Expand, please? This is the digital equivalent of the classic for-the-children bullshit copout, or the more contemporary (and hopefully temporary) homeland security bullshit copout.
>
> DMCA sort of states: It is illegal to subvert any kind of protection to keep you out of things or publish the information on how to do this... should you live in the USA.

Of course, but how does it affect Debian in this matter? That's what I wanted to know... I don't think the DMCA is criminal law.

-- 
.''`. Paul Johnson [EMAIL PROTECTED]
: :' :
`. `'` proud Debian admin and user
`- Debian - when you have better things to do than fix a system
Re: Debian Investigation Report after Server Compromises
On Wed, 2003-12-03 at 02:04, Paul Johnson wrote:

> On Tue, Dec 02, 2003 at 09:41:15PM +0000, Oliver Elphick wrote:
>
> > Because there will be lots of people who haven't yet had the chance to upgrade. They won't thank us for making an exploit available to every would-be cracker.
>
> Why should we cater to people who can't be bothered to help themselves? Leaving readily compromisable systems out there does the net a disservice.

Yes, it does do a disservice. But since when does it make it right to add exposure to Bank, Govt, Hospital (etc.) systems, when a delay in script-kiddie info would allow things to be fixed before it is common knowledge? Sure the Black-Hats already know... but there is little we can do about them. Script-kiddies on the other hand go to a few [EMAIL PROTECTED] 51735 (cracker sites) and D/L the tools and code to exploit... usually in 10 minutes from reading a list of possible candidates from the same sites... have already gotten in and made your credit-card their slave.

Come on Paul, think in a common-sense approach; lately this whole (set of) Debian Lists is becoming nothing more than a sounding board for Meta-Moderators... saying pooh-pooh to anyone on the dissenting side. Real life requires real thinking, smartly... that is why Debian Snobbians (myself included in that class) have a hard time dealing with people on a level playing field.

-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Re: Debian Investigation Report after Server Compromises
On Wed, 2003-12-03 at 02:08, Paul Johnson wrote:

> On Tue, Dec 02, 2003 at 06:17:44PM -0500, Paul Morgan wrote:
>
> > It would be a lot less stable and secure if debian started publishing exploits. The announcement explains quite clearly what happened and how to protect your system.
>
> Why does BugTraq do it? Because it forces quick action. Granted, this isn't a problem for a self-motivated project like Debian. However, Debian is looked up to quite a bit in the software community, so shouldn't Debian be setting the example here?

BugTraq does delay disclosure under threat from DMCA for proprietary systems (Microsoft seems to stand out here); there have even been comments from them on it. So get a life Paul... a small delay is better than adding exposure to many systems that have diligent people trying to keep up with those exploits. No, I am not talking about those that haven't patched RedHat 6.2 since the original install from the CD. I am talking about people like me, that take a couple of days to schedule a critical system reboot (when it is a kernel issue like this one)... we can't just flip the switch... we could (will) be sued or back-billed for down-time on some of these systems.

Think in real-life terms, not personal preferences. Sure I'd like to know, but right this second maybe not.

-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Re: Debian Investigation Report after Server Compromises
on Wed, Dec 03, 2003 at 09:16:15AM -0500, Greg Folkert ([EMAIL PROTECTED]) wrote:

> On Wed, 2003-12-03 at 02:03, Paul Johnson wrote:
>
> > On Tue, Dec 02, 2003 at 04:16:44PM -0500, Greg Folkert wrote:
> >
> > > On Tue, 2003-12-02 at 14:12, Alex Malinovich wrote:
> > >
> > > > I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?
> > >
> > > DMCA. Nuff said.
> >
> > Expand, please? This is the digital equivalent of the classic for-the-children bullshit copout, or the more contemporary (and hopefully temporary) homeland security bullshit copout.
>
> DMCA sort of states: It is illegal to subvert any kind of protection to keep you out of things or publish the information on how to do this... should you live in the USA.

Good point. Though the text of the statute is sufficiently vague that defining an operating system as a copyright protection system is debatable.

> If you want more info, I'll cut and paste the relevant parts of the DMCA. Come on, with the way Lexmark sued replacement cartridge manufacturers because the toner cartridge uses electronic measures to communicate to the printer... Geez, is it *so* hard to understand the perverseness things can come to?

Lexmark lost that one, fortunately. Not without a lot of trouble.

http://www.arstechnica.com/archive/news/1067455401.html

> Again, if more info is needed, I'll be happy to Cut'n'Paste the relevant parts.

http://www4.law.cornell.edu/uscode/17/1201.html

Peace.

-- 
Karsten M. Self [EMAIL PROTECTED] http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
There is no K5 Cabal: http://www.kuro5hin.org/
Re: Debian Investigation Report after Server Compromises
on Tue, Dec 02, 2003 at 01:12:40PM -0600, Alex Malinovich ([EMAIL PROTECTED]) wrote:

> On Tue, 2003-12-02 at 11:31, Greg Folkert wrote:
>
> > Shoulda Been: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html
> > What a wanker I am. No, Peter, no comment needed.
>
> Thanks for the link. It certainly makes for interesting reading. Though I am somewhat concerned about the following bit from the message:
>
> > Please understand that we cannot give away the used exploit to random people who we don't know. So please don't ask us about it.
>
> I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?

The security flaw is identified. An in-the-wild exploit is disclosed. There is a hole, and you're currently at risk. There's nothing more to be gained by contributing to the awareness of the exploit for the flaw while people are still patching their systems.

I'm one of those who's got all his systems on safe kernels, even if this means I don't have full use. NICs on one box aren't supported by 2.4.18, and building 2.4.23 is turning into a bitch.

Peace.

-- 
Karsten M. Self [EMAIL PROTECTED] http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
Backgrounder on the Caldera/SCO vs. IBM and Linux dispute. http://sco.iwethey.org/
Re: Debian Investigation Report after Server Compromises
on Tue, Dec 02, 2003 at 11:08:07PM -0800, Paul Johnson ([EMAIL PROTECTED]) wrote:

> On Tue, Dec 02, 2003 at 06:17:44PM -0500, Paul Morgan wrote:
>
> > It would be a lot less stable and secure if debian started publishing exploits. The announcement explains quite clearly what happened and how to protect your system.
>
> Why does BugTraq do it? Because it forces quick action.

Often (though not always) in a defanged implementation which demonstrates the problem without providing a useful exploit tool. The problem has been clearly demonstrated.

/me hands Paul a clue.

Peace.

-- 
Karsten M. Self [EMAIL PROTECTED] http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
GNU/Linux web browsing mini review: Galeon. Kicks ass. http://galeon.sourceforge.org/
Re: Debian Investigation Report after Server Compromises
> I'm one of those who's got all his systems on safe kernels, even if this means I don't have full use. NICs on one box aren't supported by 2.4.18, and building 2.4.23 is turning into a bitch.

Is there a page anywhere (if not, there should be one) or info on what type of patches are added to a Debianized kernel and where to find them?

Another user on this list was also having trouble compiling a 2.4.23 kernel which needed an initrd and thus the cramfs patch. I tried searching for this patch but I haven't found where it resides. I looked using Google and checked the /usr/share/doc/kernel-source dir but didn't find anything useful. So there are some possibilities:

1. Either this info just isn't there because you don't need cramfs for an initrd
2. The info is missing but you need the cramfs patch
3. I'm blind or don't know how to look for info :)

Benedict
Re: Debian Investigation Report after Server Compromises
Hello Benedict!

On Wed, Dec 03, 2003 at 04:25:21PM +0100, Benedict Verheyen wrote:

> Is there a page anywhere (if not, there should be one) or info on what type of patches are added to a debianized kernel and where to find them.

I don't know about a page, but I find a long list in /usr/share/doc/kernel-image-`uname -r`

You can find the patches themselves in the Debian archives (.diff.gz), and recently there are kernel-patch-debian debs available which contain all the applied patches.

Cheers,
Flo
The lost cramfs patch (was: Debian Investigation Report after Server Compromises)
----- Original Message -----
From: Florian Ernst [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 5:31 PM
Subject: Re: Debian Investigation Report after Server Compromises

> Hello Benedict!
>
> On Wed, Dec 03, 2003 at 04:25:21PM +0100, Benedict Verheyen wrote:
>
> > Is there a page anywhere (if not, there should be one) or info on what type of patches are added to a debianized kernel and where to find them.
>
> I don't know about a page, but I find a long list in /usr/share/doc/kernel-image-`uname -r`
>
> You can find the patches themselves in the Debian archives (.diff.gz), and recently there are kernel-patch-debian debs available which contain all the applied patches.
>
> Cheers,
> Flo

Flo, thanks for the info. I checked the kernel-image dir and indeed I found a lot of files there. However, I only found one reference to cramfs and it was in README.Debian.1st.gz:

Quote:
* Added initrd support for cramfs in init/do_mounts.c
* Set time fields to zero in fs/cramfs/inode.c

I didn't find anything regarding cramfs patches so I guess the changes necessary for Debian are located in the 2 files described above and there probably isn't a patch that one can download to do this. Now, this shouldn't be a problem if cramfs isn't needed by a Debian initrd. That I don't know.

Then I went on to search in the kernel-source-2.4.21 directory. The kernel-source-2.4.21 directory also contains a lot of files and there are some more comments on cramfs. The debian.README.gz file has more info on initrd:

Quote:
... and make sure that you have applied the cramfs initrd patch to the kernel sources (or modified mkinitrd config not to create a cramfs initrd) The cramfs initrd patch is shipped with Debian Kernel sources

That's all I've found on cramfs. The person on this list was using LVM, which has its own initrd creating script (lvmcreate_initrd), and I don't think it uses cramfs, so in that case he should be ok to create a kernel from the vanilla sources.

In the other case, he could adjust /etc/mkinitrd/mkinitrd.conf to not use cramfs when creating an initrd by changing the MKIMAGE setting in mkinitrd.conf. Not sure what you could add instead. I've seen references to this, but I'm not sure if it produces a working kernel:

MKIMAGE='genromfs -f /dev/fd/1 -d %s | gzip -9 %s'

I then found http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=149236

Quote:
Please read the description of initrd-tools. It only works with Debian. The patch is listed in the README file of kernel-source.
Herbert Xu

Well, I went over to the kernel-sources-2.4.21 and I checked the README (I think he means README.gz) and I didn't find any reference to cramfs either. The original bug filer apparently also had problems with the rather obscure references to the cramfs patch that nobody seems able to find. It's bad timing as a lot of people want to compile vanilla kernel sources yet are blocked because they can't find any link to that patch.

They then refer to:
kernel-package_8.005.dsc to pool/main/k/kernel-package/kernel-package_8.005.dsc
kernel-package_8.005.tar.gz to pool/main/k/kernel-package/kernel-package_8.005.tar.gz
kernel-package_8.005_all.deb to pool/main/k/kernel-package/kernel-package_8.005_all.deb

I then tried to see if I could use apt-cache search to find something regarding cramfs but it ended up with cramfsprogs and mkcramfs. apt-cache search kernel-patch | grep cramfs doesn't result in anything. It seems as if the Debian archives are the only place where you can get this patch.

So: where is this patch hiding and how can you get it?

Thanks,
Benedict
Re: Debian Investigation Report after Server Compromises
On Tue, 02 Dec 2003 23:08:07 -0800, Paul Johnson wrote:

> On Tue, Dec 02, 2003 at 06:17:44PM -0500, Paul Morgan wrote:
>
> > It would be a lot less stable and secure if debian started publishing exploits. The announcement explains quite clearly what happened and how to protect your system.
>
> Why does BugTraq do it? Because it forces quick action. Granted, this isn't a problem for a self-motivated project like Debian. However, Debian is looked up to quite a bit in the software community, so shouldn't Debian be setting the example here?

Paul, I think debian *is* setting the example by not further propagating the exploit by publishing it.

-- 
paul

I think that gay marriage is something that should be between a man and a woman. -- Arnold Schwarzenegger, Governor of California
Re: Debian Investigation Report after Server Compromises
On Wed, 03 Dec 2003 09:57:55 +0000, Oliver Elphick wrote:

> Suppose I go off for two weeks' holiday? I'm the only one who can change my system's kernel, but I leave it on because it is the gateway for everyone else. The day after I leave, some idiot publishes details of this exploit and for 13 days my system is vulnerable, before I even hear about the problem, let alone have the chance to fix it.
>
> There is not yet a Debian package of kernel 2.4.23, so anyone who can't downgrade to 2.4.18 must fetch his own kernel source and build it; which may be beyond the abilities of many of those who are vulnerable.

Excellent example :)

-- 
paul

I think that gay marriage is something that should be between a man and a woman. -- Arnold Schwarzenegger, Governor of California
Re: Debian Investigation Report after Server Compromises
On Tue, 02 Dec 2003 23:01:43 -0800, Paul Johnson wrote:

> On Tue, Dec 02, 2003 at 04:11:33PM -0500, Paul Morgan wrote:
>
> > There is always a conflict between security and openness. MS's approach has always been not to say anything until a fix has been propagated; they are often criticized for that, but I'm sure they'd be deluged in lawsuits from compromised system owners if they advertised the exploit to bad guys before they had a fix.
>
> Microsoft could easily sidestep those by pointing to their EULA: You agree not to sue them due to faults in their software.

Not just MS. In the early 70s I used to put a disclaimer at the beginning of my source code: "While every effort has been made to test this program to its limits, no warranty, express or implied, is given as to the adequate functioning thereof." :)

-- 
paul

I think that gay marriage is something that should be between a man and a woman. -- Arnold Schwarzenegger, Governor of California
Re: Debian Investigation Report after Server Compromises
* Paul Johnson ([EMAIL PROTECTED]) [031202 23:01]:

> On Tue, Dec 02, 2003 at 04:11:33PM -0500, Paul Morgan wrote:
>
> > There is always a conflict between security and openness. MS's approach has always been not to say anything until a fix has been propagated; they are often criticized for that, but I'm sure they'd be deluged in lawsuits from compromised system owners if they advertised the exploit to bad guys before they had a fix.
>
> Microsoft could easily sidestep those by pointing to their EULA: You agree not to sue them due to faults in their software.

Sidestepping lawsuits from a million angry customers isn't really a win. They are, after all, a business -- one with customers, no less. The way to keep your customers paying for upgrades isn't to piss them off and then hide behind your EULA; it's to keep their customers happy.

If their customers can hear about a problem only when it's been fixed, it makes Microsoft look like the good guys: "Hey, by the way, we fixed this problem you didn't even know about." If there's an exploit in the wild before a fix is available, the PHBs hear it on the local news first, which is not good.

It's not about lawsuits, it's just simple business sense -- you have to keep your customers happy.

good times,
Vineet

-- 
http://www.doorstop.net/
-- One nation, indivisible, with equality, liberty, and justice for all.
Re: Debian Investigation Report after Server Compromises
On Wed, 03 Dec 2003 16:25:21 +0100, Benedict Verheyen wrote:

> I'm one of those who's got all his systems on safe kernels, even if this means I don't have full use. NICs on one box aren't supported by 2.4.18, and building 2.4.23 is turning into a bitch. Is there a page anywhere (if not, there should be one) or info on what type of patches are added to a debianized kernel and where to find them.
>
> Another user on this list was also having trouble compiling a 2.4.23 kernel which needed an initrd and thus the cramfs patch. I tried searching for this patch but I haven't found where it resides. I looked using google and checked the /usr/share/doc/kernel-source dir but didn't find anything useful. So there are some possibilities:
>
> 1. Either this info just isn't there because you don't need cramfs for an initrd
> 2. The info is missing but you need the cramfs patch
> 3. I'm blind or don't know how to look for info :)
>
> Benedict

For patches and modifications applied to a kernel source, DL and unpack the source and read src/linux/README.Debian

-- 
paul

I think that gay marriage is something that should be between a man and a woman.
-- Arnold Schwarzenegger, Governor of California
Re: Debian Investigation Report after Server Compromises
After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions:

1) What is a sniffed password, and how do they know the attacker used a password that was sniffed, rather than just stolen out of someone's notebook?

2) Was the breakin done remotely, or by someone with physical access to the machine or network? I thought that sniffing required physical access to a network over which unencrypted data was being transferred. Are the remote logins to Debian servers unencrypted?

3) How does an attacker with a user-level password gain root access? I understand you can call system services that have root access, and provide bad data in those calls that will cause buffer overflows, maybe even a machine crash, but how does a buffer overflow allow root access? I know there is a deep technical explanation for this, but I'm hoping someone can explain it in simple terms, or maybe point me to a good article or book chapter.

-- 
Dave
Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)
Hello Benedict!

On Wed, Dec 03, 2003 at 08:08:05PM +0100, Benedict Verheyen wrote:

> So: Where is this patch hiding and how can you get it?

I don't know about a place where you could download it from, but you can easily extract it from init/do_mounts.c from your Debian kernel-sources, just take everything matching 'cramfs' keeping any structures intact.

You can find an outline on this page http://www.bolli.homeip.net/bb/cgi/blosxom.cgi/software/debian at 'Linux mit cramfs als initrd' (you won't need to understand German, though), but also see http://www.debian.org/doc/manuals/reference/ch-kernel.en.html

Actually you don't _need_ this patch at all.

Cheers,
Flo
Re: Debian Investigation Report after Server Compromises
- Original Message -
From: Paul Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 6:01 PM
Subject: Re: Debian Investigation Report after Server Compromises

> On Wed, 03 Dec 2003 16:25:21 +0100, Benedict Verheyen wrote:
>
> > I'm one of those who's got all his systems on safe kernels, even if this means I don't have full use. NICs on one box aren't supported by 2.4.18, and building 2.4.23 is turning into a bitch. Is there a page anywhere (if not, there should be one) or info on what type of patches are added to a debianized kernel and where to find them.
> >
> > Another user on this list was also having trouble compiling a 2.4.23 kernel which needed an initrd and thus the cramfs patch. I tried searching for this patch but I haven't found where it resides. I looked using google and checked the /usr/share/doc/kernel-source dir but didn't find anything useful. So there are some possibilities:
> >
> > 1. Either this info just isn't there because you don't need cramfs for an initrd
> > 2. The info is missing but you need the cramfs patch
> > 3. I'm blind or don't know how to look for info :)
> >
> > Benedict
>
> For patches and modifications applied to a kernel source, DL and unpack the source and read src/linux/README.Debian
>
> -- 
> paul

Yes, I checked that already. Only 2 lines about cramfs but no link to where one can download the patch.

Benedict
Re: Debian Investigation Report after Server Compromises
On Wed, 2003-12-03 at 11:33, Dr. MacQuigg wrote:

> After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions:
>
> 1) What is a sniffed password, and how do they know the attacker used a password that was sniffed, rather than just stolen out of someone's notebook?

(NOTE: I am by no means an expert on any of this, so don't take this as a definitive answer on the subjects.)

I'm not sure of the specifics of how the attacker obtained the passwords, but you can sniff a password both over a network connection as well as locally. For example, using a keystroke logger, you could get the password as a user was typing it in.

> 2) Was the breakin done remotely, or by someone with physical access to the machine or network? I thought that sniffing required physical access to a network over which unencrypted data was being transferred. Are the remote logins to Debian servers unencrypted?

From what I understood of the description, I had thought that it was done remotely. All of the Debian servers, as far as I know, only allow ssh (encrypted) connections. I don't think any of them will allow a regular old telnet connection which would send the password out in the open.

> 3) How does an attacker with a user-level password gain root access? I understand you can call system services that have root access, and provide bad data in those calls that will cause buffer overflows, maybe even a machine crash, but how does a buffer overflow allow root access? I know there is a deep technical explanation for this, but I'm hoping someone can explain it in simple terms, or maybe point me to a good article or book chapter.

Well, in the case of buffer overflows, here's basically what happens: Let's say memory blocks 1 - 100 are reserved for a program called myprogram. If that program doesn't do appropriate checking, it's possible to feed it enough data that it'll start writing in addresses beyond 100. (Say if you pass it 100 blocks worth of data, blocks 101 through 110 would end up being put into unprotected memory.) In this case, it's possible to send malicious executable code into those memory addresses that could then be executed by the system letting you do just about anything you want such as giving you root access.

Buffer overflows are by no means the ONLY way to go about this, but they've received a lot of attention in the last year or two in various arenas.

-- 
Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the pgp.net keyservers. Key ID: A6D24837
Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)
- Original Message -
From: Florian Ernst [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 11:13 PM
Subject: Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)

> Hello Benedict!
>
> On Wed, Dec 03, 2003 at 08:08:05PM +0100, Benedict Verheyen wrote:
>
> > So: Where is this patch hiding and how can you get it?
>
> I don't know about a place where you could download it from, but you can easily extract it from init/do_mounts.c from your Debian kernel-sources, just take everything matching 'cramfs' keeping any structures intact.

Heh. Then it's kind of logical that I don't find any package ;)

> You can find an outline on this page http://www.bolli.homeip.net/bb/cgi/blosxom.cgi/software/debian at 'Linux mit cramfs als initrd' (you won't need to understand German, though), but also see http://www.debian.org/doc/manuals/reference/ch-kernel.en.html
>
> Actually you don't _need_ this patch at all.

It's indeed mentioned that you don't need one for a single machine. Anyway, even if you do use an initrd, you can do it without cramfs apparently by changing the mkinitrd.conf file. There you have to change the MKINITRD but I'm not sure what you can put in place of the mkcramfs there.

Regards,
Benedict
Re: Debian Investigation Report after Server Compromises
(Not speaking for Debian at all.)

Dr. MacQuigg [EMAIL PROTECTED] writes:

> 1) What is a sniffed password, and how do they know the attacker used a password that was sniffed, rather than just stolen out of someone's notebook?

It sounds like someone's personal machine got broken into, and a keystroke logger installed. Then they did something like upload a package and typed their password on the Debian machines, and the attacker was able to capture the username and password.

> 2) Was the breakin done remotely, or by someone with physical access to the machine or network? I thought that sniffing required physical access to a network over which unencrypted data was being transferred. Are the remote logins to Debian servers unencrypted?

I think there's only ssh. (So if you broke into the machine and installed a compromised ssh binary, that could work to steal a password too.) "Captured password" might be more correct than "sniffed". But I haven't heard anything that suggests the attacker had physical access to anything.

> 3) How does an attacker with a user-level password gain root access?

In this case, there was a bug in the kernel that let a user process do pretty much anything it wanted to, assuming I understand its implications correctly.

> I understand you can call system services that have root access, and provide bad data in those calls that will cause buffer overflows, maybe even a machine crash, but how does a buffer overflow allow root access? I know there is a deep technical explanation for this, but I'm hoping someone can explain it in simple terms, or maybe point me to a good article or book chapter.

The usual way this happens is that you have a daemon running as root. Somewhere there's data being read, and past the end of the data is a pointer saying where the function should go when it returns. So a typical buffer overflow attack knows where it expects to be in memory, and overwrites a fixed-length buffer with more than the expected amount of data, rewriting the return pointer to point to some code that also lives on the stack; when the read_input() function returns, instead of returning to its normal caller, it returns to the attack code, which is now running as root.

(But note that this is different from the exploit used to gain root on the Debian servers; there are multiple sorts of vulnerabilities and therefore multiple exploits.)

-- 
David Maze [EMAIL PROTECTED] http://www.mit.edu/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal." -- Abra Mitchell
Re: Debian Investigation Report after Server Compromises
Dr. MacQuigg writes:

> What is a sniffed password

A password gotten by reading each character as it is typed on the keyboard or by intercepting an unencrypted transmission. In this case it was the former.

> ...and how do they know the attacker used a password that was sniffed, rather than just stolen out of someone's notebook?

They know whose password it was and that his machine was rooted.

> Was the breakin done remotely, or by someone with physical access to the machine or network?

A developer's machine was rooted remotely, his password was sniffed by reading the keyboard, and the password was used to log into the Debian machines remotely.

> Are the remote logins to Debian servers unencrypted?

No. They are encrypted using ssh. However, the attacker had a valid password and username so that didn't help.

> How does an attacker with a user-level password gain root access?

In this case by exploiting a bug in sbrk(). The kernel developers knew about the bug but did not believe it to be exploitable. They were wrong.

> ...how does a buffer overflow allow root access?

In some cases, by allowing you to overwrite a return address on the stack of a suid program with the address of your code. This exploit is rather more subtle than that, evidently.

-- 
John Hasler [EMAIL PROTECTED] (John Hasler)
Dancing Horse Hill
Elmwood, WI
Re: Debian Investigation Report after Server Compromises
On Wed, 03 Dec 2003 10:33:34 -0700, Dr. MacQuigg wrote:

> After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions:
>
> 1) What is a sniffed password, and how do they know the attacker used a password that was sniffed, rather than just stolen out of someone's notebook?
>
> 2) Was the breakin done remotely, or by someone with physical access to the machine or network? I thought that sniffing required physical access to a network over which unencrypted data was being transferred. Are the remote logins to Debian servers unencrypted?
>
> 3) How does an attacker with a user-level password gain root access? I understand you can call system services that have root access, and provide bad data in those calls that will cause buffer overflows, maybe even a machine crash, but how does a buffer overflow allow root access? I know there is a deep technical explanation for this, but I'm hoping someone can explain it in simple terms, or maybe point me to a good article or book chapter.
>
> -- 
> Dave

With regard to your question 3, a buffer overflow exploit is always a stack exploit and is designed to execute arbitrary code with the called program's privilege.

The way it works: you call a privileged service/program/function, and you pass it a (precisely designed) parameter which is bigger than it's expecting. The parameter is put on the stack; then, when returning (because the parameter is bigger than the max size it was expecting) it will use the beginning of your big parameter as its return address.

For example: Suppose the parameter has a max size of 512 bytes. You construct a parameter 516 bytes long, the first 4 bytes of which are a branch to the beginning of the other 512 bytes. Those 512 bytes contain the code to execute a shell, for example, (with, of course, root privilege).

There's a bit more to it than that, but that's it in (poorly explained) principle. If I didn't get it quite right, no doubt those in here smarter than me will fix it.

-- 
paul

I think that gay marriage is something that should be between a man and a woman.
-- Arnold Schwarzenegger, Governor of California
Re: Debian Investigation Report after Server Compromises
On Wed, 03 Dec 2003 at 22:36 GMT, Alex Malinovich penned:

> On Wed, 2003-12-03 at 11:33, Dr. MacQuigg wrote:
>
> > After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions:
> >
> > 1) What is a sniffed password, and how do they know the attacker used a password that was sniffed, rather than just stolen out of someone's notebook?
>
> (NOTE: I am by no means an expert on any of this, so don't take this as a definitive answer on the subjects.)
>
> I'm not sure of the specifics of how the attacker obtained the passwords, but you can sniff a password both over a network connection as well as locally. For example, using a keystroke logger, you could get the password as a user was typing it in.

I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um ...

The sniffing part of this exploit has been left unexplained thus far. Maybe that's because the mechanism is obvious to the initiated ... but it's not obvious to me.

-- 
monique
Re: Debian Investigation Report after Server Compromises
On Wed, Dec 03, 2003 at 01:58:11PM -0800, Vineet Kumar wrote:

> Sidestepping lawsuits from a million angry customers isn't really a win.

You're right. Which is why I really wish Bugtraq didn't wait around before publishing their findings. Customers have a right to know what they got screwed into buying.

> If their customers can hear about a problem only when it's been fixed, it makes Microsoft look like the good guys: "Hey, by the way, we fixed this problem you didn't even know about." If there's an exploit in the wild before a fix is available, the PHBs hear it on the local news first, which is not good.
>
> It's not about lawsuits, it's just simple business sense -- you have to keep your customers happy.

Why not get it mostly right the first time? This is the first compromise of debian.org I've heard about, which says something.

-- 
 .''`.     Paul Johnson [EMAIL PROTECTED]
: :'  :
`. `'`     proud Debian admin and user
  `-       Debian - when you have better things to do than fix a system
fun - Re: Debian Investigation Report after Server Compromises
On Wed, 3 Dec 2003, Robert L. Harris wrote:

> Your argument sounds like my 6yr old doing a "I want it now, I don't care what your reasons are" soon followed by a temper tantrum.

that's normal for the grown-ups too .. just a different form of temper tantrum and usually a shorter fuse than the 6yr olds that are very patient ... even if they want it now.. cause you can make a reasonable deal with um ( just keep your promises ?? )

> Thus spake Paul Johnson ([EMAIL PROTECTED]):
> ..
> > Why should we cater to people who can't be bothered to help themselves? Leaving readily compromisable systems out there does the net a disservice.

those that don't bother usually get whacked on the side of the head by the script kiddies .. sooner or later ..
- nothing we can do to tell them to fix it before it's too late

and even if you/we do bother, one usually whacks oneself on the side of the head too for screwing up things that were working and then fixing it and the original task to getting things tighter than it was
- at least one learns better what not to do next time

c ya
alvin
Re: Debian Investigation Report after Server Compromises
* Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]:

> I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um ...

Almost there -- minus the assumption that one needs physical access to a machine to install a keystroke logger. At the risk of perpetuating the telephone game, I recall reading that the developer's machine had been rooted. I didn't hear how, but I don't really see how it matters. I picture an always-on machine in someone's home on a DSL or cable line. So how did it get rooted? Shit happens. Once you've got root, getting a keystroke logger in place is trivial. Once you've got that, it doesn't matter what encryption is used on the network wire -- it was 0wnz3d when it left the fingers.

I'm considering keeping my private keys (ssh, gpg, etc) on removable storage, maybe one of those USB keys (then my keys could actually go on my keyring...). It's certainly not foolproof, but at least a sniffed passphrase could only be used against me when the key is inserted, which at least slightly reduces the possibility of a private key being compromised.

BTW, Monique, your UA seems to have really screwed up on the message you replied to. Is it not MIME-aware? The reply had a quoted MIME header in it, along with a lot of non-decoded QP equals signs littered about it.

good times,
Vineet

-- 
http://www.doorstop.net/
-- 
#include <stdio.h>
int main() { puts("Reader! Think not that \n technical information \n ought not be called speech;"); return 0; }
buffer-overflow pic - Re: Debian Investigation Report after Server Compromises
On Wed, 3 Dec 2003, John Hasler wrote:

good thread john :-)

> > How does an attacker with a user-level password gain root access?
>
> In this case by exploiting a bug in sbrk(). The kernel developers knew about the bug but did not believe it to be exploitable. They were wrong.
>
> > ...how does a buffer overflow allow root access?
>
> In some cases, by allowing you to overwrite a return address on the stack of a suid program with the address of your code. This exploit is rather more subtle than that, evidently.

nice pretty pic of buffer overflow
http://www.Linux-Sec.net/Kernel/

c ya
alvin
Re: Debian Investigation Report after Server Compromises
On Wed, 03 Dec 2003 at 23:05 GMT, Monique Y. Herman penned:

> I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um ...
>
> The sniffing part of this exploit has been left unexplained thus far. Maybe that's because the mechanism is obvious to the initiated ... but it's not obvious to me.

After reading a few more responses, I realize that of course a debian developer's machine could get compromised. I guess I just thought they were infallible *grin*

Now, the real question is, what exploit was used to get onto that dev's machine in the first place?

-- 
monique
kernel config -- Re: Debian Investigation Report after Server Compromises
hi ya benedict

On Wed, 3 Dec 2003, Benedict Verheyen wrote:

> I'm one of those who's got all his systems on safe kernels, even if this means I don't have full use. NICs on one box aren't supported by 2.4.18, and building 2.4.23 is turning into a bitch. Is there a page anywhere (if not, there should be one) or info on what type of patches are added to a debianized kernel and where to find them.

i think you can do the following to see what your kernel does

    uname -a
        - lets say it says 2.4.22-foo

to get a list of modules it supports

    ls -la /lib/modules/2.4.22-foo

to get a list of options built into the kernel

    cd /usr/local/src
    wget kernel.org/.2.4.22.tar.gz
    tar zxvfp 2.4.22.tar.gz
    cd linux-2.4.22                 ( virgin kernel from kernel.org )
    make xconfig                    - save its default .. do NOT change anything
    mv .config .config.defaults
    make oldconfig                  - should create a .conf of your kernel
    diff .config .config.defaults   - to see the differences

- don't know if that still works.. haven't tried it in years..
- it's 100x easier/faster to make your own kernel than to figure out what they did to it

> 1. Either this info just isn't there because you don't need cramfs for an initrd

initrd is NOT needed ..
- not needed if all the options are built into the kernel
- not needed if your / is under the 1024 cyl boundary

initrd is used primarily to boot your system, when the kernel you're trying to use doesn't have all the options defined ( you can't read the scsi disk till you have a kernel to read the kernel off the scsi disk .. the typical catch-22 problem )
- build the scsi drivers into your custom kernel and boot it and that problem goes away

c ya
alvin
Re: Debian Investigation Report after Server Compromises
Vineet Kumar [EMAIL PROTECTED] writes:

> BTW, Monique, your UA seems to have really screwed up on the message you replied to. Is it not MIME-aware? The reply had a quoted MIME header in it, along with a lot of non-decoded QP equals signs littered about it.

I think she posts through the gmane usenet gateway. So her news reader might not be completely MIME-aware or the news-mail transition fudges things up.

Bijan

-- 
Bijan Soleymani [EMAIL PROTECTED]
http://www.crasseux.com
Re: Debian Investigation Report after Server Compromises
On Wed, Dec 03, 2003 at 05:52:30PM -0800, Vineet Kumar wrote:

> I'm considering keeping my private keys (ssh, gpg, etc) on removable storage, maybe one of those USB keys (then my keys could actually go on my keyring...). It's certainly not foolproof, but at least a sniffed passphrase could only be used against me when the key is inserted, which at least slightly reduces the possibility of a private key being compromised.

If the system is rooted, it would be trivial to write a replacement for ssh (GPG, etc.) that copies your private keys onto the hard drive for later retrieval. Definition of trivial is: I, a bad programmer, could do it.

-- 
Carl Fink [EMAIL PROTECTED]
Jabootu's Minister of Proofreading
http://www.jabootu.com
keys - Re: Debian Investigation Report after Server Compromises
On Wed, 3 Dec 2003, Carl Fink wrote:

> If the system is rooted, it would be trivial to write a replacement for ssh (GPG, etc.) that copies your private keys onto the hard drive for later retrieval. Definition of trivial is: I, a bad programmer, could do it.

why copy and get it later ?? why not have the rootkit you modified do the equivalent of:

    for each file... mail -s "hacked box" [EMAIL PROTECTED] /etc/ssh/*

- my understanding ... dunno if it's right or not ..
  if i copy /etc/ssh/host_keys to my laptop, when i log into the debian host box ( example ) that host will think my laptop is the debian dev box since i could be on my laptop with the same host keys
- in which case, don't lose control of your host files or you're s.o.l.
- i find it hard to believe it's that simple .. ( i haven't tried it though .. to spoof another machine )

- i never did understand why people wanna run rootkits once they got in ... ( all it does is trip the various network/host ids )
- leaving the fs intact, as it was, before you got in will go un-noticed ... but then again, you can't do much either .. but then again, there are plenty of fun things one can do secretly.. w/o tripping the ids

- and the problem is if they are sniffing keystrokes... oh well.. all bets are off for security .. there is none ..
- even mouse clicks won't help

- best place to start..
- assume they have the root passwd ... now figure out how to cover yourself ( ie.. protect your data )

c ya
alvin
Re: Debian Investigation Report after Server Compromises
On Thu, 04 Dec 2003 at 01:52 GMT, Vineet Kumar penned:

> BTW, Monique, your UA seems to have really screwed up on the message you replied to. Is it not MIME-aware? The reply had a quoted MIME header in it, along with a lot of non-decoded QP equals signs littered about it.

http://sourceforge.net/mailarchive/forum.php?thread_id=3341646&forum_id=4003

I read debian-user through the gmane mirror, and slrn doesn't support multi-part mime, at least not yet. I'm not really sure what multi-part mime is, so I haven't made much progress in dealing with it.

-- 
monique
Fwd: Debian Investigation Report after Server Compromises
Hi folks,

I think this topic will interest you, so I'm forwarding the text of the message here, with a summary in our mother tongue of the points that caught my attention as a simple user.

- They say that the administration team and the security experts have finally described the detection, and the follow-up and verification work, arising from the security problem we had on the Debian servers.

- In the Timeline we see the follow-up process: the detection of the attack and the procedure followed. Comment: it is to be expected that, apart from the kernel update, other changes will appear (especially in how patches for such important issues are applied).

I also think it would be important to know how to go about making sure that our own systems have not been attacked with a more polished, or more successful, method, so to speak. If any of you can shed light on this I'd be grateful.

,--- Forwarded message (begin)
Subject: Debian Investigation Report after Server Compromises
From: Martin Schulze [EMAIL PROTECTED]
Date: Tue, 02 Dec 2003 16:30:10 +0100
Newsgroup: linux.debian.announce

The Debian Project                                  http://www.debian.org/
Debian Investigation Report                         [EMAIL PROTECTED]
December 2nd, 2003

Debian Investigation Report after Server Compromises

The Debian administration team and security experts are finally able to pinpoint the method used to break into four project machines. However, the person who did this has not yet been uncovered.

The package archives were not altered by the intruder. The Debian administration and security teams have checked these archives (security, us, non-us) quite early on in the investigation and re-installation process. That's why the project was able to open up the security archive again and confirm that the stable update (3.0r2) wasn't compromised. If the project had anticipated getting compromised at the same time the stable update was implemented, the involved people would have postponed it. However, the updated packages were already installed in the stable archive and mirror servers at the time the break-ins were discovered, so it wasn't possible to hold them back anymore.

Several methods based on different control data were used to verify the packages and to ensure that the archives weren't altered by the attacker:

 . externally stored lists of MD5 sums accumulated over the past weeks on machines that were not compromised
 . digitally signed .changes files from external debian-devel-changes archives on machines that were not compromised
 . digitally signed .changes files on the respective archive servers
 . externally stored mirror log files

Timeline

Below is the timeline of discovery and recovery of the compromised machines. All times are in UTC. Some times are only estimates since our conversation did not contain exact timestamps.

Sep 28 01:33  Linus Torvalds releases 2.6.0-test6 with do_brk() fix
Oct 02 05:18  Marcelo Tosatti applies do_brk() boundary check
Nov 19 17:00  Attacker logs into klecker with sniffed password
Nov 19 17:08  Root-kit installed on klecker
Nov 19 17:20  Attacker logs into master with same sniffed password
Nov 19 17:47  Root-kit installed on master
Nov 19 18:30  Attacker logs into murphy with service account from master
Nov 19 18:35  Root-kit installed on murphy
Nov 19 19:25  Oopses on murphy start
Nov 20 05:38  Oopses on master start
Nov 20 20:00  Discovery of Oopses on master and murphy
Nov 20 20:54  Root-kit installed on gluck
Nov 20 22:00  Confirmation that debian.org was compromised
Nov 21 00:00  Deactivation of all accounts
Nov 21 00:34  Shut down security.debian.org
Nov 21 04:00  Shut down gluck (www, cvs, people, ddtp)
Nov 21 08:30  Point www.debian.org to www.de.debian.org
Nov 21 10:45  Public announcement
Nov 21 16:47  Developer information updated
Nov 21 17:10  Shut down murphy (lists)
Nov 22 02:41  security.debian.org is back online
Nov 25 07:40  lists.debian.org is back online
Nov 28 22:39  Linux 2.4.23 released

Discovery

On the evening (GMT) of Thursday, November 20th, the admin team noticed several kernel oopses on master. Since that system had been running without problems for a long time, the system was about to be taken into maintenance for deeper investigation of potential hardware problems. However, at the same time, a second machine, murphy, was experiencing exactly the same problems, which made the admins suspicious. Also, klecker, murphy and gluck have Advanced Intrusion Detection Environment (package aide) installed to monitor filesystem changes, and at around the same time it started warning that /sbin/init had
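The archive checks listed in the forwarded report (externally stored md5sum lists, and the Files: stanza of signed .changes files), as an added Python example with constructed sample data; this is not Debian's own tooling, the package names and payloads are made up, and checking the .changes signature itself (gpg --verify) is assumed to have happened before its contents are trusted.

```python
"""Compare an archive's files against two independent control sources: an
md5sum(1) list recorded earlier on an uncompromised machine, and the Files:
stanza of a .changes file. Constructed sample data; added example."""
import hashlib
import re


def parse_md5sum_list(text):
    """Parse md5sum(1) output ('<hex>  <path>' per line) into {path: hex}."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{32})\s+\*?(\S.*)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1)
    return sums


def parse_changes_files(text):
    """Extract {filename: md5} from the Files: stanza of a .changes file.
    Each continuation line is '<md5> <size> <section> <priority> <name>'."""
    files, in_files = {}, False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):
            parts = line.split()
            if len(parts) == 5:
                files[parts[4]] = parts[0]
        elif in_files:
            break  # the stanza ends at the first non-continuation line
    return files


def verify(expected, archive):
    """expected: {name: md5}; archive: {name: bytes} as found on disk.
    Returns sorted (modified, missing, unexpected). 'unexpected' matters:
    a file the baseline never saw could be a package the intruder added."""
    actual = {n: hashlib.md5(b).hexdigest() for n, b in archive.items()}
    modified = sorted(n for n, h in expected.items() if n in actual and actual[n] != h)
    missing = sorted(n for n in expected if n not in actual)
    unexpected = sorted(n for n in actual if n not in expected)
    return modified, missing, unexpected


# Constructed sample: what an uncompromised machine recorded before the break-in...
PRISTINE = {"foo_1.0-1_i386.deb": b"foo payload", "bar_2.0-1_i386.deb": b"bar payload"}
BASELINE = "\n".join(f"{hashlib.md5(d).hexdigest()}  {n}" for n, d in PRISTINE.items())
CHANGES = ("Format: 1.7\nSource: foo\nFiles:\n %s 11 misc optional foo_1.0-1_i386.deb\n"
           "Changed-By: constructed example\n" % hashlib.md5(PRISTINE["foo_1.0-1_i386.deb"]).hexdigest())
# ...and the archive as found afterwards: bar altered, an extra .deb present.
FOUND = {**PRISTINE, "bar_2.0-1_i386.deb": b"bar payload+rootkit", "x_0.1_i386.deb": b"?"}


def check_against_md5sums():
    return verify(parse_md5sum_list(BASELINE), FOUND)


def check_against_changes():
    expected = parse_changes_files(CHANGES)  # a .changes only vouches for the files it lists
    return verify(expected, {n: FOUND[n] for n in expected if n in FOUND})
```

Running check_against_md5sums() flags bar as modified and x as unexpected; check_against_changes() returns three empty lists because foo matches the .changes record.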
Debian Investigation Report after Server Compromises
http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian

--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Re: Debian Investigation Report after Server Compromises
Shoulda Been:
http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html

What a wanker I am. No, Peter, no comment needed.

On Tue, 2003-12-02 at 11:08, Greg Folkert wrote:
> http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian

--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Re: Debian Investigation Report after Server Compromises
On Tue, Dec 02, 2003 at 11:08:57AM -0500, Greg Folkert wrote:
> http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian

That's a killer incident report. I'm satisfied. Couldn't help thinking about horses and barn doors though. I expect we'll see the what next next :-)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Debian Investigation Report after Server Compromises
On Tue, 02 Dec 2003 11:08:57 -0500, Greg Folkert [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]:
> http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian

..he meant: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
Re: Debian Investigation Report after Server Compromises
On Tue, 2003-12-02 at 11:31, Greg Folkert wrote:
> Shoulda Been:
> http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html
>
> What a wanker I am. No, Peter, no comment needed.
>
> On Tue, 2003-12-02 at 11:08, Greg Folkert wrote:
> > http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian

Thanks for the link. It certainly makes for interesting reading. Though I am somewhat concerned about the following bit from the message:

    Please understand that we cannot give away the used exploit to random people who we don't know. So please don't ask us about it.

I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?

--
Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the pgp.net keyservers. Key ID: A6D24837
Re: Debian Investigation Report after Server Compromises
Greg Folkert wrote:
> Shoulda Been:
> http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html
>
> What a wanker I am. No, Peter, no comment needed.
>
> On Tue, 2003-12-02 at 11:08, Greg Folkert wrote:
> > http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian

:-D Who? Me?

--
[EMAIL PROTECTED]
The IWETHEY project: http://www.iwethey.org
Collaborative Media Foundation: http://collaborativemedia.org
RE: Debian Investigation Report after Server Compromises
[snipped]

> Though I am somewhat concerned about the following bit from the message:
>
>     Please understand that we cannot give away the used exploit to random people who we don't know. So please don't ask us about it.
>
> I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?

I agree. I support and recommend Debian to my peers and clients on the basis that Debian is a stable and secure distribution. Therefore when something (such as this) happens I want to have full disclosure so I can confidently deploy Debian on our network.

Preston
Re: Debian Investigation Report after Server Compromises
On Tue, 2003-12-02 at 14:12, Alex Malinovich wrote:
> On Tue, 2003-12-02 at 11:31, Greg Folkert wrote:
> > Shoulda Been:
> > http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html
> >
> > What a wanker I am. No, Peter, no comment needed.
> >
> > On Tue, 2003-12-02 at 11:08, Greg Folkert wrote:
> > > http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian
>
> Thanks for the link. It certainly makes for interesting reading. Though I am somewhat concerned about the following bit from the message:
>
>     Please understand that we cannot give away the used exploit to random people who we don't know. So please don't ask us about it.
>
> I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?

DMCA. Nuff said.

It is not fixed widespread. So there are a TON of exploitable machines out there. So, best keep quiet so the script kiddies don't bollocks up the world. As we all know most of these REAL attacks are by the people that never get caught. Script kiddies are me-too cruft. No need to make it easier.

But, the prereq is a local account. So it isn't as bad as it could be.

--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Re: Debian Investigation Report after Server Compromises
On Tue, 2003-12-02 at 19:12, Alex Malinovich wrote:
> I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?

Because there will be lots of people who haven't yet had the chance to upgrade. They won't thank us for making an exploit available to every would-be cracker.

--
Oliver Elphick    [EMAIL PROTECTED]
Isle of Wight, UK    http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C

For the mountains shall depart, and the hills be removed; but my kindness shall not depart from thee, neither shall the covenant of my peace be removed, saith the LORD that hath mercy on thee. Isaiah 54:10
Re: Debian Investigation Report after Server Compromises
On Tue, 02 Dec 2003 13:12:40 -0600, Alex Malinovich wrote:
> On Tue, 2003-12-02 at 11:31, Greg Folkert wrote:
> > Shoulda Been:
> > http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html
> >
> > What a wanker I am. No, Peter, no comment needed.
> >
> > On Tue, 2003-12-02 at 11:08, Greg Folkert wrote:
> > > http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian
>
> Thanks for the link. It certainly makes for interesting reading. Though I am somewhat concerned about the following bit from the message:
>
>     Please understand that we cannot give away the used exploit to random people who we don't know. So please don't ask us about it.
>
> I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?

There is always a conflict between security and openness. MS's approach has always been not to say anything until a fix has been propagated; they are often criticized for that, but I'm sure they'd be deluged in lawsuits from compromised system owners if they advertised the exploit to bad guys before they had a fix.

In this case, the exploit is still an issue for those who have not yet applied a fix. So to publish the exploit code itself is to expose many debian systems to needless risk.

Well, that's the way I see it, anyway.

--
paul

Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know.
- Donald Rumsfeld, US Secretary of Defense, Winner of British Plain English Campaign's 2003 Foot in Mouth award.
Re: Debian Investigation Report after Server Compromises
On Tue, Dec 02, 2003 at 01:12:40PM -0600, Alex Malinovich wrote:
| Thanks for the link. It certainly makes for interesting reading. Though
| I am somewhat concerned about the following bit from the message:
|
|     Please understand that we cannot give away the used exploit to random
|     people who we don't know. So please don't ask us about it.

Huh, I missed this when reading the announcements. Anyways, I thought they _did_ announce the exploit. Well, ok, they didn't give out a script-kiddie to automate it, but they told right where the problem is and it doesn't take a genius to figure out the details. (In fact, I read a web page once that explained the details of how buffer overflows on the C stack can be exploited. Very interesting.)

| I'm afraid I'm part of the group that just doesn't understand. This
| snippet reeks of security through obscurity for me. If the hole has been
| identified and, presumably, fixed, why not tell people about it?

The only thing I have to add, apart from noting above that the exploit was divulged, is the other respondents have said it isn't fixed and that perspective seems to fit with what you would expect.

-D

--
Pride goes before destruction, a haughty spirit before a fall. Proverbs 16:18

www: http://dman13.dyndns.org/~dman/
jabber: [EMAIL PROTECTED]
RE: Debian Investigation Report after Server Compromises
On Tue, 02 Dec 2003 15:01:48 -0600, Preston Boyington wrote:
> I agree. I support and recommend Debian to my peers and clients on the basis that Debian is a stable and secure distribution. Therefore when something (such as this) happens I want to have full disclosure so I can confidently deploy Debian on our network.
>
> Preston

It would be a lot less stable and secure if debian started publishing exploits. The announcement explains quite clearly what happened and how to protect your system. How would debian publishing the exploit code to the world make your system more secure? What specifically would you do with it which you can't do with the information you already have?

Please don't post HTML.

--
paul

Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know.
- Donald Rumsfeld, US Secretary of Defense, Winner of British Plain English Campaign's 2003 Foot in Mouth award.
Re: Debian Investigation Report after Server Compromises
dman writes:
> The only thing I have to add, apart from noting above that the exploit was divulged...

The _bug_ was divulged. The exploit is so difficult that the kernel hackers didn't think the bug was exploitable.

--
John Hasler
[EMAIL PROTECTED] (John Hasler)
Dancing Horse Hill
Elmwood, WI
Re: Debian Investigation Report after Server Compromises
John Hasler wrote:
> dman writes:
> > The only thing I have to add, apart from noting above that the exploit was divulged...
>
> The _bug_ was divulged. The exploit is so difficult that the kernel hackers didn't think the bug was exploitable.

There would seem to be a misnomer: script-kiddies can come up with an exploit like this and still be kiddies?

Hugo.
Re: Debian Investigation Report after Server Compromises
Hugo writes:
> There would seem to be a misnomer: script-kiddies can come up with an exploit like this and still be kiddies?

Script-kiddies don't come up with anything. Crackers come up with exploits and give them to the kiddies to play with.

--
John Hasler
[EMAIL PROTECTED] (John Hasler)
Dancing Horse Hill
Elmwood, WI
Re: Debian Investigation Report after Server Compromises
On Tue, Dec 02, 2003, at 15:01 -0600, Preston Boyington wrote:
> > Though I am somewhat concerned about the following bit from the message:
> >
> >     Please understand that we cannot give away the used exploit to random people who we don't know. So please don't ask us about it.
> >
> > I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it?
>
> I agree. I support and recommend Debian to my peers and clients on the basis that Debian is a stable and secure distribution. Therefore when something (such as this) happens I want to have full disclosure so I can confidently deploy Debian on our network.

Why would your clients be interested in step-by-step details on how to accomplish this? You know it was done by a C integer overflow in the brk() call. And you now know that it was fixed, what Debian has done, a timeline of events and details on the forensics analysis. What else do you want? And why?

It's not in anyone's interest, for the sake of security and time, to document a step-by-step set of instructions. If you *really* wanted to know, read the kernel-hackers mailing list.

--
scott c. linnenbringer | [EMAIL PROTECTED]
http://www.panix.com/~sl | [EMAIL PROTECTED]