I've since discovered

Story: Interview with the Vista Pwn2Own contest winners
Total Replies: 24
tracyanne

Apr 03, 2008
11:17 PM EDT
that they didn't gain root access.
tuxchick

Apr 04, 2008
10:26 AM EDT
Not sure if this contest proves anything, but if it means that all three operating systems are getting more secure, that is a good thing.
dinotrac

Apr 04, 2008
11:46 AM EDT
Amen to that.
hkwint

Apr 06, 2008
8:29 AM EDT
So those hackers would hack Linux via a closed-software binary blob... Please anyone, don't tell RMS!
techiem2

Apr 06, 2008
9:35 AM EDT
Quoting: So those hackers would hack Linux via a closed-software binary blob
That seems to be the most likely place. At least that seems to be how the contest turned out. Mac through a 0day in Safari, Vista through a 0day in Flash. Sensing a pattern here? hehe.
Sander_Marechal

Apr 06, 2008
10:22 AM EDT
Flash on Linux probably was vulnerable. But I wonder, could they have gained root? Exploiting flash only gives you local user rights.
tracyanne

Apr 06, 2008
12:37 PM EDT
Sander, they only gained current user access on the Mac and on the Vista machines, and according to the rules that's all they had to do.
Sander_Marechal

Apr 06, 2008
1:11 PM EDT
True, but gain user privileges on a Windows box and you own the box. Gain user privileges on a *nix box and you own a bunch of mp3 files and a couple of spreadsheets :-)
tracyanne

Apr 06, 2008
1:29 PM EDT
That would be at the core of my confusion when I was discussing this on the ZDNet site where those blokes were interviewed. I couldn't see how gaining user access on the Linux box (or indeed the Windows box) gained them anything, but of course, gaining user access gained them a lot on the Windows box. I was using Linux thinking, and in response they were using Windows thinking.
tuxchick

Apr 06, 2008
2:40 PM EDT
Think about it- cracking any user account on a Linux box opens the door to all kinds of mischief. A successful intruder can do everything that user can do. If it's a human user then their data are at risk, and the cracker can use them for spamming, filesharing, and whatever else their nasty little minds come up with. If it's a user attached to a service, then whatever that user has access to, such as database or webserver files, are open to the intruder. Modern sploitz don't need root to do a lot of damage.
Sander_Marechal

Apr 06, 2008
4:24 PM EDT
Quoting: Modern sploitz don't need root to do a lot of damage.

No, but they need root access to hide. If they're not hidden then they're caught pretty quickly by any half-decent admin.
tracyanne

Apr 06, 2008
4:44 PM EDT
Or a half-decently prepared user, and on a nix system they are so easy to stop and remove.
azerthoth

Apr 06, 2008
6:33 PM EDT
And Ubuntu is particularly weak in the security department, with no set root password and all access done via sudo in a default installation.
tuxchick

Apr 06, 2008
6:57 PM EDT
Half decently prepared users and admins? Easy? Your faith is touching, young grasshoppers. Seriously, how would you know if you've been successfully cracked? Modern exploits rely on stealth- they don't want to call attention to themselves. Are you running intrusion detection systems? Memorizing file hashes? How would you even know?
tracyanne

Apr 06, 2008
7:41 PM EDT
Well TC, there are no executables in my home directory, so unless they have root access, which patently they didn't get on either the Mac or the Windows machine, and which would be more difficult on Linux (or at least has in practice been shown to be), there is actually no means by which they can stealth anything. Now there is one means, on my system, by which they can auto execute a script on startup, but I check that regularly, and it is pretty easy to remove.

If they have root, then everything above goes out the window.
Sander_Marechal

Apr 06, 2008
8:59 PM EDT
Quoting: Seriously, how would you know if you've been successfully cracked? Modern exploits rely on stealth- they don't want to call attention to themselves. Are you running intrusion detection systems?

Of course I run an intrusion detection system. Plus, like tracyanne, there are no executables in my home directories, and without root access it's impossible to hide something on my systems. It's simply a matter of knowing what's going on in your system.

With *nix it's entirely possible to know exactly what's going on inside your system and that makes it easy to catch malware running at user level privileges. This is a lot harder on Windows.
tuxchick

Apr 06, 2008
9:05 PM EDT
Well sander and tracyanne, it's not quite that simple. Maybe your setup is different, but human users have all kinds of executables at their service- email, ftp, all kinds of client software, and other stuff I'm too lazy to think of now, and as azerthoth pointed out, the all-powerful sudo hole on Ubuntu. Which is a biggie. Plus most user accounts have read access to all kinds of configuration and other files. In addition, any service running under its own user (apache usually has the apache user, php and databases and other bits of LAMP stacks each have their own users, and so forth) has its own vulnerabilities. Crack any user, and you have all the powers that user has. (AppArmor and SELinux try to close those holes by strictly limiting services to just the minimum they need to do their jobs, and no more. Which defangs the power of root exploits, because then root is no longer all-powerful.)

In addition, what's the point of using a PC? One word: data. So when a human user account is compromised and their data stolen, or a database user that controls all kinds of data, that's a serious loss. More serious than compromising system files, which can easily be replaced.

The article is kind of dim, IMO, since the guys being interviewed were more smart-alecky than informative. Other articles on the contest said that most contestants did a lot of advance homework, and chose to attack the systems they felt they had the best chance of cracking. It's just one contest, but I think it's fairly representative- the winners went with the weakest systems. The ones with the closed code, teehee.

Anyway if there's one point that's really important, it's that root access isn't essential for a successful crack, and plenty of damage occurs by compromising non-root accounts.
Sander_Marechal

Apr 06, 2008
10:25 PM EDT
@TC: I'm not saying that a compromised user account on a *nix machine can't do any damage. I'm just saying that the damage will be much shorter lived because the malware can't hide. Of course a user has all kinds of executables at their disposal. It just can't add any new ones outside the user's home directory, where it's easily locatable. And if you are a tad paranoid and mount /home with a noexec flag then it becomes even harder (you could still put a PHP or Python file in the user's home dir and execute that).

The problem with Windows malware is that it takes a long time for someone to find out they've been compromised. Early detection and removal of malware keeps it from spreading too far. It's not about the amount of damage to a single user. It's about the amount of damage to the people that single user comes in contact with.
herzeleid

Apr 06, 2008
10:35 PM EDT
> the all-powerful sudo hole on Ubuntu.

OK, I'll bite - what is this "all powerful sudo hole on ubuntu", and how is that different from the sudo that ships with every linux distro? Or the all powerful root account that the non-ubuntu distros ship with?

Inquiring minds want to know!
gus3

Apr 06, 2008
10:44 PM EDT
@herzeleid:

"sudo" on Ubuntu is configured to accomplish admin tasks with minimal hassle. If you can't do it as your unprivileged self, just prefix it with "sudo" and it'll happen.

On most other distributions, "sudo" is configured by default to do few things, if any. On my Slackware and Slamd64 systems, /etc/sudoers contains nothing but comments, meaning "sudo" has precisely zero damage capacity (and I'll get an email if anyone tries anything funny).
Sander_Marechal

Apr 06, 2008
10:46 PM EDT
On Ubuntu, sudo requires you to give the password for the user account. On most other systems, sudo asks for the root password.

If a user account is compromised then you can execute `passwd` and set the user account password to something you know. On Ubuntu you can then use it to execute things with root privileges. That's not possible on most other systems.
gus3

Apr 06, 2008
11:34 PM EDT
@Sander:

No, the whole point of "sudo" is so that users don't need to know the root password. They provide their own password (to authenticate themselves as themselves) to do things with elevated privileges. It is very fine-grained control of root permissions, even to the point of allowing commands only with certain parameters to certain users. E.g. allowing the night-shift operator to run "e2fsck -n" but not "e2fsck -y" while the sysadmin drives to the office, so at least some diagnostic can be ready when he/she arrives.

The problem with Ubuntu is that it takes only slightly more work than Vista to get elevated privs:

Vista: "Are you sure about that? Click Yes or No."

Ubuntu: "Your password will let you do that. Please type it in."

OTOH, try that on any of my computers and I'll be calling your ISP soon.
Sander_Marechal

Apr 07, 2008
12:11 AM EDT
@gus: Point taken, but my main concern is that a user password isn't safe. If you find an exploit to run code under local user privileges then you can get a working password. Executing system administration tasks with a user account password is a big no-no on all my systems.

Is it possible to set a separate sudo password? That would alleviate the problem that running `passwd` gives you a password that can execute system administration tasks and still not disclose the root password to users.
gus3

Apr 07, 2008
12:35 AM EDT
Not sure about a separate "sudo" password, but generally "sudo" is configured to run only those things that are explicitly permitted (whitelist policy). It is also possible to deny "passwd" to all "sudo" users.

"man sudoers" for more info.
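A sudoers fragment, added here as an illustration (not from any poster and not from any Ubuntu release), that puts the blanket admin-group rule the thread objects to beside gus3's whitelist and deny-passwd approach, and shows the sudoers(5) option that addresses Sander's question about a separate sudo password. The group name admin, the user nightops and the device /dev/sda1 are assumed; the alternatives are shown in one file for comparison.

```sudoers
# Added illustration for this thread; not copied from Ubuntu or from any poster.
# Assumed names: group "admin", user "nightops", device /dev/sda1.

# 1. The blanket rule discussed in the thread. Any admin member runs anything as
#    root after typing their own login password, so that password is worth as
#    much as root's. Shown commented out; the rules further down replace it.
# %admin ALL=(ALL) ALL

# 2. A "separate sudo password": the rootpw option in sudoers(5) makes sudo
#    prompt for root's password instead of the invoking user's, so the user's own
#    password alone grants nothing. Caveat: root must actually have a password,
#    which a stock Ubuntu install (locked root account) does not set.
Defaults rootpw

# 3. gus3's whitelist: nightops may run only the read-only filesystem check on
#    one device. Arguments are matched literally, so "e2fsck -y /dev/sda1" is
#    refused. Avoid a trailing "*" here; a glob on the argument list would also
#    match extra options the operator was never meant to pass.
Cmnd_Alias FSCHECK = /sbin/e2fsck -n /dev/sda1
nightops ALL=(root) FSCHECK

# 4. Broad rights for admin, but passwd refused, as gus3 says is possible.
#    sudoers(5) itself warns that "!" exclusions are a weak control: the user
#    can copy the binary under another name. Prefer the style of rule 3.
Cmnd_Alias PASSWD = /usr/bin/passwd
%admin ALL=(ALL) ALL, !PASSWD

# 5. gus3's "email if anyone tries anything funny": mail root about attempts by
#    permitted users to run unlisted commands, and about wrong passwords.
Defaults mail_no_perms, mail_badpass, mailto="root"
```

Check a file like this with `visudo -c -f <file>` before installing it, since a syntax error in /etc/sudoers locks everyone out of sudo.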
krisum

Apr 07, 2008
6:42 AM EDT
@sander Changing your own password with 'passwd' requires knowledge of the current password. So this will require that the password of one of the "admin" users be known for this to work (in the default Ubuntu configuration).