Mailing List Archive

On 11:11 Mon 21 Mar , Lindsay Haisley wrote:
> I'm putting this in a separate thread because IMHO it has nothing to do
> with any problems I'm having, but with desktop security in general.
>
> On Mon, 2011-03-21 at 09:57 +0100, Roman Zilka wrote:
> > The third suggestion is probably the most important one: being NAT'd
> > and being behind any iptables configuration (that allows for operations
> > such as sending mail and browsing the web) doesn't make your PC
> > invulnerable or anything near that. In other words, active break-in
> > attempts via open ports is by far not the only option hackers have.
>
> So give me an example, Roman, assuming one's firewall is intact and
> functioning as designed. The only such class of possible exploits I can
> think of is the possibility of importing a virus, trojan, worm, etc. via
> email, or possibly via a web script. Linux viruses propagated via email
> are scarcer than hen's teeth, and an exploit imported thusly which would
> leverage a vulnerability in a specific problem kernel is almost
> certainly rare enough to be considered nonexistent in the wild as a
> practical matter. Please cite specific viruses/trojans, and if you can,
> reported cases of such exploits. In other words, don't blow smoke at me
> or throw out generalized assertions without citing evidence to support
> them.

Web-based vulnerabilities in Firefox or apps it uses for filetype
support (e.g. Evince for PDF has had vulnerabilities lately) would be
the most common, assuming you can convince people to visit a web server
that's rooted or compromised by XSRF/XSS.

--
Thanks,
Donnie

Donnie Berkholz
Desktop project lead
Gentoo Linux
Blog: http://dberkholz.com

Lindsay Haisley (Mon, 21 Mar 2011 11:11:52 -0500):
> I'm putting this in a separate thread because IMHO it has nothing to do
> with any problems I'm having, but with desktop security in general.
>
> On Mon, 2011-03-21 at 09:57 +0100, Roman Zilka wrote:
> > The third suggestion is probably the most important one: being NAT'd
> > and being behind any iptables configuration (that allows for operations
> > such as sending mail and browsing the web) doesn't make your PC
> > invulnerable or anything near that. In other words, active break-in
> > attempts via open ports is by far not the only option hackers have.
>
> So give me an example, Roman, assuming one's firewall is intact and
> functioning as designed. The only such class of possible exploits I can
> think of is the possibility of importing a virus, trojan, worm, etc. via
> email, or possibly via a web script. Linux viruses propagated via email
> are scarcer than hen's teeth, and an exploit imported thusly which would
> leverage a vulnerability in a specific problem kernel is almost
> certainly rare enough to be considered nonexistent in the wild as a
> practical matter. Please cite specific viruses/trojans, and if you can,
> reported cases of such exploits. In other words, don't blow smoke at me
> or throw out generalized assertions without citing evidence to support
> them.

Yes, the firewall being 95% of all the defense necessary is an outdated
story (ignoring social engineering now). Take a web browser: it's so
complex with so many things in it that could be abused by a malicious
website (that perhaps didn't even want to do bad stuff, but got hacked
yesterday)... Donnie Berkholz mentioned a few. The most common browser
plugins - Flash and Acrobat - and their security holes are considered
one of the greatest threats to a desktop user. As long as you browse
the web, you're exposed and the firewall will let it all through, of
course, because you do want to browse the web. As a result of a
security hole abuse, your PC may get infected with a well-hidden
keylogger and/or backdoor which doesn't have to wait for a connection
from the outside (because the firewall would prevent that).

Apart from that, you may once in a while get tempted to open a piece of
spam which just happens to look so legitimate. And this item happened
to contain a 1x1 pixel white image which abused a hole in libmng which
you'd always ignored, because you just never view mng files.

Of course, it's not just the browser and mail client that deals with
something coming from the Internet.

DNSSEC is also on the table nowadays. No firewall will protect you from
spoofed DNS replies that will lead your browser to a malicious site.

Also, you mentioned earlier that you access various VPNs. I don't know
much about VPNs, and topologies and configurations may clearly vary
broadly, but I suppose there can be a setting such that your PC will
get exposed to direct traffic from the VPN peers. NAT or not NAT.

There's a gargantuan mass of data on these and more issues lying around
the web. Google will give you more reading on the topic.

-rz

On Wed, 2011-03-23 at 10:44 +0100, Roman Zilka wrote:
> Apart from that, you may once in a while get tempted to open a piece of
> spam which just happens to look so legitimate. And this item happened
> to contain a 1x1 pixel white image which abused a hole in libmng which
> you'd always ignored, because you just never view mng files.

I think you mean "libpng", not "libmng". I can't find any references to
the latter. This exploit is apparently a design error in the library
and is rated as being of low risk for Linux. You can get your Linux
desktop DoS'd, apparently, but I find no reference to a viral infection
or a wider system compromise. Reboot and carry on :-)

My hypothetical question said "Please cite specific viruses/trojans"
which can affect a Linux desktop box. There's a difference between an
exploit vulnerability which can open up a box from the inside to
intrusion, and persists across reboots, and a vulnerability via an open
port or exposed service which requires that the services be accessible
from the Internet cloud. A javascript which can lock a box into an
infinite loop, or a libpng vulnerability which can effectively DoS a box
doesn't rise to this level. Can we assume that there's no port exposure
in a box masqueraded on a RFC1918 network? I'm not sure, which is why I
posed the question.

With perhaps a very few exception these exploits are aimed at MS Windows
boxes. Recent Flash vulnerabilities, for instance, are listed as
affecting "Adobe Flash Player 10.1.82.76 and earlier versions for
Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player
10.1.92.10 for Android" but the report goes on to say that "There are
reports that this vulnerability is being actively exploited in the wild
against Adobe Flash Player on Windows." No mention of Linux, and I can
find no references to a web or email borne exploit found in the wild
that actually generates an *infection* on a Linux box. Consider this a
challenge, if you will, since I'd love to be proved wrong on this last
point and learn something.

One of the reasons I use Linux is because real infections of any sort
via email or web are extremely rare. This isn't to say that they're
non-existent, and there's no such thing as absolute security, but
prevention of such problems is a matter of keeping up with CERT
bulletins. A quick search on US-CERT's website is pretty reassuring.
Searching for Linux turns up virtually nothing from the past several
years, although I do know that there was a nasty glibc vulnerability not
too long ago. There's a difference, however, (subtle as it may be)
between getting infected by a virus and getting cracked by an intruder.

> DNSSEC is also on the table nowadays. No firewall will protect you from
> spoofed DNS replies that will lead your browser to a malicious site.

We've seen this. I'm not running DNSSEC on my DNS servers but I've
taken other measures to avoid cache poisoning on them. One of my
clients, using one of RoadRunner's DNS servers, did have this problem,
from a Windows box, and got a very fake Google front page!

> Also, you mentioned earlier that you access various VPNs. I don't know
> much about VPNs, and topologies and configurations may clearly vary
> broadly, but I suppose there can be a setting such that your PC will
> get exposed to direct traffic from the VPN peers. NAT or not NAT.

Absolutely! If a skilled cracker were to compromise one of my servers,
or one of my clients' servers to which I'm connected via VPN, then I'm a
sitting duck, assuming said cracker has the skill to figure out how to
traverse the VPN and compromise _my_ Linux security. My VPN's are wide
open, for a reason. My question is a hypothetical one, however,
regarding general security, and the issue of VPNs relates only to my
particular setup. And this involves an "exploit" of a connected box,
not a virus/trojan infection, as per my question.

One always learns far more from one's failures than from one's
successes. My Linux servers _have_ been hacked. The biggest hole on my
servers is PHP, and all the break-ins on them have been via large PHP
mega-apps (e.g. WordPress). Most recently we had a customer's WordPress
installation compromised and the attacker was trying exploit a known
vulnerability in the local glibc. He managed only to totally DoS the
box and I had to get an on-site admin to re-boot it. I've locked down
execute perms on wget, which is what most of these black-hats use to
load in their cracking tools, and we've had zero problems since. But
this is server stuff, and OT for this forum.

--
Lindsay Haisley | "Fighting against human creativity is like
FMP Computer Services | trying to eradicate dandelions"
512-259-1190 | (Pamela Jones)
http://www.fmp.com |

On 13:46 Wed 23 Mar , Lindsay Haisley wrote:
> With perhaps a very few exception these exploits are aimed at MS
> Windows boxes. Recent Flash vulnerabilities, for instance, are listed
> as affecting "Adobe Flash Player 10.1.82.76 and earlier versions for
> Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player
> 10.1.92.10 for Android" but the report goes on to say that "There are
> reports that this vulnerability is being actively exploited in the
> wild against Adobe Flash Player on Windows." No mention of Linux, and
> I can find no references to a web or email borne exploit found in the
> wild that actually generates an *infection* on a Linux box. Consider
> this a challenge, if you will, since I'd love to be proved wrong on
> this last point and learn something.

It's called reverse shellcode. One would exploit a vulnerability in your
web browser, email reader, or integrated apps/libraries (primarily
Flash, Evince/libpoppler, or Java) that provides the ability to run
arbitrary code as the local user to get the shellcode onto your system
and run it. Reverse shellcode then connects from your computer to a
remote server and provides them with a login shell. At that point, they
still need to come up with a local root vulnerability or use a keylogger
till they get you becoming root.

I'm not going to go into any more detail on it, but you can find it if
you do some searching.

--
Thanks,
Donnie

Donnie Berkholz
Desktop project lead
Gentoo Linux
Blog: http://dberkholz.com

On Wed, 2011-03-23 at 16:56 -0500, Donnie Berkholz wrote:
> It's called reverse shellcode. One would exploit a vulnerability in your
> web browser, email reader, or integrated apps/libraries (primarily
> Flash, Evince/libpoppler, or Java) that provides the ability to run
> arbitrary code as the local user to get the shellcode onto your system
> and run it. Reverse shellcode then connects from your computer to a
> remote server and provides them with a login shell.

Very interesting!

I did a bit of looking. This appears to be far into the realm of
grey-hat hacking. I found
<http://linux.softpedia.com/get/System/Shells/Sishell-25119.shtml> and
<http://projectshellcode.com/node/2>.

This looks mostly like it's theoretical, proof of concept stuff, and
some of it uses DNS as an intermediary agent. Do exploits based on on
these techniques actually exist in the wild that you know of?

Linux is unsinkable, just like the Titanic.

--
Lindsay Haisley | "Never expect the people who caused a problem
FMP Computer Services | to solve it." - Albert Einstein
512-259-1190 |
http://www.fmp.com |

Lindsay Haisley (Wed, 23 Mar 2011 13:46:37 -0500):
> On Wed, 2011-03-23 at 10:44 +0100, Roman Zilka wrote:
> > Apart from that, you may once in a while get tempted to open a piece of
> > spam which just happens to look so legitimate. And this item happened
> > to contain a 1x1 pixel white image which abused a hole in libmng which
> > you'd always ignored, because you just never view mng files.
>
> I think you mean "libpng", not "libmng". I can't find any references to
> the latter.

I actually did mean libmng - it's a good example exactly because it's
so unpopular, yet exists on real systems. As for the reference, see
`emerge -pv libmng`. Also possibly interesting: `equery d libmng`,
although it only shows 1st level deps. Recursive traversal suggested
for more insteresting info on what can be potentially broken into when
a bug exists in libmng. On my system, for instance, qt-gui depends on
libmng and quite a number of everyday desktop apps depend on qt-gui. I
use the most common desktop Gentoo profile and have no mng-related USE
flags explicitly on/off.

> This exploit is apparently a design error in the library
> and is rated as being of low risk for Linux. You can get your Linux
> desktop DoS'd, apparently, but I find no reference to a viral infection
> or a wider system compromise. Reboot and carry on :-)

This looks like you're thinking about the library as having
_a_ security hole. Of course, nobody knows how many holes it has in
reality, but even those that have been discovered so far are multiple.

Also note that libmng was just an example. Everything has bugs.

> My hypothetical question said "Please cite specific viruses/trojans"
> which can affect a Linux desktop box.

I wrote a thesis on these and I can tell you there are plenty. I'll
ask you to ref. to Google or a nearby bookstore, as I don't want this
to turn into a chat / lecture on a general topic, or into an academic
paper with proofs of every other claim. Neither is the format of this
mailinglist.

> There's a difference between an
> exploit vulnerability which can open up a box from the inside to
> intrusion, and persists across reboots, and a vulnerability via an open
> port or exposed service which requires that the services be accessible
> from the Internet cloud. A javascript which can lock a box into an
> infinite loop, or a libpng vulnerability which can effectively DoS a box
> doesn't rise to this level.

DoS vulns are a subset. Arbitrary (malicious) code execution vulns are
another, and a much scarier one.

> Can we assume that there's no port exposure
> in a box masqueraded on a RFC1918 network? I'm not sure, which is why I
> posed the question.

There may be no port exposure from the outside indeed. But I gave
examples of situations when that doesn't matter.

> With perhaps a very few exception these exploits are aimed at MS Windows
> boxes. Recent Flash vulnerabilities, for instance, are listed as
> affecting "Adobe Flash Player 10.1.82.76 and earlier versions for
> Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player
> 10.1.92.10 for Android" but the report goes on to say that "There are
> reports that this vulnerability is being actively exploited in the wild
> against Adobe Flash Player on Windows." No mention of Linux, and I can
> find no references to a web or email borne exploit found in the wild
> that actually generates an *infection* on a Linux box. Consider this a
> challenge, if you will, since I'd love to be proved wrong on this last
> point and learn something.

Again, countless lines of tutorials, books, theses, papers and reports
of all sorts have been written on exploiting arbitrary code execution
vulns on Linux. On this mailinglist there's nothing else for me to do
but to ask you to refer to any suitable external source on Linux
security. In fact, I literally suggest that you do, provided you do
business on your PC.

By the way, you don't even need to see one specific malicious PDF file
that'll abuse something in a buggy Acrobat. All you need to know is
that Acrobat has an arbitrary code execution vuln. It's up to you to
decide what code exactly will be run - a shellcode, a keylogger, a
hello-world, a DoS attack, a spam bot, you name it. Try looking around
the web for those. Make sure that your browser settings, you Google
settings and your current ISP benevolence allow for reaching
underground sites. Your search for info will be even faster that way.

> One of the reasons I use Linux is because real infections of any sort
> via email or web are extremely rare. This isn't to say that they're
> non-existent, and there's no such thing as absolute security, but
> prevention of such problems is a matter of keeping up with CERT
> bulletins. A quick search on US-CERT's website is pretty reassuring.
> Searching for Linux turns up virtually nothing from the past several
> years, although I do know that there was a nasty glibc vulnerability not

I don't know what and how where you looking for, but re-consider this
with a clear mind. It's obviously unrealistic. I hope you don't believe
that.

> > Also, you mentioned earlier that you access various VPNs. I don't know
> > much about VPNs, and topologies and configurations may clearly vary
> > broadly, but I suppose there can be a setting such that your PC will
> > get exposed to direct traffic from the VPN peers. NAT or not NAT.
>
> Absolutely! If a skilled cracker were to compromise one of my servers,
> or one of my clients' servers to which I'm connected via VPN, then I'm a
> sitting duck, assuming said cracker has the skill to figure out how to
> traverse the VPN and compromise _my_ Linux security. My VPN's are wide
> open, for a reason. My question is a hypothetical one, however,
> regarding general security, and the issue of VPNs relates only to my
> particular setup. And this involves an "exploit" of a connected box,
> not a virus/trojan infection, as per my question.

It doesn't have to be a cracker in person.

If you limit your attention to viruses/rootkits only, you're missing
out on the other ways your Linux box can be penetrated.

> One always learns far more from one's failures than from one's
> successes. My Linux servers _have_ been hacked. The biggest hole on my
> servers is PHP, and all the break-ins on them have been via large PHP
> mega-apps (e.g. WordPress). Most recently we had a customer's WordPress
> installation compromised and the attacker was trying exploit a known
> vulnerability in the local glibc. He managed only to totally DoS the
> box and I had to get an on-site admin to re-boot it. I've locked down
> execute perms on wget, which is what most of these black-hats use to
> load in their cracking tools, and we've had zero problems since. But
> this is server stuff, and OT for this forum.

For the sake of security of that server, I hope you skipped a number of
other steps you took.

But once again - I suggest quitting this discussion. It's getting way
off-topic, too general and unfit for this mailinglist, as all these
questions can be answered by checking sources someone else has
previously spent their time on writing. That being said, I myself will
stick to the boot-up issue stuff only.

-rz

On Thu, 2011-03-24 at 10:29 +0100, Roman Zilka wrote:
>
> I actually did mean libmng - it's a good example exactly because it's
> so unpopular, yet exists on real systems. As for the reference, see
> `emerge -pv libmng`.

Sorry! I did a google search for "libmng" yesterday and turned up
nothing. I must have misspelled it since I tried it today and came up
with all kinds of references. My apologies to all.

> For the sake of security of that server, I hope you skipped a number
> of other steps you took.

I had one of my colleagues, who runs one of Austin's top computer
security firms take a look at the situation. He concurred with me on
the diagnosis, and there were a limited number of things that could be
done, including updating glibc. Customers are free to put whatever they
want on their websites, and those who run WordPress are warned that
they're liable for damages if their apps get hacked and the system
compromised.

> I suggest quitting this discussion. It's getting way
> off-topic, too general and unfit for this mailinglist, as all these
> questions can be answered by checking sources someone else has
> previously spent their time on writing.

Roman, are you a moderator on this list? The Gentoo website describes
it as a "Mailing list devoted to Gentoo on the desktop" so I assumed
that Gentoo desktop security was an appropriate topic.

That having been said, perhaps you might recommend a few of the best
"sources someone else has previously spent their time on writing" since
you seem to have knowledge of these, and I'll be happy to let the thread
drop.

--
Lindsay Haisley | "The difference between a duck is because
FMP Computer Services | one leg is both the same"
512-259-1190 | - Anonymous
http://www.fmp.com |

> > I suggest quitting this discussion. It's getting way
> > off-topic, too general and unfit for this mailinglist, as all these
> > questions can be answered by checking sources someone else has
> > previously spent their time on writing.
>
> Roman, are you a moderator on this list? The Gentoo website describes
> it as a "Mailing list devoted to Gentoo on the desktop" so I assumed
> that Gentoo desktop security was an appropriate topic.
>
> That having been said, perhaps you might recommend a few of the best
> "sources someone else has previously spent their time on writing" since
> you seem to have knowledge of these, and I'll be happy to let the thread
> drop.

This is exactly what this mailinglist primarily isn't for: re-relling
stories Google can tell better, answering questions Google can answer. I
say "primarily" - an off-topic off-shot here and there can't harm
anyone, but we've had some already. If the list didn't have this policy
and if it didn't more or less stick to it, it would have become a chat
room for anyone who just doesn't want to take the time to search for
themselves and instead opts for the lazier choice: just ask others,
it's easier. I know it because I've been monitoring this list for years
(read-only, for the most part). As you say: the list is for Gentoo on
desktops. Not for general Linux security discussion. True, Gentoo is
Linux, but we're here for Gentoo specifically. Otherwise we could just
call the list "the list on everything" because, for example, Gentoo
runs on CPUs and CPUs are in desktops, so random chat about CPU-related
stuff is related to Gentoo on desktops. The same for any piece of
hardware, and more than that. You get the idea.

You boldly state that you'll be happy to drop this thread if certain
conditions of yours are met. It sounds like you believe only you decide
whether the thread is dropped or not and when. Well, it's not true. To
my eyes this thread has become teaching certain basics in electronic
communication and using the Internet. Everyone has the right to not
know them, but I just don't feel like this is the right place to
explain them. So I'm ending my participation in this particular thread
and if everyone else does the same, the thread ends here, whether you
decide so or not. Unless you'd go on talking to yourself, in which case
it would probably end a bit later by the power of a moderator.

-rz

On Thu, 2011-03-24 at 19:30 +0100, Roman Zilka wrote:
> > > I suggest quitting this discussion. It's getting way
> > > off-topic, too general and unfit for this mailinglist, as all these
> > > questions can be answered by checking sources someone else has
> > > previously spent their time on writing.
> >
> > Roman, are you a moderator on this list? The Gentoo website describes
> > it as a "Mailing list devoted to Gentoo on the desktop" so I assumed
> > that Gentoo desktop security was an appropriate topic.
> >
> > That having been said, perhaps you might recommend a few of the best
> > "sources someone else has previously spent their time on writing" since
> > you seem to have knowledge of these, and I'll be happy to let the thread
> > drop.
>
> This is exactly what this mailinglist primarily isn't for: re-relling
> stories Google can tell better, answering questions Google can answer. I
> say "primarily" - an off-topic off-shot here and there can't harm
> anyone, but we've had some already. If the list didn't have this policy
> and if it didn't more or less stick to it, it would have become a chat
> room for anyone who just doesn't want to take the time to search for
> themselves and instead opts for the lazier choice: just ask others,
> it's easier.

Well I didn't see anything about this in the list description on the
Gentoo website. I guess there's a list description that you apparently
know about that I missed. On friendly lists, people give useful
references when asked for them and don't suggest that others are "lazy"
when asking for them.

> I know it because I've been monitoring this list for years
> (read-only, for the most part). As you say: the list is for Gentoo on
> desktops. Not for general Linux security discussion. True, Gentoo is
> Linux, but we're here for Gentoo specifically. Otherwise we could just
> call the list "the list on everything" because, for example, Gentoo
> runs on CPUs and CPUs are in desktops, so random chat about CPU-related
> stuff is related to Gentoo on desktops. The same for any piece of
> hardware, and more than that. You get the idea.

Oh! Well that's abundantly clear!

> You boldly state that you'll be happy to drop this thread if certain
> conditions of yours are met. It sounds like you believe only you decide
> whether the thread is dropped or not and when. Well, it's not true.

C'est la vie. I politely asked you for a reference or two on the
subject, which you could have given me off list, if you'd wanted, using
far fewer words than you've used here to berate me. Others on this list
have been more generous, thoughtful and polite.

Perhaps you would also be kind enough to refrain from commenting further
on my Gentoo desktop booting problem, which is obviously a general
_Linux_ problem, and probably not appropriate for this forum either.
I've asked Jorge in private email for suggestions for a more appropriate
forum in which to pursue it. In any event, your participation on _that_
thread, while minimally helpful, has mostly yielded more heat than
light.

And if you're not the moderator on this list, then who is, and would the
moderator please point me, via private email, to a full description of
what's appropriate and not appropriate for discussion on this list? -
something more complete than the simple, rather general description
which I read on <http://www.gentoo.org/main/en/lists.xml>. Roman, since
you seem to know a great deal about it, perhaps _you_ could point me
such a description. I'm really not lazy, I just can't seem to find it.
Please excuse me if I don't just take your word for it, but I don't see
gentoo.org in your email address, and it's not clear to me that you have
any more authority than I do in the matter.

--
Lindsay Haisley | "Real programmers use butterflies"
FMP Computer Services | - xkcd
512-259-1190 |
http://www.fmp.com |

Apropos this discussion, I solicit and would welcome any references to
books or online documents relevant to the subject of Linux desktop
security, and in particular to the subject of reverse shellcode (very
interesting!) or related topics which anyone on this list might choose
to post, or send me in private. Thanks to everyone who contributed
positive input.

--
Lindsay Haisley |"Windows .....
FMP Computer Services | life's too short!"
512-259-1190 |
http://www.fmp.com | - Brad Johnston