Dailydave mailing list archives
Re: Advisory Day!
From: Tiago Assumpção <module () whatever org ar>
Date: Thu, 04 Mar 2004 06:28:35 -0300
Dude, your philosophical question makes me remember a case... It was an audit of this famous appliance (whose name I should not mention, for ethical reasons) that a client was about to pay for. The rules were quite simple: get in, remotely.

I still remember plugging in a VGA monitor and watching the boot process with anakata. No IP address was given, just one supposed account for read-only access to their system management software running over HTTPS. Thank god it had an IP address assigned, but the account didn't work. The always good by-hand brute force was quite useful -- admin:netscreen (errrmm).

From that time on, nahual found out that their CGI programs were actually executing commands via GET requests. Yes, that's a really gross one. A simple set of those commands allowed us to find out that /bin/shell was there, even though uploading one wouldn't have been a hard task. After this, uploading netcat (yes, they had lynx) and popping up this shell wasn't difficult either.

So we were in. First look around and we realized it was a simple Linux 2.4.old_release with a, errrm, let's say different, kernel revision tag (maybe their system changes aren't more than manipulating the original source code to make the version strings look fancy). But yes, it was the old and good Linux kernel with some good local root "features". I remember they didn't have GCC, but had the rest of the toolchain kit, including the full header collection -- was this an attempt to achieve security? Yet no problem, building a random public exploit and uploading (and loading) the program was simple.

Ok, we've got that holy access. After this, nahual still wanted more and triggered John the Ripper trying to figure out the root password (I think it's always nice to tell the clients their passwords even after full access). After so many (good) surprises a new one was yet unexpected! root:abc123

I don't really know what happened when the client got our response, but no matter what, this was such a classical hack, as fun as it could be! I miss those times :(

In the end your philosophy helps people remember that so many high-cost (someone said this appliance had a price of ~$20k) cutting-edge technologies will always trip at the very axiomatic points. As a reminder of our weakness:

- David Hilbert
- Kurt Gödel (probably the most valuable guest ever accommodated in Hilbert's Hotel)
- "Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme" [Gödel31]
--
Tiago Assumpcao
module () whatever org ar
7D9A A6BA 8275 964E EF47 EE5A 7AFF C759 B578 ACAA
http://whatever.org.ar/~module [/myself.asc]

At 16:35 3/3/2004, you wrote:
> At 02:12 PM 3/3/2004 -0500, Dave Aitel wrote:
>> Yes, it's time for another "advisory". As I don't believe advisories
>> really accomplish anything
>
> Well, for one thing, if you point out you do in fact know how to issue advisories it might help get companies to listen when you file bug reports. Might, of course.
>
>> RealSecure, NAI, etc - do bugs in security
>> software products make everyone else laugh?
>
> Well, one certainly wonders what they do with all that bloody scanning kit if they don't run it against their own gear. I assume all of EEye's products are being scanned at the submolecular level by vast teams in suburban Atlanta, as we speak ;-)
>
> Philosophical question: suppose a box ships with no shell access by default, but with a linux kernel and a shell installed, and with a mechanism available to get to the shell. Are local shell-based exploits then a realistic attack path?
>
> I think that, if the vendor shipped BASH on the box, then someone, someday, is going to run BASH. I think that's the line. If you don't want people running a shell, ever, then don't ship a shell.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave