linux-kernel.vger.kernel.org archive mirror
* Re: Is there something that can be done against this ???
From: Per Jessen @ 2001-08-13 20:00 UTC (permalink / raw)
  To: Linux Kernel List, Mircea Ciocan

On Mon, 13 Aug 2001 22:20:08 +0300, Mircea Ciocan wrote:

>	OK, I realized it is a hoax, I should look at the code first then cry the
>wolf is coming :), but anyhow this crap is VERY effective in
>demonstrating to a clueless IT manager that Linux is oh, sooo easy to
>break in.

This is an EXCELLENT comment - we need to be concerned not just about fact, 
but also about perception. For those of you in admin jobs with clueless
IT managers watching over your shoulder, this is a real challenge. Hopefully,
since you have *already* adopted Linux, you'll be able to prove that
this particular script was no threat to Linux.


>	So at least to learn something from this, is there a way to stop
>completely that crap ???
>		My apologies to get you disturbed.

I think you did rightly so. No apologies needed.


regards,
Per Jessen, Zurich
http://www.enidan.com - home of the J1 serial console.

Windows 2001: "I'm sorry Dave ...  I'm afraid I can't do that."




* Re: Is there something that can be done against this ???
From: Helge Hafting @ 2001-08-15  9:08 UTC (permalink / raw)
  To: joseph.bueno; +Cc: linux-kernel

joseph.bueno@trader.com wrote:
[...]
> How many users are there that use a specific user account to read
> their emails on their Linux workstation ?
> I don't, I use my account to read mails, write documents,
> develop programs, etc. So even if a malicious program does
> not do any harm to the system, it can at least destroy or corrupt my
> own files and I will lose time restoring from last backup and
> rebuilding recently modified files.
> 
So you aren't reading mail as root - which is what any windows
user does.  I believe few people read mail from a "mail-only"
account, but reading the mail is seldom dangerous.  If someone
mails you an unknown program though - definitely run that
from a test account if you try it at all.

Helge Hafting


* Re: Is there something that can be done against this ???
From: Scott Wood @ 2001-08-14 17:47 UTC (permalink / raw)
  To: David Schwartz; +Cc: Linux Kernel List

On Tue, Aug 14, 2001 at 03:00:58AM -0700, David Schwartz wrote:
> 	Why? Is it because you don't trust your system security? Your operating
> system shouldn't let the script do anything you don't want it to do.

Anything?  How will it be prevented from being used to attack other machines
(other than attacks that require root on the attacking machine), or to relay
spam, or to act as a warez/mp3/whatever server (sure, quotas could be used,
but are they?  And even if they are, does it have enough space for a few
small titles)?

And if that account is also used for mail reading, it could send your
mailbox to the attacker, delete or alter your mail, etc.  It'd also have
access to a bunch of e-mail addresses that it could forward itself to.

> 	That should do no harm. What you mean to say is "if somebody is dumb enough
> to execute any program received by email under a user account that has
> permissions to modify files he cares about, consume too many process slots,
> consume excessive vm, or has other special capabilities".

And by default, even the nobody user can use virtually all the memory or
processes it wants.  Even with only a few process slots, it could steal a
decent amount of CPU cycles (hmm... a distributed.net worm? :-).

> 	If a user can run code that can harm the system, then nobody who isn't
> trusted not to harm the system can be a user. That's not how we want Linux
> to be, is it?

If you define "harm the system" as perform any unauthorized
externally-visible (relative to the sandbox) action, then Linux is a *long*
way from achieving that.

-Scott


* RE: Is there something that can be done against this ???
From: David Schwartz @ 2001-08-14 17:10 UTC (permalink / raw)
  To: Helge Hafting, linux-kernel


> David Schwartz wrote:

> > > The question is not : "is this script dangerous ?",
> > > but "are you ready to blindly execute a shell script
> > > (or any program) that you receive in your  mail ?".

> >         Sure, as a user created solely for that purpose, it
> > should be entirely
> > safe.

> It definitely ought to be safe.  But don't run any script people mail
> you in a test account - you'll be sorry when they exploit a bug in
> your kernel or perhaps one of your trusted daemons...

	Well that's my point. If you don't feel comfortable doing this, it's
because you suspect that something is wrong with your system's security. Of
course, we don't go testing how scratch-resistant our glasses are by
attempting to scratch them. In principle, however, it should be safe from an
OS standpoint assuming your system has been configured to be secure.

	DS



* Re: Is there something that can be done against this ???
From: Colonel @ 2001-08-14 16:34 UTC (permalink / raw)
  To: linux-kernel

In clouddancer.list.kernel, you wrote:
>
>David Schwartz wrote:
>> 
>> > The question is not : "is this script dangerous ?",
>> > but "are you ready to blindly execute a shell script
>> > (or any program) that you receive in your  mail ?".
>> 
>>         Sure, as a user created solely for that purpose, it should be entirely
>> safe.
>> 
>
>How many users are there that use a specific user account to read
>their emails on their Linux workstation ?
>I don't, I use my account to read mails, write documents,
>develop programs, etc. So even if a malicious program does
>not do any harm to the system, it can at least destroy or corrupt my
>own files and I will lose time restoring from last backup and
>rebuilding recently modified files.


Anybody that can think probably does that.  First they think that
setting up a test user takes a few seconds, then they think that
restoring from backup takes at least 100x longer....


-- 
Windows 2001: "I'm sorry Dave ...  I'm afraid I can't do that."



* Re: Is there something that can be done against this ???
From: joseph.bueno @ 2001-08-14 13:16 UTC (permalink / raw)
  To: David Schwartz; +Cc: Linux Kernel List

David Schwartz wrote:
> 
> > The question is not : "is this script dangerous ?",
> > but "are you ready to blindly execute a shell script
> > (or any program) that you receive in your  mail ?".
> 
>         Sure, as a user created solely for that purpose, it should be entirely
> safe.
> 

How many users are there that use a specific user account to read
their emails on their Linux workstation ?
I don't, I use my account to read mails, write documents,
develop programs, etc. So even if a malicious program does
not do any harm to the system, it can at least destroy or corrupt my
own files and I will lose time restoring from last backup and
rebuilding recently modified files.

> > I don't care if this script is dangerous or not because I will
> > never execute it,
> > or any program that I receive my email before checking its
> > contents and making sure
> > it is OK.
> > (And my mail reader will not execute anything automatically, not
> > even Javascript).
> 
>         Why? Is it because you don't trust your system security? Your operating
> system shouldn't let the script do anything you don't want it to do.

Yes I trust my system security. But even if the system is not affected,
since the script will run with my userid, it will be able to do everything
I am allowed to do.

> 
> > If somebody is dumb enough to execute any  program received by email,
> > don't lose time trying to find some weaknesses in the system; just
> > send him a shell script with "rm -rf /". It will do enough harm !
> 
>         That should do no harm. What you mean to say is "if somebody is dumb enough
> to execute any program received by email under a user account that has
> permissions to modify files he cares about, consume too many process slots,
> consume excessive vm, or has other special capabilities".

It was just a one line example. Even if it does not do any harm to
system files, it will harm my own files !

BTW, how many people are positively sure that they can
run "su nobody -c rm -rf /" on their system without losing anything ?

> 
> > Best protection against mail virus is not technical (although it
> > may help),
> > but user education; and this is true regardless of which operating system
> > or mail reader is used !
> 
>         If a user can run code that can harm the system, then nobody who isn't
> trusted not to harm the system can be a user. That's not how we want Linux
> to be, is it?

Well, you are right; but even if a user does not harm the system,
he will harm himself and there is no way the system can protect him
against it. So we are back to my point: user protection comes from
user education.

> 
>         DS
> 
Regards
--
Joseph Bueno
NetClub/Trader.com


* Re: Is there something that can be done against this ???
From: Helge Hafting @ 2001-08-14 12:42 UTC (permalink / raw)
  To: David Schwartz, linux-kernel

David Schwartz wrote:
> 
> > The question is not : "is this script dangerous ?",
> > but "are you ready to blindly execute a shell script
> > (or any program) that you receive in your  mail ?".
> 
>         Sure, as a user created solely for that purpose, it should be entirely
> safe.

It definitely ought to be safe.  But don't run any script people mail
you in a test account - you'll be sorry when they exploit a bug in
your kernel or perhaps one of your trusted daemons...

Helge Hafting


* RE: Is there something that can be done against this ???
From: David Schwartz @ 2001-08-14 10:00 UTC (permalink / raw)
  To: joseph.bueno, Mircea Ciocan; +Cc: Linux Kernel List


> The question is not : "is this script dangerous ?",
> but "are you ready to blindly execute a shell script
> (or any program) that you receive in your  mail ?".

	Sure, as a user created solely for that purpose, it should be entirely
safe.

> I don't care if this script is dangerous or not because I will
> never execute it,
> or any program that I receive my email before checking its
> contents and making sure
> it is OK.
> (And my mail reader will not execute anything automatically, not
> even Javascript).

	Why? Is it because you don't trust your system security? Your operating
system shouldn't let the script do anything you don't want it to do.

> If somebody is dumb enough to execute any  program received by email,
> don't lose time trying to find some weaknesses in the system; just
> send him a shell script with "rm -rf /". It will do enough harm !

	That should do no harm. What you mean to say is "if somebody is dumb enough
to execute any program received by email under a user account that has
permissions to modify files he cares about, consume too many process slots,
consume excessive vm, or has other special capabilities".

> Best protection against mail virus is not technical (although it
> may help),
> but user education; and this is true regardless of which operating system
> or mail reader is used !

	If a user can run code that can harm the system, then nobody who isn't
trusted not to harm the system can be a user. That's not how we want Linux
to be, is it?

	DS



* Re: Is there something that can be done against this ???
From: joseph.bueno @ 2001-08-14  8:16 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: Linux Kernel List

Mircea Ciocan wrote:
> 
>         The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.
>         I was stunned, and it seems that it is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> appropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.
> 
>                 Dead worried,
> 
>                 Mircea C.
> 
> P.S. Please tell me that I'm just being paranoid and that crap didn't
> work on your systems with a lookalike configuration.
> 
>   --------------------------------------------------------------------------------
>                Name: smile.sh
>    smile.sh    Type: Bourne Shell Program (application/x-sh)
>            Encoding: quoted-printable

Hi,

The question is not : "is this script dangerous ?",
but "are you ready to blindly execute a shell script
(or any program) that you receive in your  mail ?".

I don't care if this script is dangerous or not because I will never execute it,
or any program that I receive in my email before checking its contents and making sure
it is OK.
(And my mail reader will not execute anything automatically, not even Javascript).

If somebody is dumb enough to execute any  program received by email,
don't lose time trying to find some weaknesses in the system; just
send him a shell script with "rm -rf /". It will do enough harm !

Best protection against mail virus is not technical (although it may help),
but user education; and this is true regardless of which operating system
or mail reader is used ! 

Regards
--
Joseph Bueno
NetClub/Trader.com


* Re: Is there something that can be done against this ???
From: Helge Hafting @ 2001-08-14  8:12 UTC (permalink / raw)
  To: Mircea Ciocan, linux-kernel

Mircea Ciocan wrote:
> 
>         OK, I realized it is a hoax, I should look at the code first then cry the
> wolf is coming :), but anyhow this crap is VERY effective in
> demonstrating to a clueless IT manager that Linux is oh, sooo easy to
> break in.

Good.  I don't want a clueless IT manager administrating a Linux box
anyway.
Of course the same applies to NT.  Try creating an unprivileged account
named "administrator" with full access to a faked control panel.  Or
for something a little easier - a fake program named "format"
or "deltree" that writes the same on screen as the real thing.
And makes the disk click by seeking. :-)

Any OS is sooo easy to simulate a break-in on.

>         So at least to learn something from this, is there a way to stop
> completely that crap ???

Don't work for a manager that clueless - or tell him it's a hoax.

Helge Hafting


* Re: Is there something that can be done against this ???
From: Henning P. Schmiedehausen @ 2001-08-14  8:02 UTC (permalink / raw)
  To: linux-kernel

Mircea Ciocan <mirceac@interplus.ro> writes:

>	The attached piece of script kiddie shit is the first one that worked

bash-2.04# less /etc/shadow
/etc/shadow: Permission denied

It _is_ shit. Nothing more. "Faked root". Yawn.

	Regards
		Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22  Fon.: 09131 / 50654-0   info@intermeta.de
D-91054 Buckenhof     Fax.: 09131 / 50654-20   


* Re: Is there something that can be done against this ???
From: Rik van Riel @ 2001-08-13 22:01 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: Ulrich Drepper, Alan Cox, Linux Kernel List

On Mon, 13 Aug 2001, Mircea Ciocan wrote:

> 	So at least to learn something from this, is there a way
> to stop completely that crap ???

Disable printf() ;)

Rik
--
IA64: a worthy successor to the i860.

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com/



* Re: Is there something that can be done against this ???
From: Admin Mailing Lists @ 2001-08-13 20:09 UTC (permalink / raw)
  To: Linux Kernel List


On Mon, 13 Aug 2001, Mircea Ciocan wrote:

> 	OK, I realized it is a hoax, I should look at the code first then cry the
> wolf is coming :), but anyhow this crap is VERY effective in
> demonstrating to a clueless IT manager that Linux is oh, sooo easy to
> break in.
> 	So at least to learn something from this, is there a way to stop
> completely that crap ???

yeah, murder your clueless IT manager..rinse..repeat..until they
hire a non-clueless one.

just a suggestion.

-Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco                       Network Administrator/Engineer
thelittleprince@asteroid-b612.org       Intergrafix Internet Services

    "Dream as if you'll live forever, live as if you'll die today"
http://www.asteroid-b612.org                http://www.intergrafix.net
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.



* Re: Is there something that can be done against this ???
From: Richard B. Johnson @ 2001-08-13 20:02 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: Alan Cox, Linux Kernel List

On Mon, 13 Aug 2001, Mircea Ciocan wrote:

> 	The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.
> 	I was stunned, and it seems that it is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> appropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.
> 
> 		Dead worried,
> 
> 		Mircea C.
> 

It's a neat trick. It just replaces some 'C' runtime library functions
with do-nothing functions that return success for the user. It could
even replace file I/O stuff so the user changes directory, but what
`ls` shows, never changes (or is blank). A nice preload object library
could be created that could make a good April-fool joke. You've got
about 1/2 year to work on it! Install it in /lib, and when you want
to cause havoc, modify the target's ~/.bashrc file.

Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

    I was going to compile a list of innovations that could be
    attributed to Microsoft. Once I realized that Ctrl-Alt-Del
    was handled in the BIOS, I found that there aren't any.




* Re: Is there something that can be done against this ???
From: Chris Meadors @ 2001-08-13 19:53 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: Linux Kernel List

On Mon, 13 Aug 2001, Mircea Ciocan wrote:

> 	OK, I realized it is a hoax, I should look at the code first then cry the
> wolf is coming :), but anyhow this crap is VERY effective in
> demonstrating to a clueless IT manager that Linux is oh, sooo easy to
> break in.

Break in?

> 	So at least to learn something from this, is there a way to stop
> completely that crap ???

What crap?  You mean, saving an attachment you got in an e-mail, stripping
out the ^Ms at the end of lines, so the script can run correctly, and then
chmod +x that script, AND THEN run that script?  Oh, that crap...

> 		My apologies to get you disturbed.

I wasn't.

> 		Mircea "washing the egg on his face" C.

I think you missed some.

-Chris
-- 
Two penguins were walking on an iceberg.  The first penguin said to the
second, "you look like you are wearing a tuxedo."  The second penguin
said, "I might be..."                         --David Lynch, Twin Peaks



* Re: Is there something that can be done against this ???
From: Ronald Jeninga @ 2001-08-13 19:48 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: Linux Kernel List

I'll have to disappoint you, it worked perfectly over here
(Kernel 2.2.19, ld version 2.9.5 (with BFD 2.9.5.0.24), libc-2.1.3-141).

feeling uncomfortable,

Ronald


Mircea Ciocan wrote:
> 
>         The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.
>         I was stunned, and it seems that it is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> appropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.
> 
>                 Dead worried,
> 
>                 Mircea C.
> 
> P.S. Please tell me that I'm just being paranoid and that crap didn't
> work on your systems with a lookalike configuration.
> 
>   --------------------------------------------------------------------------------
>                Name: smile.sh
>    smile.sh    Type: Bourne Shell Program (application/x-sh)
>            Encoding: quoted-printable


* Re: Is there something that can be done against this ???
From: Aaron Lehmann @ 2001-08-13 19:41 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: Ulrich Drepper, Alan Cox, Linux Kernel List

On Mon, Aug 13, 2001 at 10:20:08PM +0300, Mircea Ciocan wrote:
> 	So at least to learn something from this, is there a way to stop
> completely that crap ???

No.


* Re: Is there something that can be done against this ???
From: Eli Carter @ 2001-08-13 19:34 UTC (permalink / raw)
  To: ptb; +Cc: Mircea Ciocan, linux kernel

"Peter T. Breuer" wrote:
> 
> "A month of sundays ago Mircea Ciocan wrote:"
> > P.S. Please tell me that I'm just being paranoid and that crap didn't
> > work on your systems with a lookalike configuration.
> 
> It doesn't work. It just looks like it does to the viewer!

The \x.. constructs in the echos require bash 2.

C-ya,

Eli
--------------------.     Real Users find the one combination of bizarre
Eli Carter           \ input values that shuts down the system for days.
eli.carter(a)inet.com `-------------------------------------------------


* Re: Is there something that can be done against this ???
From: Ben Collins @ 2001-08-13 19:32 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: Linux Kernel List

On Mon, Aug 13, 2001 at 09:56:37PM +0300, Mircea Ciocan wrote:
> 	The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.
> 	I was stunned, and it seems that it is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> appropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.

Wow, someone tried to pass this off as an exploit? Looks very much like
Debian's fakeroot package, used to give a false root lookalike shell
(it helps when building things as a normal user, when they need to think they
are root).

Nice, but not an exploit. Just a cheap old trick.

-- 
 .----------=======-=-======-=========-----------=====------------=-=-----.
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'


* Re: Is there something that can be done against this ???
From: Peter T. Breuer @ 2001-08-13 19:24 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: linux kernel

"A month of sundays ago Mircea Ciocan wrote:"
> P.S. Please tell me that I'm just being paranoid and that crap didn't
> work on your systems with a lookalike configuration.

It doesn't work. It just looks like it does to the viewer!

The "exploit" is a loadable shared library that replaces the
getuid, geteuid, getgid and getegid functions with dummies that
always return 0. So the code in bash that looks up the
prompt and all that goes and looks up root's .profile. The result is
that you get what looks like a root prompt, and your calls to
id return 0 :-)

But it can't really change uid. Try touching a file in / !

Peter
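A check a defender can run from inside the suspect shell, as an added example that is not code from this thread: it compares what libc's getuid()/geteuid() claim with the kernel's own view (the Uid line of /proc/self/status and the raw geteuid system call), which an LD_PRELOAD library cannot interpose, and reports whether LD_PRELOAD is set at all. Assumes Linux; the function names are my own.

```c
#define _GNU_SOURCE 1            /* for syscall() in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Real uid as the kernel writes it into /proc/self/status
 * ("Uid:\treal\teffective\tsaved\tfs"). A preloaded getuid() cannot
 * change what the kernel prints there. Falls back to the raw getuid
 * syscall if /proc is not mounted. */
long kernel_real_uid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    long uid = -1;

    if (f == NULL)
        return (long)syscall(SYS_getuid);
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "Uid:", 4) == 0) {
            uid = strtol(line + 4, NULL, 10);   /* first field: real uid */
            break;
        }
    }
    fclose(f);
    return uid;
}

/* Effective uid through the raw system call. LD_PRELOAD interposes the
 * libc symbol geteuid(); it does not sit between this call and the kernel. */
long kernel_effective_uid(void)
{
    return (long)syscall(SYS_geteuid);
}

/* 1 if LD_PRELOAD is set and non-empty in this process's environment.
 * Not proof of foul play by itself, but the first thing to inspect in a
 * shell that suddenly claims to be root. */
int preload_in_environment(void)
{
    const char *p = getenv("LD_PRELOAD");
    return p != NULL && p[0] != '\0';
}

/* 1 if libc's identity answers agree with the kernel's, 0 otherwise.
 * Under smile.sh getuid()/geteuid() return 0 while the kernel still
 * reports the unprivileged uid, so this returns 0. */
int identity_is_consistent(void)
{
    return kernel_real_uid() == (long)getuid()
        && kernel_effective_uid() == (long)geteuid();
}

int main(void)
{
    printf("libc:   uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    printf("kernel: uid=%ld euid=%ld\n", kernel_real_uid(), kernel_effective_uid());
    printf("LD_PRELOAD in environment: %s\n", preload_in_environment() ? "yes" : "no");
    printf("identity consistent: %s\n", identity_is_consistent() ? "yes" : "no");
    return identity_is_consistent() ? 0 : 1;
}
```

Run it as the same user both with and without the hoax's preload active: the libc line flips to 0 under the preload, the kernel line does not.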


* Re: Is there something that can be done against this ???
From: Mircea Ciocan @ 2001-08-13 19:20 UTC (permalink / raw)
  To: Ulrich Drepper; +Cc: Alan Cox, Linux Kernel List

	OK, I realized it is a hoax, I should look at the code first then cry the
wolf is coming :), but anyhow this crap is VERY effective in
demonstrating to a clueless IT manager that Linux is oh, sooo easy to
break in.
	So at least to learn something from this, is there a way to stop
completely that crap ???
		My apologies to get you disturbed.


		Mircea "washing the egg on his face" C.

Ulrich Drepper wrote:
> 
> Mircea Ciocan <mirceac@interplus.ro> writes:
> 
> >       The attached piece of script kiddie shit is the first one that worked
> > flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> > instant root access !!!.
> 
> This is a hoax.  Try doing something with your "exploited" shell.
> 
> --
> ---------------.                          ,-.   1325 Chesapeake Terrace
> Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
> Red Hat          `--' drepper at redhat.com   `------------------------


* Re: Is there something that can be done against this ???
From: Ulrich Drepper @ 2001-08-13 19:19 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: Alan Cox, Linux Kernel List

Mircea Ciocan <mirceac@interplus.ro> writes:

> 	The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.

This is a hoax.  Try doing something with your "exploited" shell.

-- 
---------------.                          ,-.   1325 Chesapeake Terrace
Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
Red Hat          `--' drepper at redhat.com   `------------------------

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: Is there something that can be done against this ???
  2001-08-13 18:56 ` Is there something that can be done against this ??? Mircea Ciocan
@ 2001-08-13 19:19   ` Jakob Østergaard
  2001-08-13 19:19   ` Ulrich Drepper
                     ` (6 subsequent siblings)
  7 siblings, 0 replies; 24+ messages in thread
From: Jakob Østergaard @ 2001-08-13 19:19 UTC (permalink / raw)
  To: Mircea Ciocan; +Cc: Linux Kernel List

On Mon, Aug 13, 2001 at 09:56:37PM +0300, Mircea Ciocan wrote:
> 	The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.

Try echo "gotcha" > /etc/passwd

It will fail.

Because you don't have root - it just *looks* like it.

The "malicious" code is:
#include <stdio.h>
#include <stdlib.h>
/* Every id-query wrapper is replaced by one that answers 0 (root), so a
 * process that loads this library believes it is root; the kernel's
 * credentials for the process are untouched. */
int getuid() { return(0); }
int geteuid() { return(0); }
int getgid() { return(0); }
int getegid() { return(0); }
/* Only overwrites the local pointer (the caller's array is never filled)
 * and leaks the allocation; it merely claims one group was returned. */
int getgroups(int size, int list[]) { list = (int *)malloc(sizeof(int)); return(1); }

The script spawns a new bash using LD_PRELOAD to override the glibc functions
with the above ones.

This does not compromise kernel security in any way whatsoever.  Not even
close.  You *may* be able to trick a naive user, but he won't be able to do
anything bad, because he is not root.  Even though he may think he is.  And
even though bash may think it is.

> 	I was stunned, and it seems that this is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> appropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.
> 
> 		Dead worried,

Don't worry.

> 
> 		Mircea C.
> 
> P.S. Please tell me that I'm just being paranoid and that crap didn't
> work on your systems with a lookalike configuration.

You're just being paranoid and that crap didn't work on your system either  :)

-- 
................................................................
:   jakob@unthought.net   : And I see the elder races,         :
:.........................: putrid forms of man                :
:   Jakob Østergaard      : See him rise and claim the earth,  :
:        OZ9ABN           : his downfall is at hand.           :
:.........................:............{Konkhra}...............:

^ permalink raw reply	[flat|nested] 24+ messages in thread
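An added example, not code from the thread or from smile.sh: a defender's check for exactly this trick. It asks the kernel for the real uid with a raw syscall and via /proc/self/status and compares that with what libc's getuid() claims; a mismatch means the wrapper has been interposed. It assumes Linux.

```c
/* Added example, not from the thread: detect the LD_PRELOAD "fake root"
 * trick by asking the kernel directly instead of trusting the libc
 * wrappers it overrides. Assumes Linux (syscall(2), /proc/self/status). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
long syscall(long number, ...); /* glibc prototype, in case _GNU_SOURCE came too late */
/* Real uid as the kernel reports it; a raw syscall bypasses a preloaded getuid(). */
long kernel_uid(void)
{
    return syscall(SYS_getuid);
}

/* Second opinion from procfs: "Uid:" lists real, effective, saved and fs uids.
 * Returns -1 if /proc is unavailable. */
long proc_uid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    long uid = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Uid:", 4) == 0) {
            uid = strtol(line + 4, NULL, 10); /* first field is the real uid */
            break;
        }
    }
    fclose(f);
    return uid;
}

/* 1 when libc's getuid() disagrees with the kernel, i.e. the wrapper has been
 * interposed (the smile.sh trick); 0 when both answers agree. */
int uid_is_spoofed(void)
{
    return (long)getuid() != kernel_uid();
}
int main(void)
{
    const char *pre = getenv("LD_PRELOAD");
    printf("getuid()=%ld kernel=%ld proc=%ld LD_PRELOAD=%s\n", (long)getuid(),
           kernel_uid(), proc_uid(), pre ? pre : "(unset)");
    if (uid_is_spoofed())
        puts("libc getuid() is lying: this shell is not really root");
    return 0;
}
```

Since syscall() is itself a libc entry point, the /proc/self/status reading, which comes straight from the kernel, is the more robust of the two checks.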

* Is there something that can be done against this ???
  2001-08-13 16:00 S2464 (K7 Thunder) hangs -- some lessons learned Alan Cox
@ 2001-08-13 18:56 ` Mircea Ciocan
  2001-08-13 19:19   ` Jakob Østergaard
                     ` (7 more replies)
  0 siblings, 8 replies; 24+ messages in thread
From: Mircea Ciocan @ 2001-08-13 18:56 UTC (permalink / raw)
  To: Alan Cox; +Cc: Linux Kernel List

[-- Attachment #1: Type: text/plain, Size: 675 bytes --]

	The attached piece of script kiddie shit is the first one that worked
flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
instant root access !!!.
	I was stunned, and it seems that this is the beginning of a Linux Code Red
lookalike worm :(((( using that exploit, probably this is not the most
appropriate place to send this, but I'm not subscribed to the glibc
mailing list and I just hope that some glibc hackers are on linux kernel
list also and they see that and do something before we join the ranks of
M$.

		Dead worried,

		Mircea C.

P.S. Please tell me that I'm just being paranoid and that crap didn't
work on your systems with a lookalike configuration.

[-- Attachment #2: smile.sh --]
[-- Type: application/x-sh, Size: 1773 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

Thread overview: 24+ messages
2001-08-13 20:00 Is there something that can be done against this ??? Per Jessen
  -- strict thread matches above, loose matches on Subject: below --
2001-08-13 16:00 S2464 (K7 Thunder) hangs -- some lessons learned Alan Cox
2001-08-13 18:56 ` Is there something that can be done against this ??? Mircea Ciocan
2001-08-13 19:19   ` Jakob Østergaard
2001-08-13 19:19   ` Ulrich Drepper
2001-08-13 19:20     ` Mircea Ciocan
2001-08-13 19:41       ` Aaron Lehmann
2001-08-13 19:53       ` Chris Meadors
2001-08-13 20:09       ` Admin Mailing Lists
2001-08-13 22:01       ` Rik van Riel
2001-08-14  8:12       ` Helge Hafting
2001-08-13 19:24   ` Peter T. Breuer
2001-08-13 19:34     ` Eli Carter
2001-08-13 19:32   ` Ben Collins
2001-08-13 19:48   ` Ronald Jeninga
2001-08-13 20:02   ` Richard B. Johnson
2001-08-14  8:02   ` Henning P. Schmiedehausen
2001-08-14  8:16   ` joseph.bueno
2001-08-14 10:00     ` David Schwartz
2001-08-14 12:42       ` Helge Hafting
2001-08-14 17:10         ` David Schwartz
2001-08-14 13:16       ` joseph.bueno
2001-08-14 16:34         ` Colonel
2001-08-15  9:08         ` Helge Hafting
2001-08-14 17:47       ` Scott Wood
