Dailydave mailing list archives

Re: Advisory Day!


From: Tiago Assumpção <module () whatever org ar>
Date: Thu, 04 Mar 2004 06:28:35 -0300

Dude, your philosophical question makes me remember a case...

It was an audit over this famous appliance (of which I should not mention the name for ethical reasons) a client was about to pay for. The rules were quite simple:
get in, remotely.
I still remember plugging in a VGA monitor and watching the boot process with
anakata.
No IP address was given, just one supposed account for having read-only access
to their system management software running over https.
Thank god it had an IP address assigned, but the account didn't work.

The always good by-hand brute-force was quite useful -- admin:netscreen (errrmm). From that time on, nahual found out that their CGI programs were actually executing
commands via GET requests. Yes, that's a really gross one.
A simple set of those commands allowed us to find out that /bin/shell was there, even
though uploading one wouldn't have been a hard task.
After this, uploading netcat (yes, they had lynx) and popping up this shell wasn't
difficult either.

So we were in. First look around and we realized it was a simple Linux 2.4.old_release with a, errrm, let's say different, kernel revision tag (maybe their system changes aren't more than manipulating the original source code to make the version strings look fancy). But yes, it was the good old Linux kernel with some good local root
"features".

I remember they didn't have GCC, but had the rest of the toolchain kit, including the full header collection -- was this an attempt to achieve security? Yet no problem: building a random public exploit and uploading (and loading) the program was simple.

Ok, we've got that holy access. After this, nahual still wanted more and triggered John the Ripper, trying to figure out the root password (I think it's always nice to tell the clients their passwords even after full access). After so many (good) surprises, a new one
was yet unexpected! root:abc123

I don't really know what happened when the client got our response, but no matter what,
this was such a classic hack, as fun as it could be! I miss those times :(

In the end, your philosophy helps remind people that so many high-cost (someone said this appliance had a price of ~$20k) cutting-edge technologies will always trip at the
very axiomatic points.


As a reminder of our weakness:

- David Hilbert
- Kurt Gödel (probably the most valuable guest ever to stay in Hilbert's Hotel) - "Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme" [Godel31]

--
                   Tiago Assumpcao

                module () whatever org ar
               7D9A A6BA 8275 964E EF47
               EE5A 7AFF C759 B578 ACAA
     http://whatever.org.ar/~module [/myself.asc]





At 16:35 3/3/2004, you wrote:
At 02:12 PM 3/3/2004 -0500, Dave Aitel wrote:

>Yes, it's time for another "advisory". As I don't believe advisories
>really accomplish anything

Well, for one thing, if you point out you do in fact know how
to issue advisories it might help get companies to listen when
you file bug reports.  Might, of course.

> RealSecure, NAI, etc - do bugs in security
>software products make everyone else laugh?

Well, one certainly wonders what they do with all that
bloody scanning kit if they don't run it against their own gear.
I assume all of EEye's products are being scanned at the submolecular
level by vast teams in suburban Atlanta, as we speak ;-)

Philosophical question:

  suppose a box ships with no shell access by default, but with
  a linux kernel and a shell installed, and with a mechanism available
  to get to the shell.  Are local shell-based exploits then a realistic
  attack path?

I think that, if the vendor shipped BASH on the box, then someone, someday,
is going to run BASH.  I think that's the line.  If you don't want people
running a shell, ever, then don't ship a shell.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave