Vulnerability Development mailing list archives
Re: Kill the DOG and win 100 000 DM
From: Jay Tribick <jay.tribick () CARRIER1 NET>
Date: Mon, 6 Nov 2000 01:38:45 +0000
Hi,
The version that they release for free (PitBull Foundation MU 3.0) installs only on particular releases of Solaris 7 - 10/98 and 8/99 inclusive - which, IIRC, corresponds to stock Sol 7 as first shipped through to MU3 of Sol 7. If you install MU 4, or, God forbid, roll on 7_Recommended, you will end up with having to wade through pages and pages of patch compatibility information to identify if the patch in a particular revision as you installed it is compatible, or not.
Actually the easiest way to do it without wading through the compatibility list is to put the patch(es) on first, and then install Pitbull on top (the Pitbull installation is a set of kernel + user level patches and can be installed on an already running system.)
This leads me to believe that some of the exploits might still be possible on a stock install of free PBF MU 3.0 if it is installed according to the 6 double paged installation guide provided on the web site - libc and ttdb and comsat exploits in particular.
Absolutely - but trusted operating systems aren't cheap, and if the SAs were clueless he/she wouldn't have deployed it in the first place. To a certain extent.. you're paying for obscurity :) I would hope that any SA who's using Pitbull in a commercial environment is already well aware of both the common exploits that are out there, and that a system doesn't come secure out-of-the-box. Pitbull is a means to an end, as is any trusted operating system - it's up to the admin to be competent enough to secure the box itself, and to be able to configure all the different aspects/features that the TOS brings to the table. A TOS is a tool, it allows you to enforce pretty much any security policy you want to enforce - but you have to have that policy clearly defined, and you have to know the operating system inside-out... if your security policies are non-existent, or you expect to be able to install it and say "ok, this host is secure now" then Pitbull isn't the answer.
Of course PitBull does provide the patch cluster with their patches integrated, but I was not cool enough to have a valid username/password pair for the support section on the commercial Argus site to download them.
I think the argus revolution site is there to promote Pitbull to people who otherwise wouldn't have access to this kind of OS, and for us admins who get bored and want to play with something new.. in the hope that we one day will find a commercial use for it and buy it.
root password is rather useless to give out as even stock Solaris will not let one log in over the network as user, same thing is for isso/sa/so users on PBF MU 3.0, and it's unlikely that there will be any other accounts.
root doesn't actually have any privileges on a Pitbull system.. he's just a normal user (out of the box..)
But such publicity stunts are always useful. You get free media exposure for spending the premium on the insurance (if insured), or DM100,000 * probability of hack. As it stands now, the contest is rather rigged, as while the Argus engineers who configured the system do understand the differences in privileges between isso, sa, root and so users that PitBull needs, it is unlikely that this and other security concepts will be fully grasped by an average SA deploying the B2 level system, and a misconfigured system will end up providing fake security.
If you're going to the trouble of deploying B-level TOSs in a critical or at least security aware environment it's not something you do overnight.. to their credit, Argus do provide full training on the system, and they do help you through the installation and make sure that the security policies you want to enforce are ported to the system and working correctly.

..if anyone would like Jeff Thompson's talk from Defcon 7 on "Hacking B1 Trusted Operating Systems", send me an email and I'll put it up somewhere.

--
Regards,
Jay Tribick
Senior Systems Engineer
Carrier1
Voice: +44 207 531 3874