Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: !SPAM! [Full-Disclosure] Automated ssh scanning

from [Ron DuFresne] Network Security [Permanent Link]
Subject: RE: !SPAM! [Full-Disclosure] Automated ssh scanning
Date: Thu, 26 Aug 2004 15:25:58 -0500 (CDT) 
On Thu, 26 Aug 2004, Stephen Agar wrote:


Somehow, this message got to me before Ron's reply did, so I will respond to
both inline.

On Thu, 26 Aug 2004 12:26:04 -0500 (CDT), Ron DuFresne
<dufresne@winternet.com> wrote:

On Thu, 26 Aug 2004, Stephen Agar wrote:


I think many of you are missing the point. Yes the guest/guest
account is weak, but this kernel is (according to debian)
patched..therefore free from local exploits that can be

used to gain

superuser access. I mean if this were the case, then any box that
ran this version of debian to do something like "web

hosting" that

gave users shell access, may as well give them all full sudo.
Because you people are assuming that if someone can gain

access to the box, secured or not, they can gain root..i disagree.



The issue here is why does debain include such a weak

account,m thaqt

has not been tamed via a very restricted chroot env!?


That is one issue, but given that I haven't installed debian in years, I
can't really answer it. However, I don't think it's the "main" issue. The
main issue to me is, if I do install debian, and give an account to a friend
(albeit not a trusted friend), do I have to worry about a "fully patched"
box still getting rooted via a local exploit?




most likely.




That's not the issue though.  As someone who has installed
and maintained debian systems over a period of years, I can
assure you that debian does not include a guest account (or
any account) with a weak password or shell.

There aren't any shell accounts other than root on a debian
install until added by the administrator.

The weak account in question here was created by the original
poster with the intent of catching one of these apparently
automated ssh attacks.


If he did create those accounts himself for "honeypot" purposes, and this
isnt default on that debian install then it has shown us all something. It
has opened the flood gates for discussion about local exploits in that
particular install, that we would assume were patched (unless they are
undisclosed vulns..but do we really think the script kiddies have that many
0day exploits...yikes!)




how many times in the last year has kde or gnome been patched to deal
with a particular security issue?  How about the kernel?  apache?
openssl?  etc..., now consider what one poster said a few replies back
about there being undisclosed holes in merely the kernel for linux, then
reconsider his statements inline with all the packages installed in a
desktop, server etc offered by the various dists setups...


Now to tweak the issues tightly into mind, look at how many updated RPM's
or DBM's or what yer fav dist formats it's packages and understand, the
vast majority of those updated packages are there because they addressed
security issues from this and the various other lists on the topic...


Then, take a deep breath so as to not turn purple once you have taken this
in....




As Barry pointed to directly, it all depends upon what you make
available to your clients once in a shell.  It;s very likely your
server would be as exploitable as most 'default' installs

with the kitchen sink dropped in.

Perhaps not, but likely, depending upon what you 'installed

and allow

clients access to'.

Thanks,

Ron DuFresne


I agree, if this was a production box...then any shell account I had would
either be set up for something like "scp only" for a "web host", or jailed
very tightly..along with every other service running on the box. I was just
saying, that if I install my box, and apply every available patch, I would
expect it to be free of local exploits as well as remote ones.




Unless you know and trust all the folks you share shells with on the net,
be concerned.

expect nothing, you now have a clue.  Oh, and understand, even the pay
large sums vendors face the same issues, hp, solaris, sgi, etc, same
issues.  Make  all choices carefully with full awareness of the
consquences of the choices you make.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re [Full-Disclosure] Automated ssh scanning, Mister Coffee
Next by Date:  Re: [Full-Disclosure] Automated ssh scanning, Valdis . Kletnieks
Previous by Thread:  RE: !SPAM! [Full-Disclosure] Automated ssh scanning, Stephen Agar
Next by Thread:  RE: !SPAM! [Full-Disclosure] Automated ssh scanning, Stephen Agar
Indexes:  [Date] [Thread] [Top] [All Lists]