Linux vulnerabilities

  • ilyawizard
  • Proficient
  • Joined: Oct 24, 2004
  • Posts: 413

Post February 24th, 2005, 6:52 pm

I read an article about OSes. Basically it was about Linux and Windows and stated that the only reason Linux is non-hackable is that most people use Windows and all hackers are hacking Windows, and that if you want to hack Linux you can easily do it if you know your stuff. What do you think of that?

  • Daemonguy
  • Moderator
  • Web Master
  • Joined: Jan 23, 2004
  • Posts: 2673
  • Loc: Somewhere outside the box in Sarasota, FL.

Post February 25th, 2005, 6:38 am

Linux is most certainly NOT 'non-hackable'; in fact, with the proliferation of default installs one will find spanning the Internet, it might even be easier.
Any OS that is not hardened by the administrator is an easy target -- well, any save for OpenBSD.

That does not, however, signify a "safe" system, should it be built by a capable admin. The box still requires updates and patches to remain current and therefore (relatively) vulnerability free.
I say that because ANY system can be hacked; the better you lock it down, the fewer people exist who are capable of such things.

I think what the author of that article meant was that due to a higher percentage of windows machines out there, you will see a higher ratio of Windows hacked, vs. Linux. This is true, to a certain extent. Windows has the highest market share for the desktop and with the expansion of broadband in the home, many more people are on all the time. This makes it easier to hunt down the low-hanging fruit; the Windows machines, slapped together by home users who know nothing about network security.

Crackers will always go after the easiest target.

Hence, more Windows machines get whacked.
"It's always a long day, 86,400 won't fit into a short."
  • xtc
  • Novice
  • Joined: Dec 20, 2004
  • Posts: 34
  • Loc: London UK

Post March 7th, 2005, 4:01 am

Any operating system is only as secure as its users/administrators. Taking that into account, many of the major distributions now come with services disabled out of the box rather than enabled. This is the case with Windows 2003 and also many of the major Linux distributions.

Take Red Hat 7.x for example. If you download the ISOs and install it, you will probably only have about an hour before your system is cracked into. Same with a default Windows 2000/2003 server install.

Taking that into account, many of the server manufacturers that ship preinstalled systems will automatically have them patched up to the latest versions. Red Hat 7.x is so old now that if you're installing it you have problems.

Linux is by no means more secure than Windows out of the box; however, because you can have fewer services running on a Linux box than on a Windows box, it makes it harder to break into when it is "secured". For example, RPC in Windows is essential, however with Linux you don't have to have any RPC daemons running. The list goes on as well.

Take any security article with a pinch of salt.

http://forum.lucidnow.com/
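xtc's point that a hardened Linux box can run fewer network services than a Windows one only helps if you know what is actually listening. The following Python is an added example, not code from the thread; it parses the kernel's /proc/net/tcp table (the sample below is constructed, in that exact format) and reports TCP listeners, separating those bound to every interface from those bound to loopback. It assumes a little-endian host (x86), where the kernel prints the IPv4 address bytes in reverse order, and covers IPv4 only; /proc/net/tcp6 has the same columns with 32-hex-digit addresses.

```python
import socket
import struct
from typing import List, NamedTuple

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

# Constructed sample of /proc/net/tcp: a web server on all interfaces, an MTA
# bound to loopback, portmap (RPC) on all interfaces, and one established SSH
# session that is not a listener at all.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     1        0 11003 1 0000000000000000 100 0 0 10 0
   3: 0B00000A:0016 0C00000A:B2E4 01 00000000:00000000 00:00000000 00000000     0        0 11004 1 0000000000000000 100 0 0 10 0
"""


class Listener(NamedTuple):
    addr: str
    port: int
    uid: int


def decode_addr(hexaddr: str):
    """'0100007F:0050' -> ('127.0.0.1', 80). The kernel prints the address in
    host byte order, which on x86 (assumption) is little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> List[Listener]:
    """All sockets in LISTEN state, with the uid that owns each one."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append(Listener(ip, port, int(fields[7])))
    return found


def exposed(listeners: List[Listener]) -> List[Listener]:
    """Listeners bound to 0.0.0.0, i.e. reachable on every interface; anything
    here that the box does not need to offer is attack surface to remove."""
    return [l for l in listeners if l.addr == "0.0.0.0"]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_TCP
    for l in listening_sockets(table):
        tag = "EXPOSED" if l.addr == "0.0.0.0" else "local"
        print(f"{tag:8} {l.addr}:{l.port} uid={l.uid}")
```

On the sample, port 111 bound to 0.0.0.0 is exactly the RPC daemon xtc says a Linux box need not run; port 25 on 127.0.0.1 is reachable only locally and is not in the exposed list. To find which process owns a listener, match the inode column against the /proc/*/fd links, or simply run `ss -ltnp` as root on a modern system.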
  • Bgnn32
  • Banned
  • Joined: Sep 01, 2004
  • Posts: 435
  • Loc: Western Mass

Post March 10th, 2005, 9:32 am

Every O/S has its security problems and a good hacker can get into any of them. I remember a short time ago getting into an argument with a Mac head because he thought that since he had a Mac there was no need for him to run anti-virus or a firewall. But then again, in the field I work in it is guys like that who keep me in business.

Anyway, with that said, Windows is the most dominant O/S currently on the market, so it stands to reason that hackers and virus writers are going to attack what most people have. I read an article not too long ago talking about how, with the popularity boom Linux is having, more viruses are being written for it, but it is still substantially less than what Windows has.
  • Xel02
  • Proficient
  • Joined: Jun 15, 2004
  • Posts: 261

Post March 11th, 2005, 12:24 am

Also the way that Linux is setup makes it a bit harder for a virus to truly infect Linux. Not that it can't be, eventually something will come up.

However, because most users are generally discouraged from using their root account for normal activities, it's generally harder for a virus to wreak havoc on a system. It can probably wipe out all the user's files, but the system will generally be left intact.

Also, Linux itself is very different among machines, with differences in distribution and general system configuration. The ability to make a virus that can commonly affect a Linux system is thus more restricted.

All Windows boxes come with IE, and thus a virus written for that has a better chance of spreading; the same goes for Outlook. However, with Linux there is a much bigger variety of programs.

This does have its disadvantages though. When a security patch is released there really is no central place to get all the patches. You either go find it among different webpages or you wait until it's included by your distribution.

Note however that this only applies to virii; hackers, on the other hand, are a totally different problem. A virus isn't determined: if you're not affected by it, you're not affected by it. A hacker intent on getting into your system will work at it until he does find a flaw.
  • Daemonguy
  • Moderator
  • Web Master
  • Joined: Jan 23, 2004
  • Posts: 2673
  • Loc: Somewhere outside the box in Sarasota, FL.

Post March 11th, 2005, 6:38 am

I am glad that Xel mentioned the "apples to oranges" difference with regard to hackers and virus writers in this thread; truly, they are two different animals.

There are a couple of misnomers however.

The "way in which Linux is set up makes it harder to write viruses" is an incorrect statement. Actually, the composition of ELF binaries makes it the most viable for the spread of viruses. (Side note: virii is not the plural of virus, it's viruses. For your edification.)

The plain truth, at least for the moment, of why you do not see widespread panic amongst the Linux community with looting and rioting in the streets is simple: no one runs *nix as root. Remember that whoever infects a box, that infection has the permissions inherited by that user. If it's a standard user on a Linux box... those are fairly slim -- even more so if the admin is worth his salt. Also, most *nix admins do not run untrusted software... "Golly, Bob's webserver is supposed to be a gazillion times faster than Apache and it's free. All I have to do is d/l it from http://www.virusesforfree.com/sucker.html and install it as root, according to Bob."

Yeah. Right.

So again, as Xel mentioned, userland procs cannot affect system procs.

That was simply for clarification.

While the different distributions all contain varied packages, they have in common the Linux kernel -- that has its own faults. Let's not forget the previously mentioned ELF package binaries. While some packages will be different, others -- and more importantly, the most vulnerable -- will remain the same.

Uhm. I would say that if I were running SuSE Linux, I could find all the patches I require (for kernel updates OR package fixes) at their website. In fact, that's where we get them. ;)

In any case, there are quite a few viruses (as well as exploits) for Linux out there. The viruses exist as more of a 'proof of concept' than a plague, per the aforementioned reasons. As for the exploits... well, those are heard of every single day. Some might say that it is the very fragmented nature Linux has which is its greatest detriment. Too many cooks in the fire, as it were. We were forced to go with a more stable Linux; Enterprise level. Less radical updates to the tree, everything checked before inclusion and, the best part, a smaller core team of developers. IMHO, it's that fact which increases the foundation and therefore stability of this product.

Cheers.
"It's always a long day, 86,400 won't fit into a short."
  • Jerrek
  • Graduate
  • Joined: Apr 01, 2004
  • Posts: 158
  • Loc: Melbourne, AUS

Post March 16th, 2005, 9:39 am

Daemonguy wrote:
The plain truth, at least for the moment why you do not see widespread panic amongst the Linux community with looting and rioting in the streets is simple; no one runs *nix as root. Remember that whoever infects a box, that infection has the permissions inherited by that user. If it's a standard user on a linux box... those are fairly slim -- even more so if the admin is worth his salt.

So again, as Xel mentioned, userland procs cannot affect system procs.


Running things as non-root doesn't always protect you though. A case in point is the Santy worm which nabbed one of my machines (and I've prided myself on being crack free since 1993) recently. My apache installation fires up as root (because it listens on port 80) and immediately switches to apache.apache. However, the santy worm breached the PHP software, downloaded scripts into /tmp and then proceeded to try to exploit a vulnerability in the kernel to gain root permissions and do whatever it liked. It would have worked too if I hadn't been on a more recent kernel (which does underline your 'admin is worth his salt' comment :))

I noticed the machine behaving strangely while it was trying the various exploits and no doubt it would have succeeded with something eventually.

There's so much more you need to do to make sure Linux isn't vulnerable than just running stuff as non-root, and userland procs certainly can affect system procs if the crack is done in the right way.

Of course, the best way to stay ahead is to subscribe to Bugtraq at http://www.securityfocus.com and keep up to date with your patches, but as has been mentioned, even that on its own is not going to be enough. Security of any box connected to the internet has to be a multi-pronged approach.

I always look at it this way; so long as my box is harder to crack than the guy's next door I'm probably safe :-D
My Home - My rants and raves
Review Mac Software - Mac Software, reviewed.
  • Daemonguy
  • Moderator
  • Web Master
  • Joined: Jan 23, 2004
  • Posts: 2673
  • Loc: Somewhere outside the box in Sarasota, FL.

Post March 16th, 2005, 12:36 pm

Jerrek wrote:

Running things as non-root doesn't always protect you though. A case in point is the Santy worm which nabbed one of my machines (and I've prided myself on being crack free since 1993) recently. My apache installation fires up as root (because it listens on port 80) and immediately switches to apache.apache. However, the santy worm breached the PHP software, downloaded scripts into /tmp and then proceeded to try to exploit a vulnerability in the kernel to gain root permissions and do whatever it liked. It would have worked too if I hadn't been on a more recent kernel (which does underline your 'admin is worth his salt' comment :))


Unless I am mistaken, the Santy-FAM or Santy.A was an application layer exploit, found in phpBB, making use of the highlight exploit. Technically, this is not a function of the Operating System, nor does it infect any core functionality of said operating system or its processes.
It eventually overwrites the web files with "You have been defaced..." or something equally stimulating.

Again, I believe our specific thread involved the 'hackability' of Linux, which eventually led to the 'virus propagation possibilities within the Linux OS'.
When Oracle experiences a virus issue, we do not point the finger at Windows (or Solaris, et al). Likewise, if phpBB contains exploitable code, we cannot call that a 'Linux vulnerability'; given that phpBB is portable code which may be run on the Windows platform, should we also call this a Windows Virus?

Jerrek wrote:

I noticed the machine behaving strangely while it was trying the various exploits and no doubt it would have succeeded with something eventually.

There's so much more you need to do to make sure Linux isn't vulnerable than just running stuff as non-root, and userland procs certainly can affect system procs if the crack is done in the right way.

Of course, the best way to stay ahead is to subscribe to Bugtraq at http://www.securityfocus.com and keep up to date with your patches, but as has been mentioned, even that on its own is not going to be enough. Security of any box connected to the internet has to be a multi-pronged approach.

I always look at it this way; so long as my box is harder to crack than the guy's next door I'm probably safe :-D


You'll note, I did mention that the ELF binaries used by Linux are *easier* to write viruses for, so yes one must stay on top of their systems.
However, I know of no "crack" in which userland procs are manipulated in such a way to elevate a cracker to manage root level procs, or permit root level entry to said procs. I know of plenty which exploit vulnerabilities in present root level processes, but none which permit a userland process to alter in any way, shape or form a root proc. The owner of a running proc may re-nice the proc -- that is lower it's priority via higher value -- though only root user can manipulate the value to a higher (lower number) priority.
Remember, what we are talking about is running procs, not gaining access. We all know that it's possible to exploit a kernel bug to elevate the running user to root status; this is not the discussion at hand.
"It's always a long day, 86,400 won't fit into a short."
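Daemonguy's identification of Santy with the phpBB highlight flaw, together with Jerrek's account of the chain (PHP hole, scripts dropped into /tmp, then a local kernel exploit), suggest the log check a web admin on this thread would have wanted. The following Python is an added example, not code from the thread or from phpBB. It assumes Apache combined-format access logs and keys on the fingerprint the published signatures for that flaw used: a highlight parameter on viewtopic.php that still contains a single quote after the extra round of URL decoding the vulnerable phpBB performed (the %2527 seen in Santy requests). The log lines below are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" access log (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: an ordinary search, an attack-shaped request with a
# placeholder payload, and an unrelated page hit.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Dec/2004:03:14:02 +0000] "GET /forum/viewtopic.php?t=12&highlight=linux HTTP/1.1" 200 8421
198.51.100.9 - - [21/Dec/2004:03:14:05 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527%252Epayload%252E%2527 HTTP/1.0" 200 9100
203.0.113.7 - - [21/Dec/2004:03:15:40 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
"""


def highlight_abuse(target: str) -> bool:
    """True when a viewtopic.php request has a highlight value that yields a
    single quote after a second URL decode. The vulnerable phpBB filtered
    quotes first and called urldecode() afterwards, so %2527 arrived as %27,
    passed the filter, and only then became a literal quote inside code that
    was evaluated. A quote surviving the second decode is the thing to look
    for, whatever the rest of the payload is."""
    parts = urlsplit(target)
    if not parts.path.endswith("viewtopic.php"):
        return False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already performed the first decode; unquote() is the second.
        if key == "highlight" and "'" in unquote(value):
            return True
    return False


def scan(lines):
    """Return (client ip, request target) for every attack-shaped request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and highlight_abuse(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {target}")
```

Against a live log, pass the open file to `scan()`. The check flags any quote in the highlight value, which is what the sanitizer should have rejected in the first place, so a benign search for a word with an apostrophe will also show up; treat hits as triage candidates and follow the source address through the rest of the log (and through the things Jerrek describes: files appearing in /tmp, an outbound IRC connection) rather than as proof of compromise on their own.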
  • Jerrek
  • Graduate
  • Joined: Apr 01, 2004
  • Posts: 158
  • Loc: Melbourne, AUS

Post March 16th, 2005, 1:50 pm

Hi DG - I was specifically responding to the part of your post;

daemonguy wrote:
no one runs *nix as root.


The point I was trying to make was that you shouldn't assume that because your process is not running as root it therefore means it is safe. It is not safe if the rest of the box isn't properly looked after too.

Having said that I accept that isn't a virus - but I was led down the route of discussing that by the original question;

ilyawizard wrote:
And that if you want to hack Linux you can easily do it if you know your stuff. What do you think of that?


The problem with the Santy exploit is that although it exploited application layer, it could use that exploit to gain extra privileges and therefore run applications as root.

Of course, windows worms/viruses tend not to need to go through this process because in general the user is already a superuser anyway. But that's not a Windows vulnerability, that's a usage paradigm that ought to be changed.

I'm trying to remember the last time I got a virus anywhere near my Windows system though... I've had plenty of worm intrusion attempts, trojan attempts, but can't remember the last virus I saw. The landscape has changed a little.
My Home - My rants and raves
Review Mac Software - Mac Software, reviewed.
  • Daemonguy
  • Moderator
  • Web Master
  • Joined: Jan 23, 2004
  • Posts: 2673
  • Loc: Somewhere outside the box in Sarasota, FL.

Post March 16th, 2005, 3:09 pm

Jerrek wrote:
Hi DG - I was specifically responding to the part of your post;

daemonguy wrote:
no one runs *nix as root.


The point I was trying to make was that you shouldn't assume that because your process is not running as root it therefore means it is safe. It is not safe if the rest of the box isn't properly looked after too.


I never stated a box was safe, because a process or processes do not run as root, what I stated was viruses require root and userland procs cannot elevate.
Jerrek wrote:

Having said that I accept that isn't a virus - but I was led down the route of discussing that by the original question;

Exactly.

ilyawizard wrote:
And that if you want to hack Linux you can easily do it if you know your stuff. What do you think of that?

Jerrek wrote:

The problem with the Santy exploit is that although it exploited application layer, it could use that exploit to gain extra privileges and therefore run applications as root.

Specifically related to santy; negative. Santy.A, which was the most common, merely replaced webuser owned files.
santy.fam attempted to execute 3 distinct files; Troj/Shellbot-A, Troj/Termapp-A or Troj/Sown-A. The first opened a channel to IRC which accepted operations. Operations which could be used in DDoS efforts, but again, as userland. The second creates a password protected command shell at the userland level. The last overwrites all files named index.* in the /home dir with some nonsense about "spykids, blah blah"; again, userland.
In no instance does the exploit run any instance as 'root'.

Jerrek wrote:

Of course, windows worms/viruses tend not to need to go through this process because in general the user is already a superuser anyway. But that's not a Windows vulnerability, that's a usage paradigm that ought to be changed.

Generally speaking, you're right. Though, I would argue that process escalation is much more easily accomplished in Windows.
Jerrek wrote:

I'm trying to remember the last time I got a virus anywhere near my windows system though... I've had plenty of worm intrusion attempts, trojan attempts, but can't remember the last virus I saw. The landscape has changed a little


Likewise. Though, I did see many attempts when I worked with the DoD.

Cheers.
"It's always a long day, 86,400 won't fit into a short."
  • Jerrek
  • Graduate
  • Joined: Apr 01, 2004
  • Posts: 158
  • Loc: Melbourne, AUS

Post March 17th, 2005, 2:38 am

Daemonguy wrote:
Specifically related to santy; negative. Santy.A, which was the most common, merely replaced webuser owned files.
santy.fam attempted to execute 3 distinct files; Troj/Shellbot-A, Troj/Termapp-A or Troj/Sown-A. The first opened a channel to IRC which accepted operations. Operations which could be used in DDoS efforts, but again, as userland. The second creates a password protected command shell at the userland level. The last overwrites all files named index.* in the /home dir with some nonsense about "spykids, blah blah"; again, userland.
In no instance does the exploit run any instance as 'root'.


Perhaps it wasn't Santy I got hit with. It had downloaded (and compiled!) code which, when I read through it with the assistance of my old pal Google, was designed to take advantage of a stack smashing flaw in older Linux kernels to gain root privileges, which was then used to call bash and accept outside connections with no password. Clearly, if it had achieved that, my machine would have been totally compromised. I believe the originator of the download was through the use of Shellbot (hence why I arrived at the conclusion that it was some variant of Santy at least -- though there was a PHP flaw around at the time that could just as easily have been the culprit, I must admit).

I learned a lot that day :) My /tmp is now mounted noexec, my wget is hidden elsewhere and I'm on latest PHP and phpBB :) Not to mention I'm off RH9 and onto Fedora 2.

Nonetheless I suspect we're wandering a bit off topic here now so I shall shut up :)
My Home - My rants and raves
Review Mac Software - Mac Software, reviewed.
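Jerrek's fix above, mounting /tmp noexec, is the kind of setting that quietly drifts back after a reinstall or a change to /etc/fstab. The following Python is an added check, not code from the thread; it parses text in the six-column layout shared by /proc/mounts and /etc/fstab and reports which hardening options the world-writable scratch filesystems lack. It goes beyond the post in also covering /var/tmp and /dev/shm, the other usual drop points, on the assumption that each is a filesystem of its own; the mount table below is constructed.

```python
import re
from typing import Dict, List, Set

# Scratch filesystems any local user can write to, with the options that keep a
# dropped file from being executed, from carrying a setuid bit, or from acting
# as a device node. /tmp is the mount from the post; /var/tmp and /dev/shm are
# added here as the other usual drop points (assumption: each is its own mount).
WANTED: Dict[str, Set[str]] = {
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/var/tmp": {"noexec", "nosuid", "nodev"},
    "/dev/shm": {"noexec", "nosuid", "nodev"},
}

# Constructed sample in /proc/mounts format: /tmp lacks noexec, /var/tmp is not
# a separate mount at all, /dev/shm is fully hardened.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    """/proc/mounts and fstab write space, tab, newline and backslash as octal escapes."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Map mount point -> option set from /proc/mounts or /etc/fstab text
    (device, mount point, type, options, dump, pass). Comments and short
    lines are skipped."""
    table: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        table[_unescape(fields[1])] = set(fields[3].split(","))
    return table


def missing_options(mounts: Dict[str, Set[str]], wanted=WANTED) -> Dict[str, List[str]]:
    """Hardening options each wanted mount point lacks. A path that is not a
    mount point of its own is reported as such: options cannot be set on it
    until it is one (a bind mount of the directory onto itself will do)."""
    report: Dict[str, List[str]] = {}
    for mount_point, needed in wanted.items():
        if mount_point not in mounts:
            report[mount_point] = ["not a separate mount"]
            continue
        lacking = sorted(needed - mounts[mount_point])
        if lacking:
            report[mount_point] = lacking
    return report


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTS
    for mount_point, problems in sorted(missing_options(parse_mounts(text)).items()):
        print(f"{mount_point}: {', '.join(problems)}")
```

Run it against /proc/mounts for the live state and against /etc/fstab for what the next boot will produce; the two disagree more often than one would hope. Two caveats on the measures themselves: noexec stops `./exploit` but not `perl /tmp/exploit.pl` or `bash /tmp/x.sh`, and it does nothing about code compiled or copied somewhere else the web user can write, which is what Jerrek's intruder did; and hiding wget only costs the attacker a moment, since curl, perl, or bash's /dev/tcp will fetch just as well. They raise the bar, they do not replace the patching Jerrek mentions.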
  • AnarchY SI
  • Web Master
  • Joined: Oct 30, 2004
  • Posts: 2521
  • Loc: /usr/src/MI

Post March 17th, 2005, 1:27 pm

Quote:
Likewise. Though, I did see many attempts when I worked with the DoD.


Duude.. you worked with the DoD?? Hah.. that is so hardcore..
"In a world without walls and fences, who needs Windows and Gates?"
  • Elfwarlord
  • Newbie
  • Joined: Mar 29, 2005
  • Posts: 11

Post March 29th, 2005, 3:04 pm

I'm not a genius or anything about hacking or anything, but I really want revenge on a company called Jagex. They run a game called RuneScape. These morons running it are the one reason why I am poor. I got hacked because someone got on their system and I want revenge since they are blaming the hacking on me. So if any of you could help me in any way possible I would appreciate it. Links, diagrams, tutorials, etc.
  • AnarchY SI
  • Web Master
  • Joined: Oct 30, 2004
  • Posts: 2521
  • Loc: /usr/src/MI

Post March 29th, 2005, 3:11 pm

sorry but this isn't a forum that promotes hacking.
"In a world without walls and fences, who needs Windows and Gates?"
  • Elfwarlord
  • Newbie
  • Joined: Mar 29, 2005
  • Posts: 11

Post March 29th, 2005, 3:21 pm

I'm sure someone could help me.
© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.