Re: Debian.org Hacked
For those who missed it, the Debian machines were hacked because of a combination of a sniffed password and a local root exploit. The hole is believed to be only locally exploitable, not remotely.

More details on this exploit are at http://isec.pl/vulnerabilities/isec-0012-do_brk.txt

Among other things, it says that:

> Impact:
> =======
>
> Successful exploitation of do_brk() leads to full compromise of vulnerable system, including gaining full uid 0 privileges, possibility of kernel code and data structures modification as well as kernel-level (ring0) code execution.
>
> Tested and successfully exploited kernel versions include:
>
> o 2.4.20-18.9 as shipped with RedHat 9.0
> o 2.4.22 (vanilla)
> o 2.4.22 with grsecurity patch
>
> There is no known reliable workaround for this vulnerability. We recommend upgrading to the most recent kernel version (so far the 2.4.23 kernel) on all vulnerable systems.

As an aside, I wonder how many people here are using Linux to grant other people a full shell account? How many full shell users do they have?

--
If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.
-- George Bernard Shaw
(sent by shaulk @ actcom . net . il)

=
To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
Re: Debian.org Hacked
The CNet article summarizing it: http://news.com.com/2100-7344_3-5112427.html?tag=nefd_top

Shaul Karl wrote:
> For those who missed it, the Debian machines were hacked because of a combination of a sniffed password and a local root exploit. The hole is believed to be only locally exploitable, not remotely.
>
> More details on this exploit are at http://isec.pl/vulnerabilities/isec-0012-do_brk.txt
>
> Among other things, it says that:
>
> > Impact:
> > =======
> >
> > Successful exploitation of do_brk() leads to full compromise of vulnerable system, including gaining full uid 0 privileges, possibility of kernel code and data structures modification as well as kernel-level (ring0) code execution.
> >
> > Tested and successfully exploited kernel versions include:
> >
> > o 2.4.20-18.9 as shipped with RedHat 9.0
> > o 2.4.22 (vanilla)
> > o 2.4.22 with grsecurity patch
> >
> > There is no known reliable workaround for this vulnerability. We recommend upgrading to the most recent kernel version (so far the 2.4.23 kernel) on all vulnerable systems.
>
> As an aside, I wonder how many people here are using Linux to grant other people a full shell account? How many full shell users do they have?
Re: Debian.org Hacked
The Debian Project                                    http://www.debian.org/
Debian Investigation Report                            [EMAIL PROTECTED]
December 2nd, 2003

Debian Investigation Report after Server Compromises

The Debian administration team and security experts are finally able to pinpoint the method used to break into four project machines. However, the person who did this has not yet been uncovered.

The package archives were not altered by the intruder. The Debian administration and security teams have checked these archives (security, us, non-us) quite early on in the investigation and re-installation process. That's why the project was able to open up the security archive again and confirm that the stable update (3.0r2) wasn't compromised.

If the project had anticipated being compromised at the same time the stable update was implemented, the people involved would have postponed it. However, the updated packages were already installed in the stable archive and on mirror servers at the time the break-ins were discovered, so it wasn't possible to hold it back anymore.

Several methods based on different control data were used to verify the packages and to ensure that the archives weren't altered by the attacker:

 . externally stored lists of MD5 sums accumulated over the past weeks on machines that were not compromised
 . digitally signed .changes files from external debian-devel-changes archives on machines that were not compromised
 . digitally signed .changes files on the respective archive servers
 . externally stored mirror log files

Timeline

Below is the timeline of discovery and recovery of the compromised machines. All times are in UTC. Some times are only estimates since our conversation did not contain exact timestamps.

Sep 28 01:33  Linus Torvalds releases 2.6.0-test6 with do_brk() fix
Oct 02 05:18  Marcelo Tosatti applies do_brk() boundary check
Nov 19 17:00  Attacker logs into klecker with sniffed password
Nov 19 17:08  Root-kit installed on klecker
Nov 19 17:20  Attacker logs into master with same sniffed password
Nov 19 17:47  Root-kit installed on master
Nov 19 18:30  Attacker logs into murphy with service account from master
Nov 19 18:35  Root-kit installed on murphy
Nov 19 19:25  Oopses on murphy start
Nov 20 05:38  Oopses on master start
Nov 20 20:00  Discovery of Oopses on master and murphy
Nov 20 20:54  Root-kit installed on gluck
Nov 20 22:00  Confirmation that debian.org was compromised
Nov 21 00:00  Deactivation of all accounts
Nov 21 00:34  Shut down security.debian.org
Nov 21 04:00  Shut down gluck (www, cvs, people, ddtp)
Nov 21 08:30  Point www.debian.org to www.de.debian.org
Nov 21 10:45  Public announcement
Nov 21 16:47  Developer information updated
Nov 21 17:10  Shut down murphy (lists)
Nov 22 02:41  security.debian.org is back online
Nov 25 07:40  lists.debian.org is back online
Nov 28 22:39  Linux 2.4.23 released

Discovery

On the evening (GMT) of Thursday, November 20th, the admin team noticed several kernel oopses on master. Since that system had been running without problems for a long time, the system was about to be taken into maintenance for deeper investigation of potential hardware problems. However, at the same time, a second machine, murphy, was experiencing exactly the same problems, which made the admins suspicious.

Also, klecker, murphy and gluck have Advanced Intrusion Detection Environment (package aide) installed to monitor filesystem changes, and at around the same time it started warning that /sbin/init had been replaced and that the mtime and ctime values for /usr/lib/locale/en_US had changed. Further investigation revealed the cause of both these problems to be the SucKIT root-kit. It includes password sniffing and detection evasion capabilities (i.e. tools to hide processes and files) which are installed directly into the kernel, which in turn caused the oopses that were noticed.

Detailed Attack Analysis

On Wednesday, November 19th, at approximately 5pm GMT, a sniffed password was used to log into an unprivileged developer account on the host klecker (.debian.org). The attacker then retrieved the source code through HTTP for an (at that time) unknown local kernel exploit and gained root permissions via this exploit. Afterwards, the SucKIT root-kit was installed.

The same account and password data were then used to log into the machine master, to gain root permissions with the same exploit and also to install the SucKIT root-kit.

The attacker then tried to get access to the host murphy with the same account. This failed because murphy is a restricted machine and its only purpose is to act as a list server into which only a small subset of developers can log. Since the initial login attempt didn't work, the person used his root access on
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
On Mon, Nov 24, 2003 at 11:38:04AM +0200, Muli Ben-Yehuda wrote:
> On Mon, Nov 24, 2003 at 10:49:43AM +0200, Maxim Kovgan wrote:
> > On Sun, 23 Nov 2003, Noam Rathaus wrote:
> >
> > hi Noam!
> > it is great you've brought up the subject, and if u find more info on what exactly was there, please post it on here.

Some preliminary conclusions are at http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200311/msg00012.html

Do notice the disclaimer at the beginning of that message. Bottom line of that report, as I understand it:

1. A sniffed password was used to access an (unprivileged) account on one machine.
2. At the time of the posting, the writer believes there is an as-yet-unknown local root exploit used to go from having local unprivileged access to having root. This exploit was used to gain access to other machines.
3. A flaw in the kernel code of the Suckit rootkit that was installed and the aide monitor tool exposed the intrusion.

--
If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.
-- George Bernard Shaw
(sent by shaulk @ actcom . net . il)
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
The kernel oops made them suspicious since it occurred on two servers. Notice that they saw the init change through other tools.

Regards,

Lior Kaplan
[EMAIL PROTECTED]
http://www.Guides.co.il

Come to write at the forums: http://www.guides.co.il/forums

----- Original Message -----
From: Shaul Karl [EMAIL PROTECTED]
To: Maxim Kovgan [EMAIL PROTECTED]
Cc: Linux-IL Mailing List [EMAIL PROTECTED]
Sent: Saturday, November 29, 2003 3:00 AM
Subject: Re: Debian.org Hacked... How far was it from apt-get installing Trojans?

> On Mon, Nov 24, 2003 at 11:38:04AM +0200, Muli Ben-Yehuda wrote:
> > On Mon, Nov 24, 2003 at 10:49:43AM +0200, Maxim Kovgan wrote:
> > > On Sun, 23 Nov 2003, Noam Rathaus wrote:
> > >
> > > hi Noam!
> > > it is great you've brought up the subject, and if u find more info on what exactly was there, please post it on here.
>
> Some preliminary conclusions are at http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200311/msg00012.html
>
> Do notice the disclaimer at the beginning of that message. Bottom line of that report, as I understand it:
>
> 1. A sniffed password was used to access an (unprivileged) account on one machine.
> 2. At the time of the posting, the writer believes there is an as-yet-unknown local root exploit used to go from having local unprivileged access to having root. This exploit was used to gain access to other machines.
> 3. A flaw in the kernel code of the Suckit rootkit that was installed and the aide monitor tool exposed the intrusion.
>
> --
> If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.
> -- George Bernard Shaw
> (sent by shaulk @ actcom . net . il)
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
On Sun, 23 Nov 2003, Noam Rathaus wrote:

hi Noam!
it is great you've brought up the subject, and if u find more info on what exactly was there, please post it on here.

and there is always a danger that some malicious submitter submits a package to rpm/deb/tgz database with a trojan. as well as microsoft update with another trojan ...

so what is the idea of adding the sentence after "how far was it from"? i guess it was not far. but let us not become populists :)

it is known to any security professional: information security is a matter of risks vs. resources vs. chances considerations. so there is always a chance that even your compiler adds to any of your programs with socket.h an additional little binary tcp server that spawns only at certain twilight hours :) and it is close. how often do you disassemble your compiled code ?

just fyi: security.debian.org was never compromised until now. and the only time it was down - was because the building it was in caught fire.

Thanks.
Max.

> Hi,
>
> I was wondering if Debian.org was hacked, how far was I as a simple user doing routinely apt-get update followed by apt-get upgrade (on the stable Debian) from getting my system Trojaned? Or as an advanced user doing the same on the unstable packages?
>
> Thanks
>
> Noam Rathaus
> CTO
> Beyond Security Ltd.
> http://www.securiteam.com
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
Maxim Kovgan wrote:
> how often do you disassemble your compiled code ?

According to the following, even disassembling your compiled code won't be trusty, because how can you trust your disassembler that it wasn't trojan'ed to hide the malicious code?

http://www.acm.org/classics/sep95/

Excellent reading... (See after figure 5 if you are too impatient to read the whole thing).

--Amos
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
On Mon, Nov 24, 2003 at 10:49:43AM +0200, Maxim Kovgan wrote:
> On Sun, 23 Nov 2003, Noam Rathaus wrote:
>
> hi Noam!
> it is great you've brought up the subject, and if u find more info on what exactly was there, please post it on here.

This link has surfaced lately: http://www.wiggy.net/debian/

> how often do you disassemble your compiled code ?

reflections on trusting trust. Google has the link.

Cheers,
Muli
--
Muli Ben-Yehuda http://www.mulix.org | http://mulix.livejournal.com/
the nucleus of linux oscillates my world - [EMAIL PROTECTED]
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
Muli Ben-Yehuda wrote:
> On Mon, Nov 24, 2003 at 10:49:43AM +0200, Maxim Kovgan wrote:
> > On Sun, 23 Nov 2003, Noam Rathaus wrote:
> >
> > hi Noam!
> > it is great you've brought up the subject, and if u find more info on what exactly was there, please post it on here.
>
> This link has surfaced lately: http://www.wiggy.net/debian/

Goody... They keep recommending chkrootkit. I got the impression that chkrootkit is considered too untrusty to rely on, what do the experts in this forum say?

> > how often do you disassemble your compiled code ?
>
> reflections on trusting trust. Google has the link.

Funny, I thought exactly about the same thing :) That's the link I sent previously.

--Amos
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
[EMAIL PROTECTED] wrote:
> Maxim Kovgan wrote:
> > how often do you disassemble your compiled code ?
>
> According to the following, even disassembling your compiled code won't be trusty, because how can you trust your disassembler that it wasn't trojan'ed to hide the malicious code?
>
> http://www.acm.org/classics/sep95/
>
> Excellent reading... (See after figure 5 if you are too impatient to read the whole thing).

Actually, that only talks about the compiler being trojaned. It talks about having the source as not being good enough.

In essence, the lower down your inspection tools, the less likely they are to be trojaned. A compiler is fairly unlikely to be trojaned. Three compilers from different vendors are even less likely. If you worry about gcc being trojaned in this way, download the sources, and compile a native version for Solaris using Sun's compiler. Then take the resulting gcc compiler and use it to cross-compile a Linux x86 version. This will all but eliminate the chances that you will end up with a trojaned binary (with a trojan that does not appear in the source, that is).

I believe you will find that trojaning a disassembler will be a tougher job (unless it's a pretty high level disassembler, such as IDA Pro, that has a good idea of the program structure anyways). Trojaning a CPU is all but impossible without making the CPU 5 times as expensive. The farther away the trojaning action is from what the tool is doing anyways, the more costly (in development, size of code and silicon) it is to put the trojan in.

Shachar

--
Shachar Shemesh
Open Source integration consulting
Home page resume - http://www.shemesh.biz/
Debian.org Hacked... How far was it from apt-get installing Trojans?
Hi,

I was wondering if Debian.org was hacked, how far was I as a simple user doing routinely apt-get update followed by apt-get upgrade (on the stable Debian) from getting my system Trojaned? Or as an advanced user doing the same on the unstable packages?

Thanks

Noam Rathaus
CTO
Beyond Security Ltd.
http://www.securiteam.com
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
On Sun, Nov 23, 2003 at 01:25:01PM +0200, Noam Rathaus wrote:
> Hi,
>
> I was wondering if Debian.org was hacked, how far was I as a simple user doing routinely apt-get update followed by apt-get upgrade (on the stable Debian) from getting my system Trojaned? Or as an advanced user doing the same on the unstable packages?

The debian advisory was very explicit that the archive was never compromised. I haven't heard any more details, but I'd love to hear how the break-in occurred and what were the trust relationships between the broken-into machines and the archive machines.

Cheers,
Muli
--
Muli Ben-Yehuda http://www.mulix.org | http://mulix.livejournal.com/
the nucleus of linux oscillates my world - [EMAIL PROTECTED]
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
Muli Ben-Yehuda wrote:
> The debian advisory was very explicit that the archive was never compromised. I haven't heard any more details, but I'd love to hear how the break-in occurred and what were the trust relationships between the broken-into machines and the archive machines.

And how are they so sure that the archive machines weren't compromised? I understand how they can check the integrity of the archives (MD5 sums), but what tools and procedure do they use for the rest of the system? Tripwire with some unwritable media for checksums? Something else?

> Cheers,
> Muli

Cheers,

Amos (a user of a very stable unstable debian)
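Amos's question above (what, beyond MD5 sums of the archive, tells you the rest of a machine is intact) is answered in outline by the Debian report quoted earlier in this thread: MD5 sum lists kept on uncompromised hosts, and aide warning that /sbin/init had been replaced and that mtime/ctime of /usr/lib/locale/en_US had changed. The following Python is an added example of that baseline-and-compare approach; it is not Debian's procedure, not aide or Tripwire, and not code from any poster. The function names (file_record, build_baseline, compare, demo) and the tiny fake filesystem tree are constructed for illustration, and it records SHA-256 where the report mentions MD5 sums.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes recorded per file, in the spirit of aide/Tripwire. ctime is
    included because it changes on any inode update (chmod, chown, rename)
    and, unlike mtime, cannot be set back with utime()."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,
    }


def build_baseline(root: Path) -> dict:
    """Record every regular file below root, keyed by path relative to root."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            records[str(p.relative_to(root))] = file_record(p)
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline; for changed
    files, list which recorded attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: a small fake root, a baseline stored outside the
    monitored tree, then changes resembling those the report describes
    (init replaced, locale directory contents touched, a file dropped)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        for rel, data in {
            "sbin/init": b"constructed init binary\n",
            "usr/lib/locale/en_US/LC_CTYPE": b"constructed locale data\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
            os.chmod(root / rel, 0o644)  # fixed mode so the baseline is umask-independent

        # Baseline written outside the monitored tree. In real use this goes to
        # read-only media or another host, so an intruder cannot rewrite it.
        store = Path(tmp) / "baseline.json"
        store.write_text(json.dumps(build_baseline(root)))

        # Simulated intrusion: init replaced, a locale file's mode altered
        # (touches ctime but not content), and a hidden file added.
        (root / "sbin/init").write_bytes(b"constructed trojaned init\n")
        os.chmod(root / "usr/lib/locale/en_US/LC_CTYPE", 0o600)
        (root / "usr/lib/locale/en_US/.sk").write_bytes(b"constructed rootkit config\n")

        return compare(json.loads(store.read_text()), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints a report naming sbin/init as changed in content, the locale file as changed in mode (and normally ctime), and the dropped file as added. The comparison is only as trustworthy as the baseline copy and the tools reading the filesystem: if the kernel itself is hiding files, as the report says SucKIT does, the check must run from a clean boot medium against the mounted disk.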
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
Noam Rathaus wrote:
> Hi,
>
> I was wondering if Debian.org was hacked, how far was I as a simple user doing routinely apt-get update followed by apt-get upgrade (on the stable Debian) from getting my system Trojaned? Or as an advanced user doing the same on the unstable packages?
>
> Thanks
>
> Noam Rathaus
> CTO
> Beyond Security Ltd.
> http://www.securiteam.com

The debian DEB files are gpg signed by debian maintainers. The list of maintainers is also maintained in a (signed) package called debian-keyring. In theory, this means that getting root on the primary mirror will not allow you to trojan Debian machines.

So far for the theory. In practice, I'm not sure whether the mechanism for checking these signatures is easily installable. As such, it is likely that many, if not most, Debian installations do not, in fact, verify signatures against the debian-keyring.

Also bear in mind that anyone from this ring can, in theory, trojan the distro once they take over the servers. Then again, they can also do that anyways by trojaning their own binary. Also, we will all know who that maintainer was.

Last - a correction for Muli. While the main distro site was not broken into, the security and non-us sites were. Apparently, none of the packages were tampered with, but the actual servers holding the packages were, in fact, broken into.

--
Shachar Shemesh
Open Source integration consulting
Home page resume - http://www.shemesh.biz/
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
Shachar Shemesh wrote:
> So far for the theory. In practice, I'm not sure whether the mechanism for checking these signatures is easily installable. As such, it is likely that many, if not most, Debian installations do not, in fact, verify signatures against the debian-keyring.

I was wondering about this once - it seems pretty amazing to me that such a hackers' distro won't implement PGP signature checking on packages as part of the installation process - doesn't even RH do that in up2date and its ilk? It sounds from the way you put things that it's far from trivial - but is it possible at all to integrate PGP signature checking with the apt install process?

Cheers,

--Amos
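Shachar describes packages signed by maintainers whose keys live in debian-keyring, Amos asks whether that checking could be wired into the install process, and the Debian report earlier in the thread says the archive was re-verified against digitally signed .changes files. The Python below is an added illustration of what that last check involves; it is not apt's, dpkg's or Debian's code and not from any poster. It takes a clearsigned .changes file, extracts the signed body, parses its Files: field (each line is md5sum, size, section, priority, filename) and checks every listed file's size and md5sum against what the signed text says. The function names and the sample upload are constructed; the signature itself is assumed to be verified separately with gpg against debian-keyring before the Files list is trusted, which this code does not do.

```python
import hashlib
import tempfile
from pathlib import Path

ARMOR_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def signed_body(text: str) -> str:
    """Return the message part of a clearsigned text, or the text itself if it
    is not clearsigned. This only extracts the body; checking the signature
    against the maintainer keys (debian-keyring) is gpg's job and must be
    done before the Files list is trusted."""
    lines = text.splitlines()
    if not lines or lines[0] != ARMOR_BEGIN:
        return text
    try:
        start = lines.index("", 1) + 1            # blank line ends the armor header
        end = lines.index(SIG_BEGIN, start)
    except ValueError:
        raise ValueError("malformed clearsigned message") from None
    # clearsign dash-escapes body lines that begin with '-'
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start:end])


def parse_files_field(changes_text: str) -> dict:
    """Parse the Files: field of a .changes file. Each continuation line is
    '<md5sum> <size> <section> <priority> <filename>'."""
    entries = {}
    in_files = False
    for line in signed_body(changes_text).splitlines():
        if not in_files:
            in_files = line.startswith("Files:")
            continue
        if not line.startswith(" "):              # next field starts
            break
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"bad Files line: {line!r}")
        md5, size, _section, _priority, name = parts
        entries[name] = {"md5": md5, "size": int(size)}
    return entries


def verify_upload(changes_path: Path) -> dict:
    """Check every file listed in the .changes against the recorded size and
    md5sum. Size is checked first, so a truncated or padded file is reported
    as such rather than as a hash mismatch."""
    results = {}
    for name, want in parse_files_field(changes_path.read_text()).items():
        p = changes_path.parent / name
        if not p.is_file():
            results[name] = "missing"
            continue
        data = p.read_bytes()
        if len(data) != want["size"]:
            results[name] = "size mismatch"
        elif hashlib.md5(data).hexdigest() != want["md5"]:
            results[name] = "md5 mismatch"
        else:
            results[name] = "ok"
    return results


def demo() -> dict:
    """Constructed upload: three files and a clearsigned-looking .changes whose
    Files: field was computed from the originals; then one file is altered in
    place without changing its length and another is removed."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        files = {
            "foo_1.0-1.dsc": b"constructed source control file\n",
            "foo_1.0-1.diff.gz": b"constructed diff payload\n",
            "foo_1.0-1_i386.deb": b"constructed binary package payload\n",
        }
        for name, data in files.items():
            (d / name).write_bytes(data)
        file_lines = "\n".join(
            f" {hashlib.md5(data).hexdigest()} {len(data)} utils optional {name}"
            for name, data in files.items()
        )
        # The signature block is a constructed placeholder, not a real OpenPGP
        # signature; gpg would reject it, which is exactly what the signature
        # check that precedes this code is for.
        (d / "foo_1.0-1_i386.changes").write_text(
            f"{ARMOR_BEGIN}\nHash: SHA1\n\n"
            "Format: 1.7\nSource: foo\nVersion: 1.0-1\n"
            f"Files:\n{file_lines}\n"
            f"{SIG_BEGIN}\n(placeholder)\n-----END PGP SIGNATURE-----\n"
        )
        tampered = bytearray(files["foo_1.0-1_i386.deb"])
        tampered[0] ^= 0xFF                       # same length, different content
        (d / "foo_1.0-1_i386.deb").write_bytes(bytes(tampered))
        (d / "foo_1.0-1.diff.gz").unlink()
        return verify_upload(d / "foo_1.0-1_i386.changes")


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:13} {name}")
```

The ordering matters: the md5sums are only meaningful once gpg has confirmed the .changes was signed by a key in the keyring, because an intruder with root on the archive host can rewrite an unsigned checksum list as easily as the packages. That is also why the report pairs the archive-side .changes files with copies kept on other machines.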
Re: Debian.org Hacked... How far was it from apt-get installing Trojans?
On Sun, Nov 23, 2003 at 02:36:46PM +0200, Shachar Shemesh wrote:
> Last - a correction for Muli. While the main distro site was not broken into, the security and non-us sites were. Apparently, none of the packages were tampered with, but the actual servers holding the packages were, in fact, broken into.

I said:

> The debian advisory was very explicit that the archive was never compromised.

The advisory says:

> The archive is not affected by this compromise!

"archive" in the sense of the packages, not in the sense of the archive machines.

Cheers,
Muli
--
Muli Ben-Yehuda http://www.mulix.org | http://mulix.livejournal.com/
the nucleus of linux oscillates my world - [EMAIL PROTECTED]