21
phorkyas
12d

"Linux is more secure." Put on your tin-foil hats. As you can:
>Root over 50% of linux servers you encounter in the wild with two easy scripts,
Linux_Exploit_Suggester [0], and unix-privesc-check [1].
(sauce: Phineas Phisher - http://pastebin.com/raw/cRYvK4jb)

Comments
  • 2
    That's actually pretty interesting and looks pretty dang easy
  • 27
    Just because Linux is more secure does not mean it prevents dumb admins from setting insecure and overused passwords
  • 16
    Don't confuse living in a bunker with leaving the door open. Linux is just a tool, it's up to the end user to set it up correctly. At least with open source systems you can see where the issue is and try to fix it, rather than have to pray that a single company didn't screw up in the dark.
  • 2
    “Cplusplus is a terrible language”
  • 2
    @aviophile obligatory: May I introduce you to Rust?
  • 0
    @fuckwit Now I almost feel like on HN ;-)
  • 0
    @kolaente That's not what these scripts are about. It's mostly about enumeration of services and files.

    (But I yet have to get used to using them. Like 14 yrs on Linux boxes, but never approached them as an attacker. - Now for the first time it really took some time to get a shell and not lose it - now I'm stuck at getting root, while other claimed it was a 30sec job.)
  • 2
    The main issue though is, that everyone thinks they set their system up properly and securely - yet almost nobody has.

    Ease of use can be a factor too. One can argue whether or not system A is more secure than system B, if at peak performance with the optimal setup system A outperforms system B in all aspects w.r.t. security, yet 90% of users "in the wild" run system A configurations that are inferior to system B configurations in the wild.

    This is an exaggeration obviously, the point is that the security discussion is mostly too black and white.
  • 1
    I do not trust someone who calls programs like nmap or sqlmap "hacking tools".

    Further, scanning all IP addresses found with nmap, or something else, will make all the alarm bells ring at the owners end. If it is a target worth attacking, it will most probably not run by idiots.

    Most sophisticated firewalls will block IP addresses that are caught port scanning anyway

    Further he gains access script kiddy style on a server set up by someone who hasn't got a clue what they are doing.

    The rooting and pivoting stuff, however, is really interesting!
  • 1
    @Yamakuzure Sure nmap can be quite "loud", that's why he says you need to take foreign/bought servers. Hide with tor and VPN.
    Don't want to try too hard convincing you the guy is the real deal,.. but consider he/she's fluent in at least three languages, two of his jobs even have Wikipedia articles *and he never got caught* despite pissing of a lot of people with connections to state affairs
  • 0
    @Maer Exactly. That's why a general statement like "A is more secure" eg. for A=Linux is just not helpful.
  • 1
    @Maer yeah, the user's preferences and customizations have a lot to do in system security. But that's a secondary problem IMO.

    But there are oh so many users who have no hugging idea how to do things right... so I'd like to mention a different problem:

    There are systems SysA, that should be configured to remain secure.
    And there are systems SysB, that should be configured to become secure.

    A granny might have a stock setup of SysB and only use it to read emails from her children. And yet she's a subject for SysB exploits. Whereas if she had SysB she'd have to deliberately make changes to make it insecure.

    Also, by "secure" I mean "secure enough". A complete 100% security is a pipe dream. It's like taking a walk in the forest and believing you won't get bit by mosquitos (SysB) and waiting for a bus in a middle of the city and hoing there will be no mosquitos (SysA).
  • 1
    As for OP, scripts did not show me any exploits on a stock Linux installation. The only thing the second script did show is a looong list of all my files and their permissions. Which is useless - I already know what permissions my files have...
    As for /proc contents' permissions, they are protected by kernel, since it is a virtual filesystem. I don't see the point for script#2...

    Seriously, what's the point of this warning?

    W: [privileged_writable] (running /home/netikras/bin/pingloss) /home/netikras/bin is owned by user netikras (YOU) (group netikras), non-root user (drwxr-xr-x)

    ??

    Is this a security issue? :D Ridiculous
  • 1
    @netikras My first reaction was similar. It's not that you push a button and your root shell pops up. It's just basic enumeration, gather as much as you can with commands as trivial as "ps aux | grep root", but they can give you hints.

    It's the first time I try it - no sysadmin nor pentester - and so I fail. There were like hundreds CVE for the vmware-tools and mysql on that Ubuntu 16.04 box, I tried. For the latter I found two I'd have to chain together (first to get mysql user, then root - but didn't work yet).

    For a stock desktop installation you'd probably not expect much to show up, but (real) server might be a different animal. Lots of services with elevated rights, that need constant patching, wrong directory ACL can already bite, etc.
  • 0
    Well, the whole article revolves around servers. User desktops are uninteresting anyway, as you don't get to them via their public IP anyway.
  • 1
    @phorkyas Yepp, I agree. Considering servers usually are running outdated SW versions this toolset might be handy to prepare for patching.

    P.S. wrong ACLs? Jesus Christ... ACLs should not be used at all. It's evil of the worst kind!
  • 0
    finally got root. schouldn't have taken so long..

    To take the attacker's point of view is really so different.
Your Job Suck?
Get a Better Job
Add Comment