bstrosberg at rcpsc.edu
Wed Jan 22 14:38:19 EST 2003
> From: Ian Wormsbecker [mailto:i.wormsbecker at uleth.ca]
> In all fairness, I think the same could be said for Windows. The most
> frequently installed Linux distributions install all kinds of
> crud that can
This goes without saying. The real world issue with this is that most
people operating systems are NOT competent admins, and the "ease of use bar"
being somewhat higher in Linux, has the consequence of making the average
Internet-connected Linux box a tougher target than the average
Internet-connected Windows box. The open source world _seems_ to be more
aware of vulnerabilities due to peer pressure, community communication like
this and "geek chic".
> I don't understand what you mean by an 'exploit count'. My
> opinion, and from
exploit count = number of times a given vulnerability is actually exploited
on different Internet connected hosts
- IIS Unicode exploit - is ONE vulnerability exploited millions of
- Linux Lion worm - is ONE vulnerability exploited thousands of times
My point here is that one vulnerability was exploited successfully on an
order of magnitude greater quantity of systems than the other. In reality,
when measured against installed base, actual exploits-per-OS-installed are
probably higher for Linux than Windows, as Linux system operators are
running more sophisticated server applications than the average Windows
More Windows installed = more exploits successful
> what I have seen in practice, is that if there is a
> vulnerability there will
> be an exploit. If there are the same number of
I disagree. X vulnerabilities != X exploits
Because there is the potential to exploit something ("a vulnerability"),
doesn't mean that it will be exploited. Only useful vulnerabilities are
usually exploited - i.e. those with the potential for privilege elevation,
those which can be used to run shellcode etc. Of lesser value are those
potential exploits which restrict or inhibit proper function of a system aka
DoS attacks - they do nothing of value to the attacker other than prevent
the defending system from full function. A data segment blown pointer is a
vulnerability as it may corrupt other data, but it isn't a code segment or
stack type problem where the execution pointer can be manipulated into
running arbitrary code.
Attackers typically go for the lowest hanging fruit on the tree, and only
exploit difficult or new vulnerabilities when all other "easier" attacks
fail. Security researchers however, try everything to get their name on
Bugtraq, finding "vulnerabilities" that aren't worth exploiting, just to
have published a vulnerability. You have to look deeper into the potential
problems caused by a vulnerability to determine its exploit potential. I
would hazard a guess that many security researchers are well funded to
determine Linux and open source vulnerabilities - it's nothing more than
good, effective and cheap marketing on the part of the proprietary systems
> vulnerabilities on Windows as
> Linux then it is a safe bet that there are the same number of
> Actual machines that have been exploited may be different,
> but I am not sure
> how one would be able to quantify that.
> > Here are some of my thoughts:
> > i) vulnerabilities != exploits successfully executed
> I disagree. See above
I think I have explained my position more clearly, which makes my above
> > ii) publicly disclosed vulnerabilities per platform !=
> > per platform
> > iii) impact per vulnerability is not quantified in statistics
> Agreed. Is increasing privileges the same as all out admin
> access? Is deleting
> mail as bad as deleting user accounts? etc... Difficult to
> quantify these
> things, although I would imagine there are researchers
> working on this stuff.
> > iv) O/S vulnerabilities != application vulnerabilities
> True, but either way if you are running a vulnerable OS or a
> application, you are still at risk.
Not necessarily. An application running in user-space is inherently less
vulnerable than one running with root privileges, or an operating system
process. As there is executing binary code, and an execution pointer that
could be misdirected, the risk is still there, but the quantifiable amount of
risk is less, as they then have to elevate privileges to do greater harm.
> I guess the gist of my post is that just because an exploit
> isn't posted to
> bugtraq or someone tells you 'this can not be exploited'
> doesn't mean there
> isn't an exploit out there. From what I have seen, it is the
> exact opposite.
> The instances where people say 'this cannot be exploited'
> just encourage
> those capable of writing exploit code to work even harder at
> exploiting it.
> From what I have seen they always succeed.
We only see the successes, therefore we perceive a 100% success rate. I'd
imagine that exploit coders are mortals and create far more failures than
successes. We just don't see their mistakes!
Bill Strosberg, CISSP