[oclug] Pimpin' Linux

Ian Wormsbecker i.wormsbecker at uleth.ca
Wed Jan 22 15:16:53 EST 2003


On January 22, 2003 02:38 pm, Strosberg, Bill wrote:
>
> exploit count = number of times a given vulnerability is actually exploited
> on different Internet connected hosts

OK.

> i.e.
> -	IIS Unicode exploit - is ONE vulnerability exploited millions of
> times
> -	Linux Lion worm - is ONE vulnerability exploited thousands of times
>
> My point here is that one vulnerability was exploited successfully on an
> order of magnitude greater quantity of systems than the other. In reality,
> when measured against installed base, actual exploits-per-OS-installed are
> probably higher for Linux than Windows, as Linux system operators are
> running more sophisticated server applications than the average Windows
> user.

I will have to think about this a little more. I think sophistication level is 
a difficult issue to add to the discussion and even more difficult to 
quantify.

>
> More Windows installed = more exploits successful
>
> > what I have seen in practice, is that if there is a
> > vulnerability there will
> > be an exploit. If there are the same number of
>
> I disagree.  X vulnerabilities != X exploits
>
> Because there is the potential to exploit something ("a vulnerability"),
> doesn't mean that it will be exploited.  Only useful vulnerabilities are
> usually exploited - i.e. those with the potential for privilege elevation,
> those which can be used to run shellcode etc. Of lesser value are those
> potential exploits which restrict or inhibit proper function of a system
> aka DOS attacks - they do nothing of value to the attacker other than
> prevent the defending system from full function.  A data segment blown
> pointer is a vulnerability as it may corrupt other data, but it isn't a
> code segment or stack type problem where the execution pointer can be
> manipulated into running arbitrary code.
>

I have to disagree with this still.  If there is any vulnerability found, 
people will write exploit code for it, whether it is a DOS attack or 
privilege elevation. Just because it doesn't come across Bugtraq doesn't mean 
it hasn't been written. Bugtraq, and most other security mailing lists, see 
but a small fraction of the actual exploit code out there.

There are plenty of exploits floating around for DOS attacks. In the script 
kiddie world, causing someone's machine to not work is as good as getting root 
for the most part. I am sure Ebay and the like were not too keen when Mafia 
Boy made them look silly for a few days. DOS attacks are a large threat to 
business. Almost more so than people wandering in their network. Businesses 
can deny that they leaked information, but have a hard time explaining why 
people were not able to send them email or purchase products off their 
website for a week. I think you underestimate the power of DOS attacks on the 
internet today. I agree that they are childish, but they are definitely a 
threat.

> Attackers typically go for the lowest hanging fruit on the tree, and only
> exploit difficult or new vulnerabilities when all other "easier" attacks
> fail.  Security researchers however, try everything to get their name on
> Bugtraq, finding "vulnerabilities" that aren't worth exploiting, just to
> have published a vulnerability.  You have to look deeper into the potential
> problems caused by a vulnerability to determine its exploit potential.  I
> would hazard a guess that many security researchers are well funded to
> determine Linux and open source vulnerabilities - it's nothing more than
> good, effective and cheap marketing on the part of the proprietary systems
> vendors.

I was under the impression that most people funded to do security research are 
typically working for security companies whose business focus is to fix 
security issues, or academics. If all the security issues dried up, they 
would have no business, hence they are always on the lookout for more 
vulnerabilities. I know that many penetration testing companies have full 
time 'exploit developers' (Not sure if that is an appropriate title or not) 
on staff. In many cases, these companies are paid relative to the number of 
times they can provably obtain higher privileges or potentially cause system 
outages, etc... These companies would look pretty silly if they said they 
could do X, but when asked to show it were not able to do so. This is one of my 
main reasons for believing that there is an exploit for nearly every 
vulnerability. It makes good business sense for these types of businesses to 
be able to exploit Tom's English2Romulan encoder that he installed suid root 
because he doesn't understand his operating system.


>
> Not necessarily.  An application running in user-space is inherently less
> vulnerable than one running with root privileges, or an operating system
> process.  As there is executing binary code, and an execution pointer that
> could be misdirected the risk is still there, but the quantifiable amount of
> risk is less, as they then have to elevate privileges to do greater harm.

I really really disagree with this. If someone were to obtain privileges for 
my postgres user, they could cause some serious damage, steal lots of 
information, etc... Even just the ability to read some system files can 
greatly aid an attacker to learn more information about a network and the 
systems on it. Even reading /etc/hosts or bind configuration files could 
potentially give an attacker a map to your network. Never underestimate the 
power of having shell level access to a system.


I think this would be an interesting discussion over beer after one of the LUG 
meetings.


Ian
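The two claims above that an attacker profits from a mere unprivileged shell (reading /etc/hosts or name server configuration to map the network, and finding programs someone installed suid root) can be shown concretely. The script below is an added example written for this page, not code from the original post or its authors. It builds a constructed /etc/hosts in a temporary file (the example.internal names and the 192.0.2.x / 198.51.100.x addresses are made-up documentation ranges), extracts the hosts and the /24 networks it refers to, and lists setuid files under a directory; the demo scans /usr/bin, chosen here only because it is small and quick to search.

```shell
#!/bin/sh
# Added example (not from the original post): what an attacker holding only an
# unprivileged shell can learn from world-readable files. Every address and
# hostname below is constructed for the demo; nothing here is a real network.

# Write a constructed /etc/hosts to a temp file and print its path, so the
# example runs offline without reading the machine's real /etc/hosts.
make_sample_hosts() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample /etc/hosts (not a real network)
127.0.0.1       localhost
192.0.2.10      db1.example.internal db1
192.0.2.11      db2.example.internal db2
192.0.2.250     fw.example.internal        # border firewall
198.51.100.5    mail.example.internal mail
198.51.100.5    smtp.example.internal
EOF
    printf '%s\n' "$f"
}

# Print "address hostname" for every name in a hosts file, dropping comments,
# blank lines and loopback entries (which tell an attacker nothing new).
hosts_entries() {
    awk '
        { sub(/#.*/, "") }                      # strip trailing comments
        NF < 2 { next }                         # need an address and a name
        $1 ~ /^127\./ || $1 == "::1" { next }   # skip loopback
        { for (i = 2; i <= NF; i++) print $1, $i }
    ' "$1"
}

# Summarise the IPv4 /24 blocks a hosts file refers to, as "a.b.c.0/24 N",
# N being the number of distinct addresses seen in that block: a first map
# of the network, obtained without sending a single packet.
hosts_networks() {
    hosts_entries "$1" | awk '{ print $1 }' | sort -u | awk -F. '
        NF == 4 { seen[$1 "." $2 "." $3 ".0/24"]++ }
        END { for (net in seen) print net, seen[net] }
    ' | sort
}

# List regular files with the setuid bit under DIR: the "installed suid root"
# programs the post mentions, and the next thing an attacker looks for.
list_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Demo on the constructed sample; the setuid scan runs against /usr/bin so it
# finishes quickly (it may print nothing on an unusual system).
sample=$(make_sample_hosts)
echo "== hosts known to this machine =="
hosts_entries "$sample"
echo "== /24 networks referenced =="
hosts_networks "$sample"
echo "== setuid files in /usr/bin =="
list_setuid_files /usr/bin
rm -f "$sample"
```

On a real host the same functions would be pointed at /etc/hosts, /etc/resolv.conf or a readable named zone file, and the setuid scan at / (slow, but it is what an attacker runs first); none of it needs more than the unprivileged account Bill's quoted paragraph treats as low risk.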