Damn Vulnerable Linux — Most Vulnerable Linux Ever

An anonymous reader writes "Usually, when installing a new operating system, the hope is that it's as up-to-date as possible. After installation there's bound to be a few updates required, but no more than a few megabytes. Damn Vulnerable Linux is different; it's shipped in as vulnerable a state as possible. As the DVL website explains: 'Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop – it's a learning tool for security students.'"

Wait, so I shouldn't have used that at work?

Don't tell my boss.

Re:Wait, so I shouldn't have used that at work?

[binarylarry]

Don't worry, it's still safer than the Windows servers you run.

Re:Wait, so I shouldn't have used that at work?

[Darkness404]

I know! I've been wanting to get these free kitten screensavers and family guy cursors and they aren't working! And I can't get sexyladies4324aefe.exe to run either! Man, Linux doesn't run anything good...

Re:Wait, so I shouldn't have used that at work?

[ae1294]

Such as?

The ability to run the Malware he writes for fun and profit. Ok... mostly profit...

Re:Wait, so I shouldn't have used that at work?

[jellomizer]

Yes the random poke at Microsoft...
Lets stay blind dumb and happy with our Linux.

Linux isn't any more secure then Windows is. However Linux users like to get bragging rights because they release fixes to security glitches fixes (a good thing) much faster then Windows does. However security patches isn't the only thing...

Usually the reason for most Vulnerabilities in Windows is due to stupid Administration. Being that windows is easier to maintain by the average joe, means that a lot of Windows Server Networks are being administered by people who really don't have any rights administering a network. Having Poor Security procedures, buzzword based security settings, Firewall with holes.

Linux users are either the Old time Unix administers or people who actually think about technology as a bit more of a means to an end, actually on the average are at least bit better then the laimo Windows Server non-administrators.

However Linux is still quite vulnerable. Updates may not be run as often as they should, legacy code needing older versions of software to run. The fact that they think they are immune makes sure fixing these problems are a less of a priority.

I have seen man Linux Systems hacked into more then I have seen windows systems, why because the administrators of the Linux systems were Lazy and bought into the fact that Linux is SO MUCH MORE SECURE THEN WiNDOWS and let the Servers Run Bragging about their huge uptimes while it keep on getting rooted. Yes the times I have seen Windows get compromised it is often a bigger problem then when it happens to Linux, as windows vulnerabilities make it more possible to spread viruses across the unsecured intranet.

But the moral of this post is. Don't put your faith in the software for security, Keeping a secure network is up to a human hopefully they are skilled to keep it secure.
 

Re:Wait, so I shouldn't have used that at work?

Pretending you are secure using DSL is just stupid.

Your PC will be owned in 24h or less(how many rootkits are installed by default?). My web and ssh servers get attacks searching for common vulnerabilities constantly since the day I started them and they aren't even live yet. If they had been running any vintage version of Linux it would have been automatic pwnage.

I wonder if streaming a Tb or two of good quality PRNG data into a bot or a "security researcher"'s computer would get me into any problems. They always seem so sad when they find nothing to grab. They are the ones making the HTTP or SSH request it's not my fault they discover my RNG server ;)

Re:Wait, so I shouldn't have used that at work?

[Risen888]

Being that windows is easier to maintain by the average joe

Obviously it is not. It is easier to fuck up. That's a different thing altogether.

Re:Wait, so I shouldn't have used that at work?

[Von+Helmet]

A few years ago, around 2006/7, I worked in a (UK) school doing IT support. One of the guys in the science department was some kind of Linux geek. He had a Red Hat server running on the school network for some reason or other, I forget what, and he had requested and been given an external IP address on the network so that he could get in from home and do... whatever.

So, one day the big talk is that the local education authority, who provided the Internet connection, have been getting calls from the US Department of Defence wanting to know why they're getting hundreds of thousands of hits to some of their servers from this address block. The education authority traced it to the school and we traced it to this guys Red Hat server and pulled the plug. I didn't get a good look at it, but it was running a 2.4 kernel well into the 2.6 days, so I'm guessing there were plenty of other things that were out of date on there.

I don't know whether you'd lay the blame on the science teacher or the admin who let him put that box on the network with an external IP address and then didn't spot oodles of outgoing SSH attempts or whatever, but one way or another someone took it on trust that someone else knew what they were doing with Linux when they clearly didn't.

Or

[Voulnet]

Or use a fresh install of XP.

Re:Or

[Luckyo]

Ebola or AIDS. Choices!

Re:Or

[Co0Ps]

Seriously, I once attempted to see how long it would take to get a fresh install of XP hijacked on a virtual box. After about one hour of bad IE6 surfing on suspicious sites (would you like to download and run this? yes please) I had one or two pieces of malware installed that had taken over the computer completely, filling the screen with popups and disabling all kinds of system configuration tools.

Re:Or

[maxwell+demon]

To be fair, if you download run random stuff from the web, your Linux computer isn't too secure either.

Re:Or

[tuxgeek]

To be fair..
most malware available for download on the web is designed to be run on windows
It doesn't do anything much less run in linux

Windows is such an easy target for exploit and success, it's everywhere and run by every bone-head idiot on the planet
Linux on the other hand is most used by advanced individuals and can be very difficult to exploit making it a waste of time for the black hats, it can be done, but rarely successful

Re:Or

[Culture20]

That's nothing. During the Blaster days, I stood by and let someone attach their computer to the network for updates after a clean install. It was an object lesson: Before she could navigate to windows update, it started rebooting again. Always update security patches from a known-safe medium.

Re:Or

[bigstrat2003]

That's not the point. The point is that even if OS security were perfect, there would still be machines which were completely fucked. No amount of OS security will stop the user from wanting free kitten screen savers.

This doesn't excuse vulnerabilities that do exist in operating systems, but since Co0Ps specifically mentioned that he/she was actively agreeing to download certain pieces of malware, it bears mentioning.

Re:Or

[rsborg]

That's not the point. The point is that even if OS security were perfect, there would still be machines which were completely fucked. No amount of OS security will stop the user from wanting free kitten screen savers.

You know, I'm going to get flamed to hell and back for this, but if you download (ie, buy a free app of) free kitten screensavers in iOS, you will likely have no security impact to your device... some (lots of) folks just can't be trusted outside walled gardens, and that's why Apple is doing so well.

Re:Or

[maxwell+demon]

That's not the point. The point is that if you actively download and run random stuff from the web, it doesn't tell much about the security of the OS if you get lots of malware.

However, I can imagine that the first sort of widespread malware on Linux will be cross-platform Firefox extensions. It shouldn't be too hard to write an extension that does something users want, but also contain some malicious code. That code would have full access to anything you browse, including your banking site and all passwords to various web sites, and it could silently send that data to an arbitrary place, or silently manipulate it. If the extension is otherwise useful, people may install it. For example, how many people have inspected the source of NoScript before they installed it? And of every update as well? I haven't. I installed it because it has functionality I want, I've read lots of recommendations, it has lots of users, and it is on the official Mozilla add-on site. Also the fact that this add-on is quite complex and very actively maintained and developed is IMHO a indication that it's not just a way to introduce malware. However, what if someone would manage hack the web site and push a slightly modified version as update? Note that this would hit exactly those people who are least likely to get other malware.

There's a reason why I created a second profile in Firefox where absolutely no extensions are installed. That's what I use for online banking.

Re:Or

[Co0Ps]

I have to disagree. If an OS had good security, just running an executable should not give it permission to disable system configuration and mess with system files. In XP if you had an administrator account (everyone did), even screensavers had full permissions. Yes, I surfed on possibly-malicious sites and opened possibly-malicious executables. After that, trying to open task manager gave me "Permission Denied". Also, If an OS has a PERFECT security model (which Linux hasn't), everything should be run sandboxed. In such an OS, you shouldn't be afraid of installing potentially malicious software, just like you're not afraid of visiting web pages with a secure web browser.

Re:Or

[antdude]

I saw this happen with a 3 KB/sec dial-up connection too! It was nuts. My friend was wondering why his new XP Pro. downloads were so slow.

Big deal

So it's like Fedora then.

Re:Big deal

[magsol]

Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?

Re:Big deal

[basscomm]

Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?

You must be new here.

Re:Big deal

[keatonguy]

Don't be obtuse, he raises a good point. Linux is not infallible and shouldn't be treated as such even in light of it's advantages and the personal support we all have for it. Criticism breeds improvement. Keep that in mind, mods.

Re:Big deal

[LynnwoodRooster]

Exactly. Everyone knows the only OS that gets to claim invulnerability is OSX...

Re:Big deal

[causality]

Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?

That has since been modded some more and now sits at +4 Funny at the time of this post.

Had he denigrated Apple or its products, it would have gone down to -1 and remained there.

Re:Big deal

[causality]

Don't be obtuse, he raises a good point. Linux is not infallible and shouldn't be treated as such even

Did it occur to you that the more experienced/advanced/technical users who tend to gravitate towards Linux are very much aware of this, that they administer their systems accordingly, and that this is in fact a big reason why successful malware "in the wild" is all but unheard-of on this platform? Compare to "buy the next version of Windows, it's easier and more secure than ever!" that carries the strong implication of "oh, security is someone else's problem". Not noticing or appreciating that difference would also be obtuse.

What I am getting at is that there are both technical and cultural differences between the two platforms.

Re:Big deal

[CAIMLAS]

Criticism, even if inaccurate?

You can still run a multiple-year-old and barely-updated Linux distro on a public network and not fear being exploited. Sure, it can happen, but I'll be honest in saying the only times I've seen a Linux machine exploited was when it was horribly out of date (2.0 kernel in the early 2.6 kernel days) and was running samba... on a public network. That said, the exploit employed was over 6 months old at the time when the machine got exploited.

Unless you're running a PHP based CMS or the like, it's pretty uncommon for a Linux machine to get exploited. PHP = bad.

Re:Big deal

[Tablizer]

Exactly. Everyone knows the only OS that gets to claim invulnerability is OSX...

Only if you hold it right.
   

Re:Big deal

[JonJ]

Ugh, I'm gonna undo all my mod points for this but... Fedora is on the bleeding edge, it has never been about stuffing the distro with old and vulnerable software. The comparison is so far off it's not even funny. If he'd said 'Debian Stable' I might've seen the humor in it, but using Fedora is a really poor example. So he's not only a troll, but a stupid one at that. And it's really annoying seeing all the hate Fedora and Red Hat gets here on /. even if they do amazing work for both servers and desktops. I wish the constant Apple and Ubuntu masturbation would stop.

Re:Big deal

[LinuxIsGarbage]

You know that Windows Vista and Windows 7 were released which by default run the user as a limited user, and prompt for elevation when needed.

Great Learning Tool

[bytethese]

We used it in my Forensic Computing masters program in some classes, definitely useful in our Network Security and Architecture of Secure Operating Systems classes to show what can happen with buffer overflows, gaining root access, etc.

Security study DVL

[GNUALMAFUERTE]

A notable team of security researches are suggesting windows users migrate to a platform known as DVL. "DVL is a mess. It is vulnerable to a variety of attacks, but it is still more secure than the average windows install". Another researched pointed "Windows users must migrate to DVL immediately, in order to protect their computers".

While several independent research groups are considering DVL as a valuable alternative to windows, Microsoft didn't stay behind, and promised to use DVL as the base of Windows 8, the upcoming version of windows. A spokesperson for Microsoft notified that microsoft decided to use DVL after thoroughly analyzing it, "It provides a great building block for the next release of our greatest product, DVL certainly fits like a glove within our strict security and QA policies".

Windows 8: DVL Edition, the most secure windows version ever released, is scheduled to hit the shelves next summer.

Re:Security study DVL

[GNUALMAFUERTE]

Heheh, previous story says:

"More than a year after Microsoft issue a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7."

How long ?

[Pelekophori]

till Microsoft uses it in get the facts comparisons?

Re:How long ?

[Daniel+Dvorkin]

A while back, IIRC, there was a story about the different ways that vulnerabilities are counted in Linux vs. Windows. There have been various MS-sponsored "studies" which sum the total number of vulnerabilities for all distros, so that if, for instance, the same vulnerability exists in Debian and Fedora, it's counted twice. (Likely much more than twice, since if it's in Debian, it's probably in all the Ubuntus too.) Meanwhile, of course, Windows vulnerabilities only get counted once. So don't be at all surprised to see stories along the lines of "5000 new Linux vulnerabilities discovered!" coming from the astroturfers soon.

what about a weird-arch linux?

[keeboo]

Something philosophically similar which could be created is some sort of "weird arch" Linux for code debugging purpuses.
Like something with 16bit chars and ints, non-0 NULLs... Perhaps running under an emulated invented weird architecture with strange byte order (non-LSB/MSB) and weird alignment issues.
I wonder how many software would break.

Re:what about a weird-arch linux?

[sconeu]

architecture with strange byte order (non-LSB/MSB)

You mean like the PDP-11?

0x11223344 was stored in memory as 0x33 0x44 0x11 0x22

Re:what about a weird-arch linux?

[mmkkbb]

And the PDP-10 had bytes in any size from 1 to 36 bits.

Re:what about a weird-arch linux?

[mlts]

If you are feeling really insane, some UNIX operating systems can dispense with root altogether, even past having it disabled for logins (like how OS X has it present but not usable until explicitly turned on). AIX 6.x has the ability to completely chuck root (where stuff running as UID 0 is essentially running as nobody with no privs whatsoever), and what would have been handled by the superuser is handed off to other users as roles. Of course, if a critical role isn't defined before root gets stripped of its mantle of rulership, well, have fun rebooting to install media or to a NIM server and fixing that.

Some UNIX variants don't care a bit if the user root is renamed. Others will choke and give up the ghost. Ideally it would be nice to rename the root user (and put a dummy user named root just for kicks, similar to how Windows admins worth their salt have a bogus Administrator user with insane amounts of logging enabled), but it is hard to tell which UNIX variants don't care, and which will be really unhappy.

Maybe the best of all worlds is to have SELinux-like ACL policies be made into an easier pill to swallow. For example, a Web browser should not have access to a user's .xinitrc, .profile, .bashrc, or other files. If a policy enforces this, even if a Web browser is completely compromised, there is no way a blackhat can install software running in the browser's context that would start on a login, nor even with a valid su or sudo password, would ever get to a "#" prompt. By focusing on isolating applications, a system can be partially compromised, but not completely taken over, unless the security problem lies in a critical subsystem like ssh/sshd where it really can't be put into a fenced in playground.

As for obfuscation, it does work against script kiddies, but a blackhat worth his salt will eventually go through the IP range and find that one randomly named server is listening on port 80 and 443, and communicating with some other box via some ports that are usually for Oracle. Security through obscurity is not a good solution in the long run.

Honey Pot Module coming up next week.

[ls671]

We are working on a honey pot module for Damn Vulnerable Linux, it should be coming out soon ;-)

Basically log all activity to a network server while hiding the fact that we are doing it. Just refresh from a fresh image once in a while. Once an intruder is noticed, we can give him as many rights as we want in real time, especially with regards to network connectivity, which is done at the firewall level. It is a nice way to get a good grip of what is running in the wilderness of the internet. If you are lucky enough, you can even learn about unpublished exploits although I would use a up to date distro to specifically discover these.

Re:Honey Pot Module coming up next week.

[lennier1]

Chances are the user will even get Chinese lessons free of charge. ;)

so if one were to do this with bsd...

[ducomputergeek]

would it be ClosedBSD?

Microsoft's Linux vulnerability stats

[Tracy+Reed]

You just know MS is going to count the vulnerabilities in this distro against Linux just like how they count one vulnerability which affects 10 distros as 10 vulnerabilities because 10 warnings get sent out.

Semi-dupe

[Improv]

This was in the list of "most interesting linux distros" posted here maybe two weeks ago. Sigh.

Not just for students

[kolbe]

At my last job, the "boss" was too cheap to purchase a descent VPN solution (I later convinced him to buy a Cisco ASA5520), so I deployed a series of IPCop servers... one as a firewall and one as a VPN server. Between the firewall and VPN Server I had fronted an old Pentium 2 based Windows 2000 server in the DMZ to give the appearance that an attacker, had they gotten through, would have figured they hit the "honeypot". I ran this configuration for almost a year and had one attacker get through because I had not patched my IPCop firmware soon enough to cover a LAMP exploit running on it, but they none the less only stopped at the Windows 2000 server and loaded a bunch of mail relays on it. One quick re-format, an IPCop patch, and some E-mails to SORBS and I was good to go again.

Distributions such as Damn Vulnerable Linux will not only help students, they will be a great asset to SMB's wanting something to do front similar topologies as mine to keep the bad guys out. I am sure there are other uses for DVL out there.

Good job DVL team!