Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sloppy File Permissions Make Red Star OS Vulnerable

Posted by Soulskill on from the helps-to-feed-your-developers dept.

An anonymous reader writes: Red Star OS Desktop 3.0, the official Linux distro of North Korea, which recently found its way onto torrents and various download sites in form of an ISO image, is interesting for a number of reasons, including its attempt to look like commercial operating systems (currently OS X, earlier versions mimicked the Windows GUI). Hackers are also poking Red Star for security vulnerabilities. An pseudonymous researcher noted in a post to the Open Source Software Security (oss-sec) mailing list, that the OS has one significant security hole: Red Star 3.0 ships with a world-writeable udev rule file /etc/udev/rules.d/85-hplj10xx.rules (originally designed for HP LaserJet 1000 series printers) which can be modified to include RUN+= arguments executing arbitrary commands as root by Udev. In the post he also mentions how the older Red Star 2.0 shipped with another schoolboy mistake: /etc/rc.d/rc.sysinit was world-writeable.

19 of 105 comments (clear)

  1. Good ol' 777 by MisterSquid · · Score: 4, Insightful

    Whenever I see devs take the stupid shortcut of "chmod 777" I wonder what is the brain drain for these "professionals" that they can't figure out how to enable make use of "chown root:admin" and then "chmod g+x", or whatever's the appropriate level of permissions for the task at hand.

    How can developers be so lazy and so security naive? It's like using signal lights when driving. Just do it because it makes for good habits.

    --
    blog
    1. Re:Good ol' 777 by MichaelSmith · · Score: 3, Insightful

      Unix doesn't help much. I mean if apache can't read /home/me/www/path/to/index.html the OS isn't going to tell you its because of the permissions on /home. Meanwhile you have given up and gone chmod -R 777 /

      --
      http://michaelsmith.id.au
    2. Re:Good ol' 777 by MisterSquid · · Score: 4, Informative

      Unix doesn't help much. I mean if apache can't read /home/me/www/path/to/index.html the OS isn't going to tell you its because of the permissions on /home. Meanwhile you have given up and gone chmod -R 777 /

      Actually, both the browser and the Apache log will tell you it's a permissions issue. Go to the root of /home and either add the Apache user to the group that has access to "/home/me/www/path/to/index.html" or change the group access to Apache's user.

      Once the group is correct, change the permissions to g+r if necessary.

      Taking the 15 seconds to properly set permissions when you know the issue is a permissions issue (otherwise why would chmod 777 fix the issue) really is just too easy not to do.

      Also, use your signal lights!

      --
      blog
    3. Re:Good ol' 777 by MichaelSmith · · Score: 4, Insightful

      What I mean is that cat /home/me/www/path/to/index.html will say Permission denied but it won't say Permission denied reading /home/me

      --
      http://michaelsmith.id.au
    4. Re:Good ol' 777 by Gravis+Zero · · Score: 2

      How can developers be so lazy and so security naive?

      security commonly falls under the "not my problem" area while "it MUST work" is always the priority. is that really so hard to comprehend?

      --
      Anons need not reply. Questions end with a question mark.
    5. Re: Good ol' 777 by Megol · · Score: 4, Insightful

      Good thing you don't design user interfaces.

      On the other hand, perhaps it was you who designed the Windows 8 metro UI? It would explain a lot...

    6. Re:Good ol' 777 by Jeremi · · Score: 4, Insightful

      Because that would give information to a potential attacker! You don't make security problems easy to diagnose!

      Security through obscurity, eh?

      No thanks. Either the system is secure (even against an expert hacker), and therefore no security is lost by providing informative error messages.... or the system is insecure, in which case no security is gained by making the error messages hard to understand.

      Deliberately obfuscating error messages only makes the system harder to use by its legitimate users (and therefore more likely to be bypassed in ways that compromise security) while doing nothing to keep hackers out.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    7. Re:Good ol' 777 by sjames · · Score: 3, Insightful

      Better than being one of those assholes that likes to call people an idiot.

      There is always an aspect of obscurity to secrecy. In OPs example, the exact structure of the underlying filesystem. In mine, the user and pass. In both cases the mechanism is known. Many server admins make an effort not to reveal too much of the underlying structure to the outside and wouldn't appreciate the http server revealing all of it to the world.

  2. Master plan by lucm · · Score: 4, Funny

    Awesome! At last a way to hack North Korea and steal all their... valuable things?

    --
    lucm, indeed.
    1. Re:Master plan by kilodelta · · Score: 2

      Or just to shut them down. I mean I'm fairly certain we in the U.S. have our own cyberwarfare units in the U.S. - that might also be the answer to who leaked the ISO of Red Star 3.0

    2. Re: Master plan by jrumney · · Score: 2, Funny

      Too late, Kim Jong Un ordered the general who bought the HP printer to be executed already, and ordered his brother to buy a Canon inkjet to replace it. The brother was also executed for bring imperialist Japanese goods into Korea, but at least they have a new national printer now. Both the PCs are now being studied by North Koreas elite hacking squad to see if the files can be removed without recompiling the whole system from scratch, but the results are not promising so we may see more outage on the North Korean netblock again this week.

  3. one question... by s0litaire · · Score: 3

    Is this OS for the NK government use, or for use by the people in NK.??

    If it's for the people I'm not surprised they made it easy to gain access...

    --
    Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
    1. Re:one question... by houghi · · Score: 2

      You think the people have computers? This is for the rest of the world and those are not securety leaks, they are features.

      --
      Don't fight for your country, if your country does not fight for you.
  4. Re:...for a number of reasons by SeaFox · · Score: 3, Funny

    I hear a CD-R and a balloon were used.

  5. And still by msobkow · · Score: 2

    And still the US government would have us believe that NK has a cadre of "elite hackers" responsible for Sony instead of the much more plausible and believable "inside job" by disgruntled employees -- especially as it would have taken months to download the terabytes of data that they claim was stolen.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:And still by msobkow · · Score: 2

      And without any of the snoops who monitor the NK traffic streams noticing for all those months to boot.

      --
      I do not fail; I succeed at finding out what does not work.
  6. Re:not great, but probably not very important eith by benjymouse · · Score: 2, Informative

    This kind of exploit, a local privilege escalation exploit, used to be very significant, but is significant in a declining number of cases, as old-style Unix multiuser systems are a smaller and smaller proportion of systems.

    An attacker who has exploited a Firefox vulnerability (there are still many found and patched each month) is running as a *local user* on your machine. Trying to explain these types of vulnerabilities away is disingenuous, if not downright complacent.

    Unix/Linuxs permission system is 70-era bit-saving stupid. There is no other way to put it.

    While this is clearly a mistake by someone packaging the distro, they were certainly not helped by a system where you cannot adequately express permissions. ACLs are available, but they are still kludges and they fell like a bolt-on with many tools still not recognizing them.

    When a developer meets the limit of what can be expressed with a single-group me-us-everybody, he will often look for the path of least resistance. Unfortunately that is often relaxing permissions along the coarse-grained me-us-everyone, often ending up with everyone as in this case.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  7. Re:not great, but probably not very important eith by dbIII · · Score: 3, Insightful

    Unix/Linuxs permission system is 70-era bit-saving stupid. There is no other way to put it.

    Some alternatives sound nice but fail horrificly when the come in contact with people, especially the ones that let any people within a group grant access to others with zero oversight. Within a short period of time with such a "everyone can grant or deny access" scheme you end up with almost everything wide open and occasional calls when the paranoid have locked themselves and everyone else out of something and forgotten the password - and it's typically something business critical (as in people need to get to it so they can do their job) but not actually sensitive with only a few people normally allowed to get to it. So the superuser is locked out - what do you do? Well such things are normally not well thought out in any way at all so you crack in with ease, especially since you have full access to the hardware, which kind of makes the whole idea of having permissions that lock out the superuser look pretty silly doesn't it?

    So while user/group/all looks simplistic and kind of sucks in some cases there's nothing else that's really shown itself to be good enough to gain traction apart from where mandated by a vendor.

    When a developer meets the limit of what can be expressed with a single-group me-us-everybody, he will often look for the path of least resistance

    Saw that - first day at a new site and the developer that had been looking after things rebooted both the primary domain server and secondary domain server at the same time in the middle of a working day, for some trivial fix that didn't need to be done immediately and probably didn't even need a reboot. Of course they were also serving most of the files and all the printing as well. It's a mindset not a skillset. He knew what would happen but there was a fix for something so it had to be done NOW so he could get it out of the way without having to worry about it later. Consequences didn't matter, after all the new guy was there to take all the angry phone calls.

  8. Re:not great, but probably not very important eith by Antique+Geekmeister · · Score: 3, Insightful

    The old POSIX compliant user-group-others model does have some limitations. The non-root user can't arbitrarily add another individual user to have access or deny access, and only root users or site admins have access to create new groups. In the older systems, such as in UNIX's /etc/group and /etc/passwd, groups cannot contain other groups directly and there's a maximum line length on the number of characters in the "/etc/group" line. This gets quite awkward if you have hundreds of members of a group, or want to be able to say "all members of this group, *except* this one account, should have access to this". It means you have to add a new group and reset all files to owned and managed by that group: it can become painful to administer.

    When compared to the obscure rat's nest of ownership in NTFS, however, I can see why the old POSIX ACL's have remained in use. And let's make not be confused, in the Windows world it is _extremely_ common to leave file ownership profoundly broken.