PCWeek "Hack This Page" Cracked
mrflip writes "On September 20th, PCWeek announced a $1000 contest to be the first to hack either the linux or the NT server they set up. Well, four short days later, the linux box seems to have been compromised. The winner states "Hi guys, It's been a nice challenge, now send me the cash :)." He explained that the exploit was not a linux feature but was due to a closed source CGI script with improper security checks. " Going to require Solomonic ruling - the intent was to test the two OSes, and this is obviously not an OS test.
That rant of yours is very funny. Let me explain that securent.hackpcweek.com IS vulnerable. The problem isn't NT however, it's in the HTML code on the server. Similarly, the Linux wasn't vulnerable, but the CGI script was. YES, SECURENT CAN BE HACKED. You heard it here first. The rules state: break into the system, modify pages, and/or steal user information. Well, according to those rules it can be broken. Let me explain. I examined the SECURENT html source and noticed several links to "www.hackpcweek.com.com" (notice the extra .com). Then I contacted Curt Connell with EDS who is Administrative contact for COM.COM. (Please don't call or bother him anymore). A simple 'A' record in the .com.com DNS server referring 'www.hackpcweek.com.com' to my own web server would allow me to steal user information. What's more, the user would believe they were still on a real "pcweek" server seeing valid pcweek documents, allowing me to send malicious code, request confidential information, etc. Curt was unable to get "official" EDS permission to create the 'A' record, but the hack is valid and does exist. (Again, please do not bother Curt anymore). A simple goof in the HTML code renders the NT box 'hackable'. A side benefit is we circumvent the Firewall, IDS and other security features by just directing to another site. Oops. The NT 'IS' vulnerable to attack. In closing, don't consider an operating system insecure based on the applications (or HTML) that's on it. -Alascom alascom@dc2600.com
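The mistyped "www.hackpcweek.com.com" links above are the kind of thing a site owner can catch before publishing. The following is an added example (not from the post or from PCWeek) that scans a page's own HTML for absolute links whose host falls outside the domains the site controls, and separately flags hosts that contain an expected domain without ending in it, the doubled-TLD pattern described. The sample HTML and the `hackpcweek.com` allowlist are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: one link carries a doubled ".com" that looks like
# the site's own domain but would resolve under a domain the site does not control.
SAMPLE_HTML = """<html><body>
<a href="http://www.hackpcweek.com/rules.html">Rules</a>
<a href="http://www.hackpcweek.com.com/login.cgi">Log in</a>
<img src="/images/logo.gif">
<a href="https://securent.hackpcweek.com/">NT box</a>
</body></html>"""

# Domains the site operator actually controls (assumed for the example).
EXPECTED_DOMAINS = {"hackpcweek.com"}

# Attributes that make the browser fetch or submit to a URL.
URL_ATTR = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.I)


def extract_hosts(html):
    """Return (url, host) for every absolute href/src/action in the page.
    Relative URLs have no host and are skipped: they stay on the same server."""
    out = []
    for url in URL_ATTR.findall(html):
        host = urlsplit(url).hostname
        if host:
            out.append((url, host.lower()))
    return out


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_foreign_links(html, expected_domains):
    """Flag links whose host is outside every expected domain.

    A host that contains an expected domain but does not end with it
    (e.g. www.hackpcweek.com.com) is reported as a likely typo; anything
    else outside the allowlist is reported as an external reference."""
    findings = []
    for url, host in extract_hosts(html):
        if any(host_in_domain(host, d) for d in expected_domains):
            continue
        kind = "typo" if any(d in host for d in expected_domains) else "external"
        findings.append((url, host, kind))
    return findings


if __name__ == "__main__":
    for url, host, kind in find_foreign_links(SAMPLE_HTML, EXPECTED_DOMAINS):
        print(f"{kind:8s} {host:28s} {url}")
```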
A system's security is only as good as its administrator.
The test has some flaws. They should pay the winner, fix the faulty CGI script, and try again.
... It's the responsibility of the Operating System to ensure security. blah blah blah.. It is obvious that linux does not have Enterprise-level reliability. blah blah blah... blah blah.. IIS is better than Apache... blah blah... The problem here is that the user doesn't have access to a GUI, and thus can't see problems like this... blah blah blah... Of course Microsoft would have released a service pack by now - what does the Linux offer? A cryptic "patch" option. They should have an easy-to-upgrade "click here to compromise your security" feature like NT does... blah blah blah...tune in next week for 'Why I'm so cool, and you're so not.'
--
2 Things:
#1, Absolutely nothing about NT or Linux itself.
#2, A chain is only as strong as its weakest link. In this case, the weakest link was a poor CGI.
So where from here? Let's try it with a better CGI, maybe let everyone see the conf files or something.
Or maybe PC Week should release all the conf files to the cracked box, so the Community can comment on what should/shouldn't be in there.
Since vanilla NT has virtually no remote administration or remote anything capabilities, it had a natural advantage in this test. Turn off NT File Serving, and you have to put machine code on the stack to change files (annoying and not worth $1000). On Linux, I could just root the machine and then enable telnet, configure the shell of my choice, set all my little aliases, and it would be just like home.
IMHO, NT is more secure out of the box than most Linux distros. If you want perfect security, may I recommend a piece of wood (not as much functionality as NT, but very very secure).
The rules state:
The only fair targets are the securelinux.hackpcweek.com, and securent.hackpcweek.com sites. To win the 1000 gift certificate you must mark up the home page or steal a file called top secret. Denial of Service attacks spoil it for everyone, and get nothing accomplished.
That's it. If that's all they have for official rules, then this guy should get the cash. While s/he (so as not to offend all those female crackers :) didn't exploit an OS-specific hole, the rules didn't say s/he had to, so it looks like PCWeek is out a grand on the deal. Oh well.
Looks to me like next time they need to include some fine print like every other contest does
-mike kania
but just more worthless speculation.
"Absurdly complex" appears to be quantifiable when one OS has something like 20 million lines of code and the other something on the order of 2 million.
One advantage Linux has is that it is relatively easy for a competent user to configure it the way he/she wants to. This appears to be much more difficult under NT. The "lots of little tools" philosophy isn't there -- a complex aggregate which cannot be broken down into simpler pieces is harder to understand and analyze than one that can.
In any event, anything worth doing is usually pretty tough. There's no competitive advantage in offering a service Just Like Everyone Else's, and doing easy, fully understood things isn't much fun. This goes far beyond OSes and webservers.
/Life/ is absurdly complex. Get used to it.
Remember that what's inside of you doesn't matter because nobody can see it.
Everyone so far has missed the point. This isn't (or shouldn't be) a one time thing. Both servers should be left there forever, subject to ongoing attacks. No need to pay anyone anything (maybe a T shirt or something). I think there'll be plenty of entrants without any big reward being needed.
NT gets better, Linux gets better. I don't have any axe to grind, and this outcome would please me. Better operating systems; who can be against that?
If the web server is running as nobody, then shouldn't the CGI script be running as nobody too? No competent web server admin would allow the root docs directory to have 666 permissions or run the web server as root. Was this CGI script 4755, or was the directory set up with bad permissioning?
I could see exploiting a CGI script to get it to email you a sensitive file or display sensitive information, but they must have had the web server misconfigured to make it that easy to change a page in the doc root.
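The questions above (was the doc root writable, was the CGI setuid) are exactly what a file-permission audit of the document root answers. The following is an added example, not code from the post or from the contest, that walks a document root and reports anything writable by group or world, or carrying setuid/setgid bits. It builds a small sample tree in a temporary directory with deliberately bad modes, assuming a POSIX filesystem where `chmod` is honoured.

```python
import os
import stat
import tempfile


def audit_docroot(docroot):
    """Walk a web document root and report entries whose mode lets a
    non-owner (such as the 'nobody' the server runs as) modify them, and
    CGI programs that would run with elevated identity (setuid/setgid)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are not meaningful; audit the target separately
            rel = os.path.relpath(path, docroot)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree reproducing the mistakes the post asks about:
    a 666 home page, a 4755 CGI, and a world-writable data directory."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "cgi-bin"))
    os.mkdir(os.path.join(root, "data"))
    for rel, mode, body in [
        ("index.html", 0o666, "<h1>home</h1>"),
        ("cgi-bin/form.cgi", 0o4755, "#!/bin/sh\necho ok\n"),
        ("cgi-bin/other.cgi", 0o755, "#!/bin/sh\necho ok\n"),
    ]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # chmod is not subject to umask, unlike open()
    os.chmod(os.path.join(root, "data"), 0o777)
    os.chmod(os.path.join(root, "cgi-bin"), 0o755)
    return root


if __name__ == "__main__":
    for rel, problem in audit_docroot(build_sample_docroot()):
        print(f"{problem:15s} {rel}")
```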
If someone had broken into NT via IIS would we still be saying "it's not the OS's fault"? I doubt it.
... if so, that's part of the OS in my book just as IIS shipping with NT is part of the OS when used in that fashion.
What I would like to know is, did the CGI ship with the RH distro they used
Linux Administrator's Security Guide http://www.securityportal.com/lasg/
Try going to the server configs page at www.hackpcweek.com. Note that there are configs solely for securent, none at all for securelinux. Far be it from me to be paranoid, but this lack of information leads me to suspect that the configuration of the linux server was far from optimal (even if it was hacked via a faulty closed-source CGI script). After all, if the linux box had been secured, the maintainers would know which config files had been modified, what patches needed to be applied, etc. Instead we get "reinforcement" of how "well-documented" everything in NT is, and how "poorly documented" linux is.
Also, if anyone happened to nmap the two boxen, they probably found the same thing I did...both are behind a firewall and return *identical* scans (aside from hostname):
Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
80 open tcp http
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
443 open tcp https
1080 filtered tcp socks
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
What's this? These machines are so secure that they need to be protected by a firewall? Why? Are there possibly ports on one of them that can't be disabled any other way? This is mere speculation, but if you're running a contest to show the security of a specific box, do you add external security on top of it?
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
Well, assuming they could find two equally knowledgeable sysadmins (each relative to his/her platform - yes, this is difficult) and assuming each was allowed to choose the server, scripts, etc. to be used on that platform it's a worthwhile test. It doesn't have to be the same software to be valid.
If you had a flawless operating system but the only applications available for it were crap you would have a bad server platform. In other words, there's a difference between testing an OS and testing a platform.
(Note: I'm not arguing that the case I described is the case with the linux box in the contest - linux is not flawless and apache is not crap. I know it was a bad script and this reflects badly on almost nothing else. I'm just making a point about the hypothetical validity of this kind of testing)
/* The beatings will continue until morale improves. */
Not only is it fair but maybe its important to note. Too many people, including security authorities within many companies, fail to recognize how rigorous you have to be to maintain security. You can apply every patch against every line of code on your system and still be insecure. What's worse is that because so many people rely on specialized tools, such as SATAN, to audit security they become trusting and complacent. They're a good first step but they shouldn't be the only step for mission critical equipment.
Suppose the white hat community is fully caught up with the black hat community, or maybe even a few steps ahead. Any standard script attacks against the infrastructure of your network will fail but there's still a glaring problem.
What about user software? Users like to run software. Some of the software interacts over the internet at large, such as games. Most of it is not designed by people overly concerned with security. People run poorly written CGI scripts. All of this provides the ability to get into whatever account the application was running from. Smart intruders will remain very quiet (dumb ones will post things like "Y3R 0WN3D") and bide their time. Eventually with enough patience and/or intelligence the system can be compromised further.
There's a lot of things that are secured dumbly. People are smart enough not to run web servers as root anymore. They run them as 'nobody', which is fine, but they leave 'nobody' with a valid shell which is dumb.
The only truly secure system is one that is turned off, encased in concrete and sunk in the deepest trenches in the ocean. Unfortunately that isn't terribly useful, but you can increase security by conducting 'what if' thought experiments.
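The "nobody with a valid shell" point above is easy to check mechanically. As an added example (not from the post), this parses `/etc/passwd`-format text and reports service accounts, meaning the `nobody` account and any account below the first regular-user UID, whose shell is not a known non-login shell. The sample passwd content is constructed; the UID threshold of 1000 and the set of non-login shells are assumptions that vary by distribution.

```python
# Constructed sample /etc/passwd: 'nobody' has been left with /bin/sh,
# while the other service accounts have non-login shells.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
www:x:80:80:web server:/var/www:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Shells that refuse an interactive login (assumed set; extend per system).
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd-format lines into dicts; skip comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        entries.append({
            "name": fields[0],
            "uid": int(fields[2]),
            "home": fields[5],
            "shell": fields[6],
        })
    return entries


def service_accounts_with_shells(text, min_user_uid=1000):
    """Return names of service accounts that still have an interactive shell.

    A service account is 'nobody' or any account with uid below min_user_uid,
    except root, which legitimately keeps its shell. An empty shell field is
    flagged too: login(1) treats it as /bin/sh."""
    flagged = []
    for entry in parse_passwd(text):
        if entry["uid"] == 0:
            continue
        is_service = entry["name"] == "nobody" or entry["uid"] < min_user_uid
        if is_service and entry["shell"] not in NON_LOGIN_SHELLS:
            flagged.append(entry["name"])
    return flagged


if __name__ == "__main__":
    # On a real host: open("/etc/passwd").read() in place of SAMPLE_PASSWD.
    for name in service_accounts_with_shells(SAMPLE_PASSWD):
        print(f"service account '{name}' has an interactive shell")
```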
Just lurking in all the stories about linux vs NT security challenges, and it seems like most slashdotters are incredibly one-sided in their views, driven more by a sense of rebellion than anything else.
When somebody challenges people to break into their linux box, somebody eventually does, and all kinds of excuses are offered.
When somebody challenges people to break into their NT box, the linux sneetches with stars upon thars scoff, "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!"
If linux is so secure and Windows anything is not:
If linux advocates want any credibility, they will have to stop giving knee-jerk, "heads-I-win tails-you-lose" excuses and begin to demonstrate their claims.
Joel Dueck
Well, yes, you're right. perfectly. That should be the point. Better operating systems... of course. Makes a lot of sense. But (and this is the kicker)...
... That is never going to be the point. CrackThis!(tm) challenges are always going to be about ego. The ego of the cracker. The ego of the OS community. Ego. It sounds childish and silly, but that's what it is. These contests, which seem to be common lately, are not about testing the system, really. Sure that is often a nice side effect, but really, it seems that it's more a way to "prove" that such-n-such OS is better than this-n-that OS.
Sad, but true. It should be about improving the OS, but until these contests are restructured to be less inflammatory, people are going to use them as proof for their particular OS fanaticism. That's human nature and will have to be expected in such a setting.
Now, I personally don't have anything against these contests, they do have useful results. But I don't think we can ever, realistically, expect them to be purely for improving the OS in question.
---
I hope you're not pretending to be evil while secretly being good. That would be dishonest.
But regardless of if they were careless or not, that's really a non-issue, the issue is that cgi script was at fault. I'm sure that if this script was running on the NT server, it could also have been cracked.
Fact is, we all know that Linux can squish NT flat. Let's set up a test that proves that.
See the linux user in his native habitat, he's tensed, poised, awake, and banging at his keyboard in anger that someone may have cracked his sacred linux, even if it was a cheap shot. He's letting his real skin show, and it's as ugly as the linux command prompt or the blue screen of death. He wants to set up a test that proves that linux is better. The linux user is unaware that such a test is stupid and proves nothing.
This is an interesting specimen, of course. But the average Linux or NT zealot would all speak the same way. "They know they are the best, so let's set up a test that proves it." It shows everyone that the truth is hard to deal with no matter which side of the fence you are on. They don't want security, they want their way.
Oh no! Here come Demons and TAO, "the ultimate OS" representatives! Amiga and BE! OH! The humanity, they're squabbling for leftovers! Oh, the elephant of NT is here, trying to trample them all! Penguins are being smashed by the dozens, more and more are pecking furiously at the elephant. It's getting too much for the pachyderm, it slumps down and dies. The demon rips off the trunk of the dead evil NT elephant, and the penguins keep pecking and squawking, sure of their superiority.
Is that movement in the bush? Oh, indeed it is! I can't quite make it out, but it's grabbing everything and eating them alive! Oh! The humanity!
They never saw what hit them. They were just standing there, all quacking and whatever else they might do, and something ate them all! Oh, my Lord! What predator can do such a thing? Obviously it must be higher on the evolutionary ladder!
We had best get out while we can!
Signing off, and remember, don't ever stand still and gloat and assume you're safe, or you'll get eaten.
Dan
"and this is obviously not an OS test."
/. Linux/NT flamewar, pause and reflect for a moment that maybe there might possibly be a better way...
If you take 100 users and tell them to set up a challenge like this, and in more cases the Linux box ends up getting cracked and the NT box does not, then Linux "system" is clearly less secure, regardless of whether it is the Kernel, a subsystem, an add-on package, the documentation, the ease of use, or the user's own idiocy that results in the break.
These days systems like Linux and NT are so absurdly complex that you can't talk about the security of "the operating system" in isolation.
And before you label me a MS troll, let me say that I think both NT and Linux are really lousy operating systems. They are like the left and right extremes of the political spectrum. On one hand you have the totalitarian Microsoft OS ("You *will* use it the way we tell you to") and on the other you have Linux (i.e. Unix) where everyone can have everything any way that they like, and as a result nobody can agree on what the functionality should be for any component that's higher up the evolutionary ladder than a Lego Brick.
Unfortunately most of you reading this will have grown up knowing only these two extremes, and probably have never seen an operating system that is really there to help you get the job done quickly and efficiently. Unfortunately most of these elegant and effective OS products have all but died out today because of all the foaming, heat-seeking, lusers drooling over the latest trend they read in Computerworld.
One day there *will* come a Great Operating System(tm), but it's not going to be Windows (and Microsoft probably won't write it), and it isn't going to be Linux, and it isn't BeOS, and it isn't MacOS, or any of the other current options, so as you wipe the spittle from your mouth after your latest
G.
Already we're seeing posts like "why don't the hackers leave the Linux box alone and go for the nt machine". My god how could anyone post this here at Slashdot? Think of the quote you just gave Microsoft:
"Users at the respected Linux website, Slashdot, plead with hackers to pick on NT and to leave their Linux server alone"
And how about this one. "it was a third party closed source script and not the os's fault".
Here's the headline
"Security Update: CGI-script designed to run on Linux/Apache server allows root access" (I don't think that's what happened but hey once it's in print who cares)
This article would go on to read:
A cgi-script written for the free Linux operating system and the free Apache found faulty. Sources won't reveal the name of the script and no attempt has been made to correct this problem.
Guess you get what you pay for.
written by our fav
Jessie B
We can't stop these stupid contests from going on but we can use some of the tools that the "man" uses to our benefit. Ignoring them comes to mind.
Slashdot has to walk a fine line... they are a news page first and foremost and they happen to like Linux a lot. Slashdot has an obligation? to report and no one is paying them to kill a story unlike, I'm sure, some of the other news sites/journals.
Please Slashdot just say no(tm) to stupid hype and don't post every friggin contest that comes down the pike. These articles may make for interesting/inflammatory reading but they're doing a disservice to the Linux community, nay the entire computing public.
will buy the guy a decent computer to run Linux on and run a web site.
It won't pay for the same system if he wanted to install NT Server on it.
That's me.. always thinkin...
___
"I know kung-fu."
guns kill people like spoons make Rosie O'Donnell fat.
I don't know.
I guess I've just always been of the belief that it's a Really Bad Idea to have your firewall hit unnecessarily. IOW, put the web server outside the firewall, probably on its own subnet off the incoming connection. That way, if the machine IS cracked, you don't suddenly have to worry about all your non-hardened hosts being hit from a supposedly trusted machine.
After all, once you're through the firewall, you're through the firewall, and it won't protect you anymore. If you happen to be running bad CGI, or ColdFusion, or somesuch which just screams "Crack me!", you're probably in for a much larger world of hurt if you think everything is already protected.
I know I didn't come up with that idea myself, so I must have read it someplace and it made sense. Of course, I tried proposing this at the last place I worked, and ran into a lot of resistance. They didn't want to use an old Pentium/MMX 166 for that, even though they were replacing all the secretaries' machines with PII/400s. So this probably WAS a real-world scenario.
I still contend though that the best security policy is to trust nothing, not even the firewall.
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
Hmmm.
Those are mighty sour grapes there....
Question- if the same CGI script(s) were running on both systems, why didn't it fail on the NT system as well?
Could it be that since the services are wide open on a Unix system once security is breached (single point of vulnerability- access to root), while it's more difficult to do as much through remote access on an NT system (granular security model, no remote access command prompt by default), that the faulty CGI script is a far more serious problem on Linux than on NT?
Since I don't know all the details of the failure (the links in the story point to an infantile "did too!/did not!" discussion thread) it's hard to discern the details of the test.
Linux is not that easy to setup securely. And obviously, looking at the LONG list of non-standard changes made to the NT box, neither is NT.
The point of this test is moot, since really neither OS was compromised. It was a flawed CGI script, just like the one that brought down Hotmail.
Like many others have said already. Pay up to the guy that got in. Then fix the flawed CGI (or release the source so that somebody who's competent can), and run it again. Once all the bugs are gone from the "add-ons" on both servers, then maybe we'll begin to see which is the more secure and stable OS.
I admin both NT and Linux boxes at work. I know which of the two I can rely on to stay running and keep unwanteds out. I don't think it makes me a "Linux Zealot", perhaps it just means I find Linux easier and more intuitive to admin. If somebody else finds NT to be more stable and secure for them, more power to them.
john