Slashdot Mirror


PCWeek "Hack This Page" Cracked

mrflip writes "On September 20th, PCWeek announced a $1000 contest to be the first to hack either the Linux or the NT server they set up. Well, four short days later, the Linux box seems to have been compromised. The winner states "Hi guys, It's been a nice challenge, now send me the cash :)." He explained that the exploit was not a Linux feature but was due to a closed source CGI script with improper security checks." Going to require a Solomonic ruling - the intent was to test the two OSes, and this is obviously not an OS test.

10 of 258 comments

  1. Re: No one has hacked the NT machine by Alascom · · Score: 5

    That rant of yours is very funny. Let me explain that securent.hackpcweek.com IS vulnerable. The problem isn't NT, however; it's in the HTML code on the server. Similarly, the Linux box wasn't vulnerable, but the CGI script was. YES, SECURENT CAN BE HACKED. You heard it here first.

    The rules state: break into the system, modify pages, and/or steal user information. Well, according to those rules it can be broken. Let me explain. I examined the SECURENT HTML source and noticed several links to "www.hackpcweek.com.com" (notice the extra .com). Then I contacted Curt Connell with EDS, who is Administrative contact for COM.COM. (Please don't call or bother him anymore.) A simple 'A' record in the .com.com DNS server referring 'www.hackpcweek.com.com' to my own web server would allow me to steal user information. What's more, the user would believe they were still on a real "pcweek" server seeing valid pcweek documents, allowing me to send malicious code, request confidential information, etc. Curt was unable to get "official" EDS permission to create the 'A' record, but the hack is valid and does exist. (Again, please do not bother Curt anymore.)

    A simple goof in the HTML code renders the NT box 'hackable'. A side benefit is we circumvent the Firewall, IDS and other security features by just directing to another site. Oops. The NT 'IS' vulnerable to attack. In closing, don't consider an operating system insecure based on the applications (or HTML) that's on it.

    -Alascom alascom@dc2600.com
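
    The check Alascom describes, a link audit that would have caught the stray ".com.com" references before anyone had to ask a registry contact for an A record, as an added example. This is not code from the thread or from PCWeek; the trusted-host set and the sample HTML are constructed for illustration and do not reproduce the real SECURENT source. It flags any URL-bearing attribute whose host either repeats its trailing label (the "example.com.com" pattern, a zone someone else may control) or falls outside the hosts the page is expected to reference.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the contest pages are expected to link to (assumption for this example).
TRUSTED_HOSTS = {"hackpcweek.com"}

# Constructed HTML standing in for a page that carries a typo'd link; it is not
# the real SECURENT source.
DEMO_HTML = """<html><body>
<a href="/index.html">Home</a>
<a href="https://securent.hackpcweek.com/rules.html">Rules</a>
<a href="http://www.hackpcweek.com.com/rules.html">Rules (typo)</a>
<img src="http://www.hackpcweek.com.com/images/logo.gif">
<script src="https://www.example.net/tracker.js"></script>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every URL-bearing attribute (href/src/action) on the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def host_of(url):
    """Lower-cased hostname of a URL; '' for relative references."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted(host, trusted):
    """True if host is one of the trusted zones or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def suspicious_reasons(host, trusted):
    """Why a link host deserves a look: a repeated trailing label such as
    'example.com.com' (a registrable zone under someone else's control),
    or any host outside the trusted set."""
    reasons = []
    if not host:
        return reasons  # relative URL: served from the same origin as the page
    labels = host.split(".")
    if len(labels) >= 2 and labels[-1] == labels[-2]:
        reasons.append("repeated trailing label")
    if not is_trusted(host, trusted):
        reasons.append("host outside trusted set")
    return reasons


def audit_links(html, trusted=TRUSTED_HOSTS):
    """Map each suspicious URL on the page to the reasons it was flagged."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for url in collector.urls:
        reasons = suspicious_reasons(host_of(url), trusted)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for url, reasons in audit_links(DEMO_HTML).items():
        print(f"{url}: {', '.join(reasons)}")
```

    Run against the constructed page it reports both ".com.com" URLs and the third-party script, and leaves the relative link and the securent.hackpcweek.com link alone. A src attribute on an img or script tag matters as much as an href: whatever the foreign host serves is rendered or executed in the context of the page, which is exactly the "send malicious code" outcome Alascom points at.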

  2. Well what did THIS prove? by Tarnar · · Score: 5

    2 Things:

    #1, Absolutely nothing about NT or Linux itself.

    #2, A chain is only as strong as its weakest link. In this case, the weakest link was a poor CGI.

    So where from here? Let's try it with a better CGI, maybe let everyone see the conf files or something.

    Or maybe PC Week should release all the conf files to the cracked box, so the Community can comment on what should/shouldn't be in there.

  3. CGI Script Security by Anonymous Coward · · Score: 5
    This test was a farce to begin with ...

    If the web server is running as nobody, then shouldn't the CGI script be running as nobody too? No competent web server admin would allow the root docs directory to have 666 permissions or run the web server as root. Was this CGI script 4755, or was the directory set up with bad permissioning?

    I could see exploiting a CGI script to get it to email you a sensitive file or display sensitive information, but they must have had the web server misconfigured to make it that easy to change a page in the doc root.

  4. What's notable is what's lacking on the site by emag · · Score: 5

    Try going to the server configs page at www.hackpcweek.com. Note that there are configs solely for securent, none at all for securelinux. Far be it from me to be paranoid, but this lack of information leads me to suspect that the configuration of the linux server was far from optimal (even if it was hacked via a faulty closed-source CGI script). After all, if the linux box had been secured, the maintainers would know which config files had been modified, what patches needed to be applied, etc. Instead we get "reinforcement" of how "well-documented" everything in NT is, and how "poorly documented" linux is.

    Also, if anyone happened to nmap the two boxen, they probably found the same thing I did...both are behind a firewall and return *identical* scans (aside from hostname):
    Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
    Port State Protocol Service
    21 open tcp ftp
    23 open tcp telnet
    25 open tcp smtp
    70 open tcp gopher
    80 open tcp http
    119 open tcp nntp
    139 open tcp netbios-ssn
    420 filtered tcp smpte
    443 open tcp https
    1080 filtered tcp socks
    TCP Sequence Prediction: Class=truly random
    Difficulty=9999999 (Good luck!)
    Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3
    Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
    What's this? These machines are so secure that they need to be protected by a firewall? Why? Are there possibly ports on one of them that can't be disabled any other way? This is mere speculation, but if you're running a contest to show the security of a specific box, do you add external security on top of it?

    --
    "The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
  5. Hacking CGI is fair by substrate · · Score: 5

    Not only is it fair but maybe it's important to note. Too many people, including security authorities within many companies, fail to recognize how rigorous you have to be to maintain security. You can apply every patch against every line of code on your system and still be insecure. What's worse is that because so many people rely on specialized tools, such as SATAN, to audit security they become trusting and complacent. They're a good first step but they shouldn't be the only step for mission critical equipment.

    Suppose the white hat community is fully caught up with the black hat community, or maybe even a few steps ahead. Any standard script attacks against the infrastructure of your network will fail but there's still a glaring problem.

    What about user software? Users like to run software. Some of the software interacts over the internet at large, such as games. Most of it is not designed by people overly concerned with security. People run poorly written CGI scripts. All of this provides the ability to get into whatever account the application was running from. Smart intruders will remain very quiet (dumb ones will post things like "Y3R 0WN3D") and bide their time. Eventually with enough patience and/or intelligence the system can be compromised further.

    There's a lot of things that are secured dumbly. People are smart enough not to run web servers as root anymore. They run them as 'nobody', which is fine, but they leave 'nobody' with a valid shell which is dumb.

    The only truly secure system is one that is turned off, encased in concrete and sunk in the deepest trenches in the ocean. Unfortunately that isn't terribly useful, but you can increase security by conducting 'what if' thought experiments.
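
    The two local checks raised in comments 3 and 5 (a document root the web server's account can write to, a CGI program carrying the setuid bit, and a service account like 'nobody' left with a real login shell), as one added example. This is not code from the thread or from the contest boxes; it assumes a Unix-like host, and the document root it scans and the passwd lines it parses are constructed inside the script to reproduce those misconfigurations. The service-account names and nologin shell paths are conventional defaults and are assumptions, not something the page states.

```python
import os
import shutil
import stat
import tempfile

# Shells that refuse interactive login (assumed conventional paths).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Accounts a web server is commonly run as (assumption; adjust per host).
SERVICE_ACCOUNTS = {"nobody", "www", "www-data", "apache", "httpd"}


def scan_docroot(docroot):
    """Walk a document root and report entries anyone (the web server's
    account included) could write, plus regular files that would run with
    elevated privileges. Returns a sorted list of (relative_path, problem)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def interactive_service_accounts(passwd_text):
    """Parse passwd(5)-style lines; return (user, shell) for every service
    account whose login shell is not one of the nologin shells."""
    bad = []
    for line in passwd_text.splitlines():
        if line.startswith("#"):
            continue
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # malformed line, not a passwd entry
        user, shell = fields[0], fields[6]
        if user in SERVICE_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            bad.append((user, shell))
    return bad


def build_demo_docroot():
    """Constructed document root: a 0666 index page anyone can deface, a
    0644 page that is fine, and a setuid CGI script. Hypothetical content."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "cgi-bin"))

    def write(rel, text, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

    write("index.html", "<html><body>contest</body></html>\n", 0o666)
    write("about.html", "<html><body>ok</body></html>\n", 0o644)
    write("cgi-bin/form.cgi", "#!/bin/sh\necho 'Content-type: text/plain'\necho\n", 0o4755)
    return root


# Constructed passwd lines; 'nobody' has been left with a real shell.
DEMO_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/sh
www:x:80:80:Web server:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def demo():
    """Build the constructed docroot, audit it and the passwd sample, clean up."""
    root = build_demo_docroot()
    try:
        return scan_docroot(root), interactive_service_accounts(DEMO_PASSWD)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    files, accounts = demo()
    for rel, problem in files:
        print(f"{problem:16} {rel}")
    for user, shell in accounts:
        print(f"interactive shell {user} -> {shell}")
```

    On the constructed tree the scan reports index.html as world-writable (which is all a CGI bug running as 'nobody' needs in order to replace the page) and cgi-bin/form.cgi as setuid, while about.html passes; the passwd check reports only nobody:/bin/sh. Point scan_docroot at a real document root and feed interactive_service_accounts the contents of /etc/passwd to run it for real.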

  6. Can you say "one-track mind"? by Pike · · Score: 5
    (Disclaimer: I like linux. I am trying to get it to work on my home box. This is not flame-bait, just devil's advocate material.)

    Just lurking in all the stories about linux vs NT security challenges, and it seems like most slashdotters are incredibly one-sided in their views, driven more by a sense of rebellion than anything else.

    When somebody challenges people to break into their linux box, somebody eventually does, and all kinds of excuses are offered.

    When somebody challenges people to break into their NT box, the linux sneetches with stars upon thars scoff, "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!"

    If linux is so secure and Windows anything is not:
    • Why do you refuse to prove your point by actually cracking an NT box in one of these challenges? On a related note, I have heard as an excuse for Linux in response to the ZDnet trial, "A system is only as good as its administrator." This seems true, but if you really believed it, (A) you would know that you would not be helping MS by cracking NT, you would be helping only the particular person administrating that box, and (B) you would be proving your as-yet undemonstrated point that NT is at least as insecure as Linux.
    • Why do I read, in every mailing list and newsgroup, posts from Linux people saying "HELP! Someone cracked my box! What do I DO??" These would seem to back up my first point.
    • Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL, all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a password. If you wanted Linux to be more secure, you could try making it easier to batten down the hatches.

    If linux advocates want any credibility, they will have to stop giving knee-jerk, "heads-I-win tails-you-lose" excuses and begin to demonstrate their claims.

    Joel Dueck
    1. Re:Can you say "one-track mind"? by El+Volio · · Score: 5

      You're right. It serves no purpose to ignore one box. But at the same time, for both Linux and WinNT, the statement regarding the administrator holds true. What you want is to get an absolute NT security guru to configure one box, and a UNIX/Linux security guru for the other, hopefully equalizing that portion of the test.

      It's more common for Linux users to notice the box has been cracked. Windows users who suffer BO and similar attacks may not realize that it was due to a network intrusion, and just chalk it up to the notorious unreliability of Windows. Additionally, the type of users who are "experimenting" with Linux are more likely to be interested in security (and doing things that could risk their machines!) than the average Windows user who just wants to surf the Web.

      You should not believe that merely un-checking file&print sharing will secure a Windows machine. While the rules of the contest don't count DoS attacks (since that's not the purpose of this particular evaluation), for actual consideration that would have to be a factor. Additionally, remember that this isn't just putting a Win9x or even a WinNT-WS box on the net -- it's a web server, which comes with a whole different set of challenges. With more power comes more complexity. This is true of programming, networking, race car driving, and most things in life.

      I agree with you: this should not be viewed as an "either/or" proposition, but as an ongoing process. That's the way the world works, and any test should try to reflect reality in a controlled way. IOW, control is just to take out variances by converting a variable into a constant.

      --

      "You can never have too many elephants on your team."

    2. Re:Can you say "one-track mind"? by jelwell · · Score: 5

      I think a lot of people are missing the point of open sourced security. The guy who cracked the Linux Box pointed out that the security issue was a closed-source cgi script. Everyone needs to remember that the difference that the Free Software Foundation purports between NT and Linux is that with Linux - an open sourced system - security can be proven; whereas in a closed source environment security can only be hoped for.

      I don't condone the way this "hack contest" was put together. But I also don't think the results should be invalidated. Someone earlier mentioned that "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!" - the author seems to think Linux users should all try to work collectively to hack into the NT box. Is it really that Linux users think themselves better than Microsoft? Or is it really that Linux users are overly educated in the security realms of their own world? While NT security administrators can only hope that Microsoft has protected them - without really knowing how they might be exploited - and how they might secure themselves other than just applying NT updates.

      Just remember: Open source security allows the administrator to have as much control over their security as any hacker - script kiddie or otherwise. Closed Source security means that thousands of MS employees, present and past, know more about your security and its holes than you do.
      Joseph Elwell.

    3. Re:Can you say "one-track mind"? by tgd · · Score: 5

      Why do you refuse to prove your point by actually cracking an NT box in one of these challenges? On a related note, I have heard as an excuse for Linux in response to the ZDnet trial, "A system is only as good as its administrator." This seems true, but if you really believed it, (A) you would know that you would not be helping MS by cracking NT, you would be helping only the particular person administrating that box, and (B) you would be proving your as-yet undemonstrated point that NT is at least as insecure as Linux.

      Part of the thing that people sometimes miss is the higher number of underqualified administrators administrating NT servers than Unix servers. With the meteoric rise of Linux, that's becoming less the case. These days any joe-blow can throw redhat on a machine in ten minutes and leave it at that. A few years ago it wasn't that easy.

      It's also probably worth pointing out that on the net, there's more usefulness that comes to a cracker in cracking a Unix system than an NT because of its inherent multiuser ability, and the fact that many things can be easily configured through text files. That makes them a prime target for script-kiddies, both because they're easier to reconfigure in a small amount of code, and because of the fact that actually getting into the server is more useful. Therefore, there's a lot more exploit scripts it seems for Unix than for NT. I don't think that's because of any lack of security holes in NT, but rather a lack of reasons to bother hacking an NT machine beyond pointing out to the administrators that NT is a bad solution.

      Why do I read, in every mailing list and newsgroup, posts from Linux people saying "HELP! Someone cracked my box! What do I DO??" These would seem to back up my first point.

      For the same reason as I said above, as well as the fact that most Windows users probably wouldn't notice the fact that they'd been cracked. They can't simply type "w" and see who's logged in, and they're more used to seeing their computer slowing down and having the drives running for god-knows-what-reason. Last time I was using a cable modem, there were several dozen machines that would've been rather easy to get into because they had their drive shared without a password. Short of deleting all the files, how would anyone possibly know I was in their stuff? They wouldn't. And even if I deleted any of their files, without the logging present like there is under Unix, they wouldn't be able to figure out that it was an external user that wiped the files, and not some weird glitch in the system.

      Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL, all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a password. If you wanted Linux to be more secure, you could try making it easier to batten down the hatches.

      It's more complicated because you're running a server OS. That's been discussed to death -- the fact that there aren't (yet) any good "desktop" distributions, that won't by default install all the services that aren't actually used. Linux is easy to tighten up, but you've got to know that you need to do it, and you've got to know that the desktop system you installed has as much capability as any "server". A lot of people don't know that, and don't understand what that entails.

      I'm hoping to find out that Corel's distribution ends up a "client only" distribution... that'd go a long way towards making that distinction clear.

  7. Dan Attenborough by DrMaurer · · Score: 5

    Fact is, we all know that Linux can squish NT flat. Let's set up a test that proves that.
    See the Linux user in his native habitat, he's tensed, poised, awake, and banging at his keyboard in anger that someone may have cracked his sacred Linux, even if it was a cheap shot. He's letting his real skin show, and it's as ugly as the Linux command prompt or the blue screen of death. He wants to set up a test that proves that Linux is better. The Linux user is unaware that such a test is stupid and proves nothing.
    This is an interesting specimen, of course. But the average Linux or NT zealot would all speak the same way. "They know they are the best, so let's set up a test that proves it." It shows everyone that the truth is hard to deal with no matter which side of the fence you are on. They don't want security, they want their way.
    Oh no! Here come the Demons and TAO, "the ultimate OS" representatives! Amiga and BE! OH! The humanity, they're squabbling for leftovers! Oh, the elephant of NT is here, trying to trample them all! Penguins are being smashed by the dozens, more and more are pecking furiously at the elephant. It's getting too much for the pachyderm, it slumps down and dies. The demon rips off the trunk of the dead evil NT elephant, and the penguins keep pecking and squawking, sure of their superiority.
    Is that movement in the bush? Oh, indeed it is! I can't quite make it out, but it's grabbing everything and eating them alive! Oh! The humanity!
    They never saw what hit them. They were just standing there, all quacking and whatever else they might do, and something ate them all! Oh, my Lord! What predator can do such a thing? Obviously it must be higher on the evolutionary ladder!
    We had best get out while we can!
    Signing off, and remember, don't ever stand still and gloat and assume you're safe, or you'll get eaten.

    --
    Dan