Crack.LinuxPPC.org Cracked
An anonymous reader noted that it appears that crack.linuxppc.org has been, well, cracked. There is a mirror of the defaced page at
here being hosted by attrition.org. The actual box is down as of when I type this. On the upside, it sure took a long time for someone to get in there (I'm still amused that they posted the root password). Jason Haas from LinuxPPC said
"The machine is going to Daniel Jacobowitz, who won it legitimately. The
subsequent problems occurred after Dan installed a backdoor, and have since
been cleared up.
The original problem was that proftpd-1.2.0pre4 was left running with a
/incoming directory."
I hadn't even _tried_ that one :)
Funny, that even with competitions like this, the easy holes always seem to stay open..
I think it's sort of a bad thing that the linuxppc guys missed it themselves though...
Emphyrio
Is this something new, or did they just not bother to fix it?
Is this sort of exploit a wide-spread problem, or did they just goof up?
Devilled Eggs - A disturbing little creation of mine.
The box seems to be up, with this message:
We had a sudden influx of script kiddies. Page temporarily offline until the machine is fixed.
This machine resecured courtesy of drow
I guess they're a bit irked about this latest hack.
I am totally impressed that this server stayed up and uncracked for such a long time. That is, after it woke up from its slashdot-effect induced coma.
I think more companies should do this with their beta products. It would be a great thing for companies to start putting up beta versions of their servers, securing them the best they can and opening them up for attacks. This would let everyone know if the server they are about to install can withstand the force of everyone throwing what they've got at it. If more companies started creating these open targets, it would also create a situation where anyone who did not would instantly be up for scrutiny. What better method of peer review for a software project. That, and open hacking wars like this are just plain fun.
//Pre-Coffee Phizzy
"Most European technology just isn't worth our stealing," -- Former CIA chief James Woolsey, referring to Echelon
That doesn't make sense to me. I mean, I assume that the ftpd does a chroot() to the top-level ftp directory. This, by itself, does not explain how someone got root on the machine.
there's always a way to hack a machine. just takes a while to find it i guess. Still, to keep a /incoming directory open was pretty damn stupid if you ask me.
On the other hand, regularly sweeping crack.linuxppc.org with security scanners, to see if there are any holes there could be construed as cheating, as it would present a moving target, which is virtually guaranteed to stay ahead of all currently-known exploits.
However, this -does- show the importance of such sweeps, for mainstream machines, and why it's important to take advisories seriously, either from a scanner, CERT, securityfocus, or the developer.
If you download a package off Freshmeat, which has a huge warning sign glued onto the announcement saying "DO NOT HAVE WRITABLE ANONYMOUS ACCOUNTS", I'd be willing to bet that the developer isn't asking for a plate of scrambled eggs, grits and toast.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It's available here: here and the website is here.
Funny how Freshmeat's description of it is
"Advanced, incredibly configurable and secure FTP daemon"
This will probably be counted against them, despite it not really being their fault.
Devilled Eggs - A disturbing little creation of mine.
it took so damned long not because a hack didn't exist (ProFTPd has been vulnerable for some time) but because the standard method used to crack the, a buffer overflow, probably wasn't written with PPC assembly in mind. most BO's out there are for x86, with a good number for SPARC, as well, but only recently did some PPC shellcode (along with Alpha shell code) get put out in wide release. after the ProFTPd crack was well known, it became, unfortunately, more of an exercise of security through obscurity.
a link to a recent piece on PPC shellcode is at http://packetstorm.securify.com/papers/unix/ppc.shellcode.txt. i just checked for proftpd exploits on packetstorm and found quite a few; the presence of a writable incoming/ directory helps a LOT.
so, it still took longer than most challenges out there, and that's why i like LinuxPPC for various servers. that and they're just damn fast.
jose nazario jose@biocserver.cwru.edu
Something looks a little hinky here. Is it just me, or do these things not seem to match:
"he exploited a buffer overflow in proftd. since the machine was a ppc, no one could use the pre-written exploits... the winner rewrote the exploit in ppc assembly." -comment by elixir
"meta name="GENERATOR" content="Microsoft FrontPage Express 2.0"" -from attrition.org mirror of cracked page
Is it odd that one who is capable of writing in "ppc assembly" would use FrontPage?
IANAP (I am not a programmer), but I do write all my HTML by hand. This sounds funny. Am I wrong... or missing something?
This is an honest question, not intended to be a troll.
Russ
War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
In this case, it appears that the ftp daemon was buggy, and in this particular case did the wrong thing with a writable /incoming directory. The solution is to run a different FTP daemon or to fix the bug.
In part, the responsibility for this lies with the ubiquitous use of C for Linux system programming. Guarding against buffer overflows in C is a lot of work, and it is humanly impossible to catch all the possible problems in a large program. C++ helps a lot with its string class. Writing servers in Java, Perl, Python, Eiffel, Ada, SML, or many of the other languages with runtime checking is even better.
This has been one of the most amusing posts I have read in a long time. Give him a break... at least he's not MEEPTing or pouring hot grits down his pants.
--
Don't lead me into temptation... I can find it myself.
anyone have the original modified page? one of those asshole kiddies decided to rm -rf the site. imnho, attrition shouldn't mirror the script kiddie version.
A little humor got your shorts in a knot?
The defaced page posted by attrition.org is NOT what was done when the machine was first cracked. AFAIK, the web site wasn't defaced when Dan Jacobowitz first cracked the machine, but Dan left a back door open for script kiddies to exploit and said kiddie went and did his "look at me I'm so cool send me email via hotmail - page created with frontpage" act.
Toolbox. I do a lot of HTML (it's what I do for a living), and rather than deal with the subtle annoyances of an editor (I've yet to find one that lets me tailor all the automated tags) I keep a few "toolbox" text files with commonly used scripts and tags (particularly complicated tables and generic headers). Less time is spent typing when you're cutting and pasting, and you can spend more time working out the gritty bits. The only drawback is it's easy to not want to write ANY new code . . . just rehash old stuff. Then again, I've spent all morning refining a JavaScript search I wrote, and it's almost pretty as well as functional ;-)
;-)
and this way you can keep your "text editor" pride
Bad things often happen to good people,
It is up to them to see that they remain good.
meta name="GENERATOR" content="Microsoft FrontPage Express 2.0"
I wonder if this is how Attrition.org created the page, or if the hacker put up the "I won" message with it. That would be awful, wouldn't it, a version of Linux hacked on a Microsoft machine? And posted via FrontPage, arguably the worst HTML program available? Just give me pico :)
--------
Oscarfish.com: tropical fish with attitude. Way t
A far better solution would be to not install ANY servers by default -- let the user go in and install them after the install if he wants them. For people with a legitimate need, most dists allow you to create a list of packages to install, which should work fine for any large shop that actually needs those services installed. At the same time, make it much harder to obtain a setuid bit in a standard dist. Anything that gets a setuid bit should be subjected to a source code audit to make sure that at the very least no simple buffer overflows (such as the one that compromised this machine) exist in the software. Closed source programs should probably never be allowed a setuid bit as closed source programmers tend to be sloppier and their source isn't open to review.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
A lot of us were on IRC when Dan was trying to crack the box. He realized the exploit in ProFTPd, but it still took many days to come up with the shell code.
:)
Shell code on a PPC is much more difficult to do than Intel due to the multiple caches.
Dan intentionally didn't deface the page, all he did was add his name to the end of the credits and update the "cracks" to 1.
It was a pretty amazing crack exploiting not only the program, but how the CPU controls the cache. Especially when he could barely use GDB on his own machine to debug it. (GDB got confused with the discrepancies in the cache, and the out of order execution of the CPU.)
Congrats Dan! (FYI Dan hacked into the machine well over two weeks ago..)
Hmm, seems their machine is being flooded.
Straight from the website:
We had a sudden influx of script kiddies. Page temporarily offline until the machine is fixed.
This machine resecured courtesy of drow.
Interesting.. maybe it wasn't truly cracked after all. Hehe, that would be neat.
With karma issues,
Matthew
_____________________________________
sortakinda.ca | canadian paraphrasing.
Something like cfengine would be usable to this end; make install should generate a cfengine script that validates the system configuration, with the option of either warning of problems or of fixing them.
If not cfengine, then something else may be usable.
The critical point here is for the tool used to not merely be "a shell script," as those may get diverse in style to the point of unreadability. The validation needs to be in more of a descriptive style so that it doesn't get unreadable.
If you're not part of the solution, you're part of the precipitate.
503010 login attempts that would take about 6 days assuming they worked ass backwards at one attempt per second. I wonder what kind of password gen they used?
So what exactly does this contest prove? Not that the box is secure. All it means is that the 31337 hax0r dudes couldn't find a script to gain root. How many people actually think that the real black hats will stop trying to transfer funds from NationsBank long enough to really try and break this machine. And even if master hackers did get root why would they bother to boast about it with some lame "U R Ow3nd!" page? Most likely they'd use the information to hack other boxes.
So take these "security challenges" with a grain of salt. And please, no "Why doesn't every vendor do this." posts.
G.H.
I do not want what YOU haven't got.
Just wait till some crappy band steals your nic.
> A far better solution would be to not install ANY servers by default -- let the user go in and install them after the install if he wants them.
i have linuxppc 1999, and they actually do exactly what you suggest. Nothing, not even httpd or telnetd, is turned on by default, and to turn it on you have to go into whatever that file is and uncomment out the lines. Meaning nothing gets enabled unless the user cares..
which is why linuxppc makes such a big deal about their "out of the box" security, since you're no more likely to crack linuxppc "out of the box" than the proverbial server with no network connections buried in a concrete box.. there's nothing there to crack.
i believe that the thing with the crack.linuxppc.org box specifically is that they started out with nothing enabled, and then have been slowly adding services over time in order to make hacking easier..
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
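The posts above argue for three things an administrator can verify mechanically: that an anonymous FTP tree has no writable directory like the /incoming that was left open on crack.linuxppc.org, that every setuid binary on the box is one you expected and audited, and that nothing is enabled in inetd.conf unless someone deliberately uncommented it. The following script is an added example, not code from this thread, from LinuxPPC or from cfengine; it is a plain POSIX sh validator in the descriptive "warn about problems" style the cfengine comment asks for. The directory layout, the setuid allowlist file and the inetd.conf sample it builds under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a small configuration validator. Each check prints one
# finding per line and stays silent when the check is clean, so the output
# can be fed to a pager, a cron mail or a "fix it" wrapper.

# Check 1: world-writable directories under an anonymous FTP root
# (the writable /incoming that the thread says was left open).
check_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null || true
}

# Check 2: setuid files under a tree that are not listed in the allowlist
# file (one absolute path per line). Anything printed is unaudited.
check_setuid() {
    root=$1
    allow=$2
    find "$root" -type f -perm -4000 2>/dev/null | grep -vxF -f "$allow" || true
}

# Check 3: service names of active (uncommented, non-blank) lines in an
# inetd.conf-style file. An empty result means nothing is enabled.
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -v '^[[:space:]]*$' | awk '{ print $1 }' || true
}

# Run every check against a system rooted at $1 and report in one place.
validate_system() {
    base=$1
    rc=0
    w=$(check_writable_dirs "$base/ftp")
    if [ -n "$w" ]; then printf 'WARN world-writable FTP directory:\n%s\n' "$w"; rc=1; fi
    s=$(check_setuid "$base/bin" "$base/setuid.allow")
    if [ -n "$s" ]; then printf 'WARN unaudited setuid binary:\n%s\n' "$s"; rc=1; fi
    e=$(enabled_inetd_services "$base/inetd.conf")
    if [ -n "$e" ]; then printf 'WARN inetd services enabled: %s\n' "$(echo $e)"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "OK: no findings"
    return "$rc"
}

# Constructed fixture: a throwaway tree with one problem of each kind.
# Permissions are set explicitly so the result does not depend on umask.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/ftp/pub" "$d/ftp/incoming" "$d/bin"
    chmod 755 "$d/ftp" "$d/ftp/pub" "$d/bin"
    chmod 777 "$d/ftp/incoming"                      # the classic open upload directory
    printf '' > "$d/bin/ping";  chmod 4755 "$d/bin/ping"   # expected, on the allowlist
    printf '' > "$d/bin/oops";  chmod 4755 "$d/bin/oops"   # unexpected setuid binary
    printf '%s\n' "$d/bin/ping" > "$d/setuid.allow"
    cat > "$d/inetd.conf" <<'EOF'
# constructed inetd.conf sample: telnet left commented out, ftp enabled
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
EOF
    echo "$d"
}

# Stand-alone demo: build the fixture, validate it, clean up.
FX=$(make_fixture)
validate_system "$FX"
rm -rf "$FX"
```

Against the fixture the validator reports the writable incoming directory, the setuid binary that is not on the allowlist, and the single enabled ftp service; on a real host you would point the three checks at the actual FTP root, the filesystem and /etc/inetd.conf and run it from cron or after every package install.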
You can tell FP which brand of browser you're targeting (IE, Netscape, WebTV, or a combination), which generation of browser you require as a minimum (version 3.0 and up, or 4.0 and up), which server will be hosting the pages (Apache or IIS), as well as whether or not they use FP Server Extensions. And yes, you can choose a custom option for all of those choices. Now what does this have to do with a "Best Viewed By" banner?
Cheers,
ZicoKnows@hotmail.com
hail eris
Got Rhinos?
There are alternative OS architectures. But they're rare on PCs.
We need one widely used secure OS, just so people can see what one is like.
And please, no "Why doesn't every vendor do this." posts.
Let's be careful with our non sequiturs, there, pardner.
I agree that "cracking contests" like this do NOT prove you have unbreakable security. But that doesn't mean that crack attempts are useless.
For instance, all security experts recommend that you should try to crack your own boxes to test them. How is this different?
---
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
The only people who should be shot are assholes who want to ridicule someone and call them "stupid" just because they're inexperienced. Get off your fucking high horse.
I learned a lot from that server. They left just enough running to make it difficult, but possible. Nice to see that the greatest OS and the most powerful CPU make a good team. Too bad the people who designed it didn't make it a little stronger.
=======
There was never a genius without a tincture of madness.
Languages, while not totally irrelevant, are often a bandaid for poor architectural, system, and policy decisions. Writing servers in Python (which is written in C) or in Java (whose JVM is written in C, and whose Java-to-native frontend for GCC is written in C) or in SML, or in Middle Welsh, or in Urdu, will not overcome all the problems of human stupidity, arrogance, and inexperience. The OpenBSD people did the Right and Boring and Horribly Painstaking thing and just audited everything in sight, which is why I'm setting up OpenBSD for my firewall and NAT box. Still, somebody else's empty promises won't keep me from getting 0WN3D, and my own auditing and hardening might not either.
Neither will StackGuard or MultiStack or DDD or assiduous use of MemProf, Checker, Electric Fence, and GDB. People make mistakes, not only in programs to handle incoming packets, but also in automated test harnesses, in compilers, in networking code, in firmware for NICs, in (f00f) CPUs...
I disagree with the "if you think about what you're doing" line of argument (if you think about it hard enough, your system will be infinitely secure cause you'll never write a line of code), but the "just choose a better language" schtick is even worse.
The determined Real Programmer can write Fortran in any language. I personally stick to what I'm reasonably good at (secure distributed transaction processing) and ask other people to audit the shit out of it, then tell the users how to flog me if it breaks. If you're writing daemons for more than just fun and education (i.e. if you think you suck less than I do) I certainly hope you have similar standards... hell, I'm a systems administrator, not even a developer, but I see some real circus acts billing themselves as "developers" these days...
As an aside, my personal take on the Kill-Microsoft bent is that people resent a company whose foundation is "We Know Best" and whose track record indicates "Actually, We Don't, But Pay Us Anyways".
Remember that what's inside of you doesn't matter because nobody can see it.
Please tell me you're not that dense. You see, the version 3 browsers don't support HTML 4.0. Now, you're welcome to stay back in the stone age at 3.2, but you should be aware that things have advanced since then.
Let me make it a little plainer for you - HTML should not have to be targeted to a specific browser. If it's written properly, it will look good in any browser. If you have to "target" it at all, then it's not written properly.
That's garbage. Let me guess, you have absolutely no real world experience, do you? If you did, you'd know that you can write HTML 4.0 compliant pages 'til the cows come home, and Netscape will still choke on it. What's funny is listening to the Netscape users here bitching about some "poorly written" web page that Slashdot linked to, because it shows up mangled on their browsers. Of course it looks great on IE and Opera, but since Netscape gakked on it, they think it's a coding problem.
I would say that the absolute best thing about Mozilla is that it finally puts W3C HTML 4.0-compliant browsers into the hands of people who've been stuck with the current Netscape releases. Because if there's one thing that's been holding back web development, it's Netscape's atrocious lack of support for standards. You just can't sit down and write some HTML 4.0 page and expect it to work under Netscape. That is the main reason why you see "Best viewed with Internet Explorer" banners: not because they're using IE-only extensions, but because they're using W3C-compliant HTML that Netscape can't grok. Perhaps there should be a "Best viewed with Internet Explorer or Opera" banner, or even "Best viewed with anything but Netscape" for these situations. ;-)
And there's nothing at all wrong with the way FP targets specific browser brands, because most Intranets standardize on a single browser and make use of extensions. These aren't meant to be seen on the Internet and have nothing to do with my question to the original poster, who seemed to imply that FP was capable only of producing proprietary HTML -- he quotes Berners-Lee and takes it to mean that FP is "fucked up, evil, and wrong." They have nothing to do with each other, and he's an idiot for thinking that they do.
Cheers,
ZicoKnows@hotmail.com
This site is very interesting: If you look at "http://www.attrition.org/mirror/attrition" and check the statistics, you will find that almost 65% of all the hacked servers are running NT/IIS. However, if you check "www.netcraft.com", you will see that NT/IIS are only being used on 23.5% of all the Internet servers. This makes me wonder: How can MS claim that nobody has ever proven that NT/IIS is less secure than UNIX/Apache? This is the real-world proof that NT is very very insecure!
+++
+++
NO CARRIER
If you want to see the original page, circa November, google still has it cached here. And, it looks like the links on that page still work, so you can go to the credits page and see both the number of successful cracks: 1 in the info box and the additional credit to And Daniel Jacobowitz, because good security isn't always good enough. near the end of the listing.
Nothing for 6-digit uids?
fyi, when Dan cracked the machine, he just made a couple of tiny changes to the credits page (currently online at http://crack.linuxppc.org/credits.shtml). He changed the number of successful cracks to 1, and added this line to the bottom of the credits: "And Daniel Jacobowitz, because good security isn't always good enough."
I have had the good fortune to be able to work with the developer of ProFTPd on a number of projects over the years and I assure you that he is quite competent and experienced. I suspect that you have never worked on a large scale application or you would be very familiar with the method by which bugs manage to work their way into just about any piece of software. I am curious as to your development background. It must certainly be extensive for you to so readily triumph your own programming superiority.
I'm the maintainer/developer of ProFTPD. Just a couple of notes to those who've already responded here:
1) ProFTPD has very loud notices saying that anything before 1.2.0pre8 is not to be considered secure.
2) On the whole, ProFTPD has had far, far, far fewer security issues and exploits out there than any other open-source FTP server. We take security seriously, and have always responded quickly to security issues. The code has undergone a couple of audits now. No, that doesn't mean it's 100% secure, but it does mean we've taken a close look at it, and are endeavoring to make it as secure as we can.
3) ProFTPD, when properly configured, will not run as root or with root privileges except for very limited periods for specific actions. Compiling ProFTPD with capabilities support on Linux is definitely the recommended configuration.
4) The official ProFTPD web site is www.proftpd.net.
5) The latest version of ProFTPD is 1.2.0pre9. 1.2.0final will be out this week sometime.
> Closed source programs should probably never be allowed an setuid bit as closed source programmers tend to be sloppier and their source isn't open to review.
I have to take issue with that statement. I agree that Open source has benefits in public exposure, but please don't assume that all closed source programmers are sloppier just because the public (who 99% don't look at the code) don't see the code. Code Review is an important part of any software development (open or closed).
See old Atari's come to life stonx.sourceforge.net
...actually, Linux/PPC has had updates for proftpd up for a while (I believe they have it up to pre8 or pre9 right now). But seeing as it was a stock machine, they didn't apply any of the security updates.
An os that hasn't even been released is more secure? I don't think so. When it's out and web servers use it, the bugs will start to come out of the woodwork, and keep in mind how long it takes Microsoft to fix them.
--Have a Johsonville brat.
It also encourages good security.
Plus, this was a 'legit', solicited crack. What's wrong with that?
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com)
- Jeff
You cannot speak of the security of an os that has yet to be released or used for a real web server. Rest assured, when it comes out, there will be bugs, and they will take forever to get fixed.
--Have a Johsonville brat.
html of page
See - the Mirror webmaster left the attrition watermark in!
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft FrontPage Express 2.0">
</html>
<!-- www.attrition.org web hack mirror - watermark or something -->