Slashdot Mirror


Crack.LinuxPPC.org Cracked

An anonymous reader noted that it appears that crack.linuxppc.org has been, well, cracked. There is a mirror of the defaced page here, hosted by attrition.org. The actual box is down as of when I type this. On the upside, it sure took a long time for someone to get in there (I'm still amused that they posted the root password). Jason Haas from LinuxPPC said "The machine is going to Daniel Jacobowitz, who won it legitimately. The subsequent problems occurred after Dan installed a backdoor, and have since been cleared up. The original problem was that proftpd-1.2.0pre4 was left running with a /incoming directory."

8 of 125 comments

  1. I'm a little surprised... by jd · · Score: 4
    Warnings about possible security risks of setting -any- anonymous account writable have been around for a while. Even SATAN, which is hardly new, used to complain viciously about that one.

    On the other hand, regularly sweeping crack.linuxppc.org with security scanners to see if there are any holes there could be construed as cheating, as it would present a moving target, which is virtually guaranteed to stay ahead of all currently-known exploits.

    However, this -does- show the importance of such sweeps, for mainstream machines, and why it's important to take advisories seriously, either from a scanner, CERT, securityfocus, or the developer.

    If you download a package off Freshmeat, which has a huge warning sign glued onto the announcement saying "DO NOT HAVE WRITABLE ANONYMOUS ACCOUNTS", I'd be willing to bet that the developer isn't asking for a plate of scrambled eggs, grits and toast.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. why it took so long by jnazario · · Score: 4
    hi all,

    it took so damned long not because a hack didn't exist (ProFTPd has been vulnerable for some time) but because the standard method used to crack it, a buffer overflow, probably wasn't written with PPC assembly in mind. most BO's out there are for x86, with a good number for SPARC, as well, but only recently did some PPC shellcode (along with Alpha shell code) get put out in wide release. after the ProFTPd crack was well known, it became, unfortunately, more of an exercise of security through obscurity.

    a link to a recent piece on PPC shellcode is at http://packetstorm.securify.com/papers/unix/ppc.shellcode.txt. i just checked for proftpd exploits on packetstorm and found quite a few; the presence of a writable incoming/ directory helps a LOT.

    so, it still took longer than most challenges out there, and that's why i like LinuxPPC for various servers. that and they're just damn fast.

    --
    jose nazario jose@biocserver.cwru.edu
  3. attrition.org page by little_blaine · · Score: 4

    The defaced page posted by attrition.org is NOT what was done when the machine was first cracked. AFAIK, the web site wasn't defaced when Dan Jacobowitz first cracked the machine, but Dan left a back door open for script kiddies to exploit and said kiddie went and did his "look at me I'm so cool send me email via hotmail - page created with frontpage" act.

  4. Dan's Crack by mhatle · · Score: 5

    A lot of us were on IRC when Dan was trying to crack the box. He realized the exploit in ProFTPd, but it still took many days to come up with the shell code.

    Shell code on a PPC is much more difficult to do than Intel due to the multiple caches.

    Dan intentionally didn't deface the page, all he did was add his name to the end of the credits and update the "cracks" to 1. :)

    It was a pretty amazing crack exploiting not only the program, but how the CPU controls the cache. Especially when he could barely use GDB on his own machine to debug it. (GDB got confused with the discrepancies in the cache, and the out of order execution of the CPU.)

    Congrats Dan! (FYI Dan hacked into the machine well over two weeks ago..)

  5. linuxppc already awake by mcc · · Score: 4

    > A far better solution would be to not install ANY servers by default -- let the user go in and install them after the install if he wants them.

    i have linuxppc 1999, and they actually do exactly what you suggest. Nothing, not even httpd or telnetd, is turned on by default, and to turn it on you have to go into whatever that file is and uncomment the lines. Meaning nothing gets enabled unless the user cares..
    which is why linuxppc makes such a big deal about their "out of the box" security, since you're no more likely to crack linuxppc "out of the box" than the proverbial server with no network connections buried in a concrete box.. there's nothing there to crack.

    i believe that the thing with the crack.linuxppc.org box specifically is that they started out with nothing enabled, and then have been slowly adding services over time in order to make hacking easier..

  6. UNIX security is hopeless. by Animats · · Score: 4
    Look. The problem is architecture. Nothing that has servers running as root is ever going to be secure. The amount of trusted software is just too large. The problem is that so many people have seen nothing but the UNIX/NT model of the world that they don't realize there are other ways to design a system.

    There are alternative OS architectures. But they're rare on PCs.

    • Systems with "mandatory security". This is the feature that gets you above the C level in the Orange Book standards. In the mandatory security world, there is no root login, and as you increase in privilege level, you can read less and less. If you log in as the security officer, you can only read security-officer level files and use special security-officer tools; you can't use the system normally. So viruses, etc. can't leak upwards. Conversely, programs running at high security levels can't write data to lower levels, so classified data can't leak down.
    • Transaction processing OSs, the archetype of which is IBM's CICS. Think of an OS architected to run CGI-BIN programs, each in its own protected space.
    • Capability-based systems, like EROS and KeyKOS. Unfortunately, the people who write these tend to be incomprehensible. And work on EROS seems to have stopped since the key people graduated. EROS is GPL'd, and someone might pick it up and bring it up to the point that it was usable. Any takers?

      We need one widely used secure OS, just so people can see what one is like.

    1. Re:UNIX security is hopeless. by Kaufmann · · Score: 4

      In capability-based systems, users or user accounts do not "own" processes, per se. There are specific objects that do disk maintenance; these objects possess very specific capabilities that allow them to manipulate storage, but little else. The user, in turn, acquires capabilities that allow him to tell these objects to do certain things.

      Philosophically, capability systems are much more egalitarian than ACL-based systems; they are also much closer to the real world: you don't see "root people" going around doing anything they want to everyone else's property, do you? (Well, actually, you do: they're called the police force. We're working to fix that bug by the next release. :])

      --
      To the editors: your English is as bad as your Perl. Please go back to grade school.
  7. ProFTPD by MacGyver · · Score: 4

    I'm the maintainer/developer of ProFTPD. Just a couple of notes to those who've already responded here:

    1) ProFTPD has very loud notices saying that anything before 1.2.0pre8 is not to be considered secure.

    2) On the whole, ProFTPD has had far, far, far fewer security issues and exploits out there than any other open-source FTP server. We take security seriously, and have always responded quickly to security issues. The code has undergone a couple of audits now. No, that doesn't mean it's 100% secure, but it does mean we've taken a close look at it, and are endeavoring to make it as secure as we can.

    3) ProFTPD, when properly configured, will not run as root or with root privileges except for very limited periods for specific actions. Compiling ProFTPD with capabilities support on Linux is definitely the recommended configuration.

    4) The official ProFTPD web site is www.proftpd.net.

    5) The latest version of ProFTPD is 1.2.0pre9. 1.2.0final will be out this week sometime.
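As an added example (not from the thread, and not the ProFTPD project's own sample config), here is a proftpd.conf fragment in ProFTPD's Apache-like syntax that illustrates the two points raised above by jd (writable anonymous areas) and by the ProFTPD maintainer (not running as root): the first Anonymous block reproduces the kind of freely writable /incoming setup the story describes, the second restricts the same directory so anonymous users can only upload, never list or fetch, and the daemon drops to an unprivileged identity. Only one of the two Anonymous blocks should be active in a real file; the paths, user names and client limit are assumed values.

```apacheconf
# Daemon-wide settings: bind port 21 as root, then run as an unprivileged
# identity for everything else.
ServerType  standalone
User        nobody
Group       nogroup
Umask       022

# WEAK: anonymous area with an unrestricted drop box. Anything uploaded
# can be listed and fetched again by anyone, and the writable anonymous
# directory is exactly the condition the advisories warn about.
<Anonymous /home/ftp>
  User              ftp
  Group             ftp
  UserAlias         anonymous ftp
  RequireValidShell off
  <Directory incoming>
    <Limit WRITE READ DIRS>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>

# CORRECTED: same anonymous area, write access denied tree-wide, and the
# drop box (if one is still required) limited to upload only.
<Anonymous /home/ftp>
  User              ftp
  Group             ftp
  UserAlias         anonymous ftp
  RequireValidShell off
  MaxClients        10
  # Nothing under the anonymous root may be written by default.
  <Limit WRITE>
    DenyAll
  </Limit>
  <Directory incoming>
    # Uploaded files are created unreadable to other FTP users.
    Umask 077
    # Allow STOR (upload) only; listing and retrieval stay denied so an
    # uploaded file cannot be handed back out to the next visitor.
    <Limit STOR>
      AllowAll
    </Limit>
    <Limit READ DIRS>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
```

Whichever block is kept, the incoming directory on disk should also be owned by the ftp user with no world-write bit, since the Limit directives only constrain what the FTP daemon itself will do.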