Posted By: Ray6 | Mar 30th, 2008 @ 1:07 AM
Comments: 24 | Views: 3462
On the final day of the PWN 2 OWN contest, only the Linux box was left standing.

Vista fell after 2 days of intensive effort; the winner used a flaw in the Java runtime to gain control of the Windows box. It wasn't all plain sailing though: Shane Macaulay needed help from VMware's Alexander Sotirov to get his code working. Apparently, Vista SP1 comes with additional security measures that he wasn't expecting. He also got a little help from co-worker Derek Callaway (does this mean they share the computer they won?)

Macaulay had this to say about his win:

PC World wrote:
"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."


He chose to work on Windows because having done contract work for Microsoft, he's more familiar with their products.

But onto the winner!

Several attendees attempted to crack the Linux box, but none were successful. However, some of the show's 400 attendees had found bugs in the Linux operating system, but apparently didn't want to put the work into developing the exploit code that would be required to win the contest.

Now what is that all about? I thought the whole idea of open source was to get this sort of thing out into the open.

Still a good effort that shows that two other vendors still have some work to do.

Macaulay also had something to say about the Mac's showing at the event.

PC World wrote:

Earlier, Miller said that he chose to hack the Mac because he thought it would be the easiest target. Vista hacker Macaulay didn't dispute that assertion: "I think it might be," he said.


Full details at PC World


Now I imagine there is going to be some debate as to whether this is actually a Vista flaw, or a problem with Java. I would say both. The problem is caused by Sun, but it is also Microsoft's job to protect the user from weird behaviour in applications. I wonder if we're going to see increasing use of virtual machines for hijacking purposes.





ZippyV
Fired Up
Wasn't it Flash that had the flaw?
CannotResolveSymbol
{insert caption here}
Isn't this like the fifth thread about this competition?
mVPstar
I'm white because I smelt an onion.
I like how the people who know of Linux bugs conveniently decide not to bother exploiting the Linux machine. Wonderful. Perplexed
Bass
Channel 9, best used in moderation
I think I will try Linux. What distros do you guys recommend?
GoddersUK
I CAN has cheezburger and you CAN'T has stop me!
Bass wrote:
I think I will try Linux. What distros do you guys recommend?


Search the web and try and find one that will easily support all your hardware.

Gnome pwns kde.
Xaero_Vincent
Sexy me
Bass wrote:
I think I will try Linux. What distros do you guys recommend?


Fedora 9 will be released a month from now.

Fedora 9 has lots of new features but the coolest are Ext4, easy encrypted filesystems, support for upgrading the distro,  FreeIPA (an alternative to Active Directory for Linux/Unix, Windows login and authentication), and support for GSM and CDMA broadband cards in NetworkManager.
For me Ubuntu 7.10 is real good, it's the only OS I have on my machine.
Plus they also send me the CDs free of charge, I don't even have to pay shipping, lol.

Xaero_Vincent wrote:

Fedora 9 has lots of new features but the coolest are Ext4, easy encrypted filesystems, support for upgrading the distro,  FreeIPA (an alternative to Active Directory for Linux/Unix, Windows login and authentication), and support for GSM and CDMA broadband cards in NetworkManager.

+ Fedora 9 Accepted Features
blowdart
Peek-a-boo
Xaero_Vincent wrote:

Fedora 9 has lots of new features but the coolest are Ext4, easy encrypted filesystems, support for upgrading the distro,  FreeIPA (an alternative to Active Directory for Linux/Unix, Windows login and authentication), and support for GSM and CDMA broadband cards in NetworkManager.


But I already have all of that under Vista *grin*
Xaero_Vincent
Sexy me
blowdart wrote:
But I already have all of that under Vista *grin*


LOL. Well you cannot argue with that logic.

But I think it's cool how Fedora will soon have the functionality of a domain controller/directory server in which Linux, Unix, OS X, and Windows clients can log into.

FreeIPA will supposedly have a browser configuration interface, in addition to command-line tools.

IIRC, Linux was typically considered a poor choice for authentication servers.
Bass
Channel 9, best used in moderation
Xaero_Vincent wrote:

blowdart wrote:
But I already have all of that under Vista *grin*


LOL. Well you cannot argue with that logic.

But I think it's cool how Fedora will soon have the functionality of a domain controller/directory server in which Linux, Unix, OS X, and Windows clients can log into.

FreeIPA will supposedly have a browser configuration interface, in addition to command-line tools.

IIRC, Linux was typically considered a poor choice for authentication servers.


FreeIPA does it support things like what GPO does in Active Directory?
stevo_
Human after all
Ah cmon guys, congrats to 'linux' for winning something.. even if it is by default..
Xaero_Vincent
Sexy me
Bass wrote:
FreeIPA does it support things like what GPO does in Active Directory?


Yes, that is part of the goal of the project: to provide central audit and policy management of users and remote clients.

But I don't expect we'll see anything comparable to group policy in v1.0, which is what we'll see in Fedora 9. I think the first version will mainly be for basic management of users and their authentication credentials.

You'll probably have to wait until FreeIPA 2.0 (August 2008) for a full-fledged alternative to Active Directory and Group Policy.
blowdart
Peek-a-boo
Xaero_Vincent wrote:


IIRC, Linux was typically considered a poor choice for authentication servers.


Kerberos would beg to differ Big Smile
Ray6 wrote:
On the final day of the PWN 2 OWN contest, only the Linux box was left standing.
...
Several attendees attempted to crack the Linux box, but none were successful. However, some of the show's 400 attendees had found bugs in the Linux operating system, but apparently didn't want to put the work into developing the exploit code that would be required to win the contest.

Now what is that all about? I thought the whole idea of open source was to get this sort of thing out into the open.


Come now, if they had written the exploit code then Linux wouldn't have "won" by default Wink. One thing about Linux is that you have no guarantee that two computers (even from the same distro) are set up anywhere near the same and one exploit on one machine may not work on another.

Although without knowing what the bugs were the exploit could have been far too complex to just write on the spot given the time allowed. Just because a bug exists doesn't mean it's easy to turn it into an exploit.

I do find it interesting that they had to resort to a 3rd party app's flaws to attack Vista. I wonder how much, if any, of the resilience of Vista itself was from things like UAC (preventing most if not all silent installs) and the various new features to protect the kernel (user mode driver parts, new audio stack, etc).
Isshou wrote:

Although without knowing what the bugs were the exploit could have been far too complex to just write on the spot given the time allowed. Just because a bug exists doesn't mean it's easy to turn it into an exploit.

Yup. One of the points of being able to compile your customized (different switches/patch levels) packages is that, when an unknown exploit is discovered, the hole in your copy of the software could have a different effective entry point. So chances are your exploitable service gets knocked down during the first wave of automated attacks instead of having your system compromised.

Writing an automated attack for a single hole in Linux can be complicated because for every single version, there could be hundreds of switch/patch level combinations available in public (note that even if a package maintainer group does not have patches, each distro may make its own patches to make it compatible with its configurations). But running the attack once on the target server can bring it down immediately.

So given limited time, it's not easy to compromise a Linux target unless you know how the owner has built it.

Xaero_Vincent
Sexy me
cheong wrote:
Yup. One of the points of being able to compile your customized (different switches/patch levels) packages is that, when an unknown exploit is discovered, the hole in your copy of the software could have a different effective entry point. So chances are your exploitable service gets knocked down during the first wave of automated attacks instead of having your system compromised.

Writing an automated attack for a single hole in Linux can be complicated because for every single version, there could be hundreds of switch/patch level combinations available in public (note that even if a package maintainer group does not have patches, each distro may make its own patches to make it compatible with its configurations). But running the attack once on the target server can bring it down immediately.

So given limited time, it's not easy to compromise a Linux target unless you know how the owner has built it.


This is true.

But I'll add, a prereq for exploiting holes in distributions like RHEL and Fedora would be to bypass all the additional security mechanisms before a successful system compromise can occur. Depending on the nature of the hole, it may or may not be difficult to work around these security layers.

However, even after all the odds are beaten, how long do you think a security hole in a FOSS product (let alone one that's knowingly exploited) goes unpatched for? A couple of days to a week?

Despite some dumb Linux zealots who think Linux/Unix is immune, all credible distribution vendors know better and never screw around when it comes to patching; even the Ubuntu team has this part right.
rjdohnert
You will never know success until you know failure
PC/OS  http://pc-os.org

OpenSuse http://opensuse.org

If you don't have a CS degree, don't bother with Fedora 9

Bass wrote:
I think I will try Linux. What distros do you guys recommend?
rjdohnert wrote:
PC/OS  http://pc-os.org

OpenSuse http://opensuse.org

If you don't have a CS degree, don't bother with Fedora 9

While I do agree the Fedora series needs some in-depth computer knowledge to use smoothly and set up correctly, the funny (or not so funny) thing is that I do not have any university degree of any kind.

For anyone planning to stay long with Linux, self-learning is important.

Xaero_Vincent
Sexy me
rjdohnert wrote:
If you don't have a CS degree, don't bother with Fedora 9


I don't agree with that assertion.

Fedora, especially the latest incarnations, is no more difficult to use than other distributions.

It's just that Fedora doesn't come with proprietary drivers and media codecs by default.

OpenSUSE might have more comprehensive GUI tools (YaST), but it's hardly a silver bullet.
GoddersUK
I CAN has cheezburger and you CAN'T has stop me!
Xaero_Vincent wrote:
It's just that Fedora doesn't come with proprietary drivers and media codecs by default.


Read: "Is completely crippled"
GoddersUK wrote:


Read: "Is completely crippled"

Well, it depends on how you look at it.

Windows XP (or even Vista) also doesn't come with many codecs installed by default. That's why you need something like the k-brand codec pack.

On the other hand, I don't really want a commercial server to have something useless like a lossless codec installed by default.

I don't think having to download something when needed is "crippled", but I have no problem if you think otherwise.

Anyway, if you ever need something that doesn't come with the Fedora install disk, there's always freshmeat, and there's a very good chance you can find the package you need there. *importing yum repo*
