Fedora Linux Support Community & Resources Center

FedoraForum.org > Fedora 19/20 > Security and Privacy

#16
26th July 2012, 01:42 PM
stevea
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Quote:
Originally Posted by droidhacker
What Linux does that neither of the other two do, is it restricts the damage to the specific user account owned by the moron who let the trojan execute.
No - it's restricted only by whatever context the Java applet runs in; and then the subsequently downloaded backdoor may have a similar/same context.

You think only morons are involved in executing code from unknown websites? "Pride goeth before destruction, and an haughty spirit before a fall." IOW you've got your head in the sand.


Quote:
This does not, in any way, demonstrate a vulnerability in Linux. Nor, is Linux the "target". The target is the MORON AT THE KEYBOARD.
So you do know that browsers typically run javascript w/o constraint - right? A lot of things most ppl use regularly depend on it. Even worse, they toss data at exec'ed processes like a flash plugin or Adobe reader or ... and IF they can create an exploit from that data ... Anytime you run any program on untrusted data you are taking a chance. It doesn't matter if it's an expected email attachment verified from your boss that passes all the filters.

Quote:
Now interestingly, some Linux systems actually do implement a (partial) protection against a moron user. Android isolates each application under its very own user and has a well described set of permissions. What that means is that a trojan is restricted to ITSELF and whatever is accessible by whatever specific set of permissions that the application requests.... so you can instantly know that the "big boobies" application that requests authorization to send SMS messages, read your contact list, and access the internet.... is clearly up to no good.
Meh - Android - at least the 2.3.4 I've worked with does have some reasonable concessions to security within and between Java apps. Native apps run and are far less constrained. A real kernel-imposed MAC like this is still needed to catch up to Fedora.
http://www.eweek.com/c/a/Security/NS...licies-324639/
Even that isn't enough when there is such a target rich environment as Android phones.

Quote:
Bottom line: I have no sympathy for "victims" of trojans.
Be sure to scrawl that on your forehead. If you believe that every exploit comes with a big red stop sign that only a moron would ignore - then YOU are the moron.

You ignore that any time you apply a program to uncontrolled data you create a potential for exploit. If you use email, browsers or even yum or use wifi in the wild - then YOU are the moron you've been waiting for.

Some of you suffer from a bad case of this ....
http://en.wikipedia.org/wiki/Hubris
#17
1st August 2012, 03:09 PM
droidhacker
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Quote:
Originally Posted by stevea
No -it's restricted only by whatever the context the java applet runs in; and then the subsequent download backdoor may have a similar/same context.
In general. Whether it's a Java applet or a binary executable. And, of course, that context is restricted to the current user's privileges.... so if it's a listening backdoor, it is restricted to ports 1024 or higher.

And if the account is severely compromised, the sysadmin can vaporize it while leaving the rest of the system intact.

Quote:
You think only morons are involved in executing code from unknown websites ? "Pride goeth before destruction, and an haughty spirit before a fall." IOW you've got your head in the sand.
As I mentioned, its damage potential is restricted to the user account under which it is being executed.

Quote:
So you do know that browsers typically run javascript w/o constraint - right ? A lot of things most ppl use regularly depend on it. Even worse they toss data at exec'ed processes like a flash plugin or Adobe reader or ... and IF they can create an exploit from that data ... Anytime you run any program on untrusted data you are taking a chance. It doesn't matter if it's an expected email attachment verified from you boss that passes all the filters.
And restricted to the user account under which it is being executed.

Quote:
Meh - Android - at least he 2.3.4 I've worked with does have some reasonable concessions to security withing and between java apps. Native apps run and are far less constrained. A real kernel imposed MAC like this is still needed to catch up to Fedora.
http://www.eweek.com/c/a/Security/NS...licies-324639/
Even that isn't enough when there is such a target rich environment as Android phones.
From what I read, that is basically an override of the requested permission set. I.e., application requests permission to access camera, se-android says "fook off". In general, Android offers a set of permissions, and it is up to the USER to decide whether they trust the software developer with those permissions.

You simply CAN'T get beyond this concept and continue to offer a computer that can actually be used for general purpose computing.

Look, we know that NOTHING is INVULNERABLE. That isn't the point I'm making AT ALL.

Quote:
Be sure to scrawl that on your forehead. If you believe that every exploit comes with a big red stop sign that only a moron would ignore - then YOU are the moron.
Where did I say that? I never said that it was universally TRIVIAL to spot attempted exploits, but that it is absolutely the USER's responsibility.

Quote:
You ignore that any time you apply a program to uncontrolled data you create a potential for exploit. If you use email, browsers or even yum or use wifi in the wild - then YOU are the moron you've been waiting for.
Not at all. Only if the program you're applying does something potentially dangerous with that data. If it does, you'd better damned well take precautions to limit the reach of the damage, such as NOT RUNNING IT AS ROOT, or not running it as a user with access to sensitive information, or sandboxing it in a virtual machine, or running it on standalone bare metal that you're going to blank out immediately after you've completed.

If you're a computer user who likes to use KEYGEN's (on wondoze) to pirate software, you're probably best off running it on a machine that you're OK with blanking out IMMEDIATELY after running it.... or run it in a chroot jail from a new/blank user account under wine without any network access and then vaporize it when you're done with it.


In order for a computer to be USEFUL, the user MUST have the option to run things that are potentially dangerous. USER'S RESPONSIBILITY to THINK about what they're doing and not fall for cheap exploits.

#18
1st August 2012, 03:50 PM
pete_1967
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Quote:
Originally Posted by droidhacker
As I mentioned, its damage potential is restricted to the user account under which it is being executed.


And restricted to the user account under which it is being executed.
http://en.wikipedia.org/wiki/Privilege_escalation
http://searchsecurity.techtarget.com...alation-attack

'nuff said.
#19
1st August 2012, 04:21 PM
jpollard
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

And those are exactly what SELinux defends against.
#20
1st August 2012, 09:03 PM
Fenrin
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

There is a NVIDIA Linux binary exploit that gives Root Access. The anonymous user claims that he gave the exploit to NVIDIA more than 1 month ago. nvidia linux binary driver priv escalation exploit

Just a few months ago Nvidia closed a high-risk security flaw: NVIDIA 295.40 Closes High-Risk Security Flaw
and a few years back: NVIDIA Driver Security Exploit

It seems the closed source Catalyst driver is a bit better with hiding its secret security holes (or it doesn't have any, which is probably rather unlikely).
#21
2nd August 2012, 12:36 AM
pete_1967
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Quote:
Originally Posted by jpollard
And those are exactly what SELinux defends against.
And of course SELinux is perfect and bug free and policies are always faultless and everyone has it always enabled...
#22
2nd August 2012, 08:18 AM
Yellowman (Guest)
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Quote:
Originally Posted by Fenrin
There is a NVIDIA Linux binary exploit that gives Root Access. The anonymous user claims that he gave the exploit to NVIDIA more than 1 month ago. nvidia linux binary driver priv escalation exploit

just a few month ago Nvidia closed a high-risk security flaw: NVIDIA 295.40 Closes High-Risk Security Flaw
and a few years back: NVIDIA Driver Security Exploit

It seems the closed source Catalyst driver is a bit better with hiding its secret security holes (or it doesn't have any, which is probably rather unlikely).
It's true


http://pastebin.com/Gg0LBBUA

Code:
[leigh@main-pc Desktop]$ ./nvidia
[*] IDT offset at 0xffffffff81dea000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff81deadc0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
[*] Have root, will travel..
sh-4.2# whoami
root
sh-4.2#

#23
2nd August 2012, 10:35 AM
stevea
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Quote:
Originally Posted by droidhacker
In general. Whether its a java applet or a binary executable. And, of course, that context is restricted to the current user's privileges.... so if its a listening backdoor, it is restricted to ports 1024 or higher.
So what? That particular exploit was reported to download some sort of shell and then create an outbound TCP connection to the bad guys. It need not listen on any port for that. On nearly every PC there is a 'main user' and if you keylog them, or scan the user's I/O, then you've taken all the valuables.

Quote:
And if the account is severely compromised, the sysadmin can vaporize it while leaving the rest of the system intact.
That's great thinking if you're running a corporate network or a 1970s timeshare system, but if YOU are the main PC user, and YOU use it for, say, online banking, and if YOU are compromised with a keylogger - then no sysadmin can help. The problem isn't that you need to eliminate the exploit and tainted account - the problem is that your valuables are gone.

Of course the corporate admin should also be concerned that all the company secrets that the exploited user had access to are also compromised and no amount of account wiping will fix that either.

In short - who cares if the "rest of the system is intact" after the bad guys take all the value. "You lose millions but at least you don't need to scrub to bare metal" is not a good outcome.

Quote:
As I mentioned, its damage potential is restricted to the user account under which it is being executed.
Right - so they steal YOUR bank account, credit cards and retirement savings, YOUR company secrets but they can't subvert the system as part of a DoS attack. Does that sound like a good outcome ???

Quote:
From what I read, that is basically an override of the requested permission set. I.e., application requests permission to access camera, se-android says "fook off". In general, Android offers a set of permissions, and it is up to the USER to decide whether they trust the software developer with those permissions.
It does assign DAC uids for processes, but since these are DAC and not MAC it means IF the process is subverted then the restrictions can be removed. It's not as tight as SELinux.


Quote:
You simply CAN'T get beyond this concept and continue to offer a computer that can actually be used for general purpose computing.
Sure you can. But it involves MAC and contract based transactions and other features that are still 'in development'.




Quote:
Where did I say that? I never said that it was universally TRIVIAL to spot attempted exploits, but that it is absolutely the USER's responsibility.
Go re-read your post#3 where you mock victims of trojans describing them as morons. You apparently don't understand that we all apply uncontrolled data to potentially exploitable programs with sufficient privilege (even under SELinux) all day long and therefore an exploit is quite possible with no particular moronic behavior on the part of the user.

You browse to a webpage with a jpeg image and the jpeg exploits a vulnerability in the image display software and POOF - all your keystrokes are going to Russia. All the exploit needs is access to the X11 and the network for client tcp, and SELinux certainly allows that.

It is NOT moronic to use a browser and view an image, and that could be all that is required.
You can't blame the user for not avoiding such an exploit - that's ridiculous.
It would be very nice to sandbox all the browser accesses & plug-ins more tightly than we currently do - but even that isn't going to provide perfect protection - merely isolation. That doesn't solve the "lost valuables" problem.

Quote:
Not at all. Only if the program you're applying does something potentially dangerous with that data. If it does, you'd better damned well take precautions to limit the reach of the damage, such as NOT RUNNING IT AS ROOT, or not running it as a user with access to sensitive information, or sandboxing it in a virtual machine, or running it on a standalone bare metal that you're going to blank out immediately after you're completed.
FAIL ! You really don't understand the issues.

Of course these programs do something potentially dangerous by design. Think real hard about what yum does and then tell us how you do this job w/o privilege or virtualized or sandboxed - impossible. If someone slips a bad package into the repos with a proper signature - you are seriously boned and there is no reprieve. If the repo is hacked and someone installs repodata that uses an exploit inside your yum binary - then you are seriously boned with no reprieve.

Consider your email client or your browser. These take UNCONTROLLED data and process it, so if there is any potential exploit in the data processing code then they can be subverted, and these each typically have access to X11 and to the network and perhaps user files making the potential damage severe.

If you run your browser in a sandbox - this only limits the scope of the exploit. The exploit can't impact the rest of the system or even the rest of the user's files - but it can keylog X11 and send the keystrokes out via the internet. This doesn't make online money accounts any safer than no sandbox. I know people who do online banking from a bootable CD/browser - the ideal sandbox - just to avoid any installable exploit - but that doesn't prevent dynamic exploits. If you view the bad jpeg before banking - you may well lose your authentication. Sandboxing isolates damage and prevents access to local data, but does not prevent exploits, merely restricts their access.

Quote:
In order for a computer to be USEFUL, the user MUST have the option to run things that are potentially dangerous.
Yes - users MUST be able to do things that are potentially dangerous - like change their files or send/receive data on the inet, or use X11, enter authentications.

Quote:
USER'S RESPONSIBILITY to THINK about what they're doing and not fall for cheap exploits.
FAIL! All the thinking in the world can't tell you that the logo jpeg in the corner of your bank's login page contains a Mozilla display code exploit that creates a keylogger. This is not a case where more caution is helpful. Assigning this responsibility to the user's caution when there are zero warning signs is a ridiculous assessment of blame.

Yes - in the most typical cases the user's caution MAY avoid an exploit, but this is only true when there are warning signs. Such warning signs can be entirely absent even when an exploit is present.
#24
2nd August 2012, 12:20 PM
Yellowman (Guest)
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Quote:
Originally Posted by Yellowman
[post #22 quoted in full]
At least ssh is safe from this exploit as it requires X to be running directly to work, i.e. it's local only.
#25
2nd August 2012, 01:50 PM
jpollard
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Quote:
Originally Posted by pete_1967
And of course SELinux is perfect and bug free and policies are always faultless and everyone has it always enabled...
Not perfect, not faultless, but that is what it is designed for and it works quite well at isolating user faults from the system.

Having it enabled is up to the owner of the system.
#26
2nd August 2012, 03:53 PM
droidhacker
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Quote:
Originally Posted by stevea
[post #23 quoted in full]
Blah blah blah, READ THE F***ING CODE.
If you aren't smart enough to protect yourself, you deserve whatever you do to yourself.

Incompetence is not an excuse.
#27
2nd August 2012, 05:29 PM
Dan (Administrator)
Re: Cross-platform Trojan attacks Windows, Intel Macs, Linux

Well ... this one's about run its useful course.

Thread closed.