
Mitnick on OSS 286

comforteagle writes "Infamous cracker Kevin Mitnick (turned security consultant) has come out to say that he'd prefer to 'hack' open source code vs proprietary closed code. "Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called 'fuzzing'." He further says that open source is more secure, but leaves you wondering if enough people are really interested in securing open source code."
  • What is Fuzzing? (Score:5, Informative)

    by PlayCleverFully ( 947815 ) on Monday January 30, 2006 @11:38AM (#14598583) Homepage
    Many of you may be unfamiliar with the term "fuzzing."

    I was, when I read the article, and have done some research; fuzzing is:

    What is fuzzing?
    - Sending semi-random data to an application
    - Semi-random: good enough so it'll look like valid data, bad enough so it might break stuff
    - When people hear "fuzzing" they immediately think HTTP, THERE IS MORE TO FUZZING THAN JUST HTTP !!!
    - You can fuzz:
    -- Network protocols
    -- Network stacks
    -- Arguments, signals, stdin, envvar, file descriptors, ....
    -- APIs (syscalls, library calls)
    -- Files

    In general, most of the time it is a waste of time, but if you are "lucky" you could find a vulnerability and maybe with a little more research a way to exploit the code.

    More information can be found at this PDF Article - http://static.23.nu/md/Pictures/FUZZING.PDF [23.nu] (Very Large 90+ Pages)
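The "semi-random" idea in the post above, as an added example that is not part of the thread or the linked PDF: a toy length-prefixed record format (constructed here), a parser that trusts its length fields beside a bounds-checked one, and a mutation fuzzer that starts from a valid sample and damages it. Only the checked parser survives; the unchecked one crashes with IndexError, which is the kind of signal a fuzzer looks for. `encode`, `mutate`, `fuzz` and the format itself are assumptions of this example.

```python
import random
MAGIC = b"FZ"

def encode(records):
    # Valid sample: magic, record count, (length, payload)..., one checksum byte.
    body = MAGIC + bytes([len(records)]) + b"".join(bytes([len(r)]) + r for r in records)
    return body + bytes([sum(body) & 0xFF])

SEED = encode([b"abc", b"de"])                    # constructed sample input

def parse_unchecked(buf):
    # Toy parser that trusts the count and length fields (deliberately unchecked).
    if buf[:2] != MAGIC:
        raise ValueError("bad magic")             # a controlled rejection
    count, pos, records = buf[2], 3, []           # IndexError if fewer than 3 bytes
    for _ in range(count):
        length = buf[pos]                         # IndexError once a length runs off the end
        records.append(buf[pos + 1:pos + 1 + length])
        pos += 1 + length
    if buf[pos] != sum(buf[:pos]) & 0xFF:
        raise ValueError("bad checksum")
    return records

def parse_checked(buf):
    # Same format; every read is bounds-checked and bad input is rejected with ValueError.
    if len(buf) < 4 or buf[:2] != MAGIC:
        raise ValueError("bad header")
    count, pos, records = buf[2], 3, []
    for _ in range(count):
        if pos >= len(buf) - 1 or pos + 1 + buf[pos] > len(buf) - 1:
            raise ValueError("record overruns buffer")   # keep room for the checksum byte
        length = buf[pos]
        records.append(buf[pos + 1:pos + 1 + length])
        pos += 1 + length
    if pos != len(buf) - 1 or buf[pos] != sum(buf[:pos]) & 0xFF:
        raise ValueError("bad trailer")
    return records

def mutate(buf, rng):
    # Semi-random: start from a valid sample and damage it in one of four ways.
    b, i = bytearray(buf), rng.randrange(len(buf))
    op = rng.randrange(4)
    if op == 0: b[i] ^= 1 << rng.randrange(8)              # flip one bit
    elif op == 1: del b[i:]                                 # truncate
    elif op == 2: b.insert(i, rng.randrange(256))           # insert a junk byte
    else: b[i] = rng.choice([0, 1, 0x7F, 0xFF])             # extreme value, often hits a length
    return bytes(b)

def fuzz(parser, seed, iterations, rng_seed=1):
    # Feed mutated inputs to parser; count exceptions other than the expected ValueError.
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(iterations):
        try:
            parser(mutate(seed, rng))
        except ValueError:
            pass                                            # rejected cleanly: fine
        except Exception as exc:
            crashes[type(exc).__name__] = crashes.get(type(exc).__name__, 0) + 1
    return crashes
```

Run `fuzz(parse_unchecked, SEED, 500)` and `fuzz(parse_checked, SEED, 500)` to compare the two parsers; the same idea scales to real file or protocol parsers by swapping in a real seed and a real mutator.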

  • by IAAP ( 937607 ) on Monday January 30, 2006 @11:47AM (#14598659)
    "... You'd think that with OSS, with more people looking at the code, you're more apt at finding security holes. But are enough people really interested?"

    Oh, really? I think so.

    In this day and age with all of the security problems (especially with MS), OSS trying to gain market share, I'd think that every OSS coder would be really mindful of any potential holes. Especially if he knew that another developer would be looking at it. I would be really embarrassed (if I were a developer) if I got an email saying something to the effect of "Hey dumbass, nice job of preventing buffer overflow there at line: xxx in abcdef.c! Don't worry, no one will EVER exploit that hole!"

  • by MustardMan ( 52102 ) on Monday January 30, 2006 @11:47AM (#14598660)
    Agreed. It would take a pretty crappy admin to have "./" in his default path, and even crappier to have it BEFORE the /bin and /sbin.
  • by Anonymous Coward on Monday January 30, 2006 @11:48AM (#14598672)

    The machine might slow or freeze but an admin will notice this process and go into the users directory (as root) and type "ps -al" to see all the existing processes. Instead, it executes your "ps" virus

    Do any UNIX-style systems ship with the current directory in $PATH for root? That's a stupid thing to do and as far as I'm aware, this practice died out years ago for precisely the reason you describe.

  • by ookaze ( 227977 ) on Monday January 30, 2006 @11:50AM (#14598688) Homepage
    I'm sure there's a hundred things wrong with what I've said, I'm not a hacker

    You mean, like what you said there:
    The machine might slow or freeze but an admin will notice this process and go into the users directory (as root) and type "ps -al" to see all the existing processes. Instead, it executes your "ps" virus and subsequently, the spinlocking stops with "ps" printed to output with the super user killing "la" and thinking everything is fixed

    Of course, unless the superuser deliberately destroyed the security of his Linux and added "." to his PATH, this would never happen, as it would not execute the "ps" in the user's directory.
    But I see your point.
  • Makes no sense (Score:5, Informative)

    by brunes69 ( 86786 ) <[slashdot] [at] [keirstead.org]> on Monday January 30, 2006 @11:58AM (#14598757)

    I'm sure there's a hundred things wrong with what I've said, I'm not a hacker--I just like to point out possible security holes.

    Let's dive into what *is* wrong...

    First of all, files in your home directory are normally not in your $PATH on any Linux system. Anyone who has their system set up like this, *let alone* having their $HOME have priority over /sbin and /usr/sbin, deserves to be shot.

    Secondly, a webserver should (and does by default in any distro I know of) run as the nobody/httpd/apache/someone user, and does not have a home directory. So any exploit in the web server would not allow you to write a 'la' binary anywhere.

    Third, your whole attack scheme is just a big run around for no reason. If you can write a binary called 'la', why wouldn't you just write it as 'ls' in the first place, instead of crossing your fingers and hoping he mistypes? And if you can write a binary to disk, you can also obviously execute it, so why don't you? Why would you wait around? Is it because you hope someone is going to log in as root and run it? Because if that is the case, you will be way out of luck, because root *never* has $HOME in his path (and the webserver shouldn't be able to write to /root anyways).

    This isn't how these kinds of attacks work... what *usually* happens is, the buffer overflow allows one to write and execute files as the unprivileged user. The cracker attacks and does this to gain a remote shell on the machine, as this unprivileged user. They then use this shell to try to find holes in other system services that may not be remotely exploitable, for example say mysql or postgresql. If mysql is running locally and not set up right, they could use it to gain full superuser privilege by SELECT'ing to a file. Then, all bets are off.
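A defender-side check for the PATH conditions the last few posts argue about (the current directory or an empty element in PATH, a home-directory entry searched before the system binary directories, and a world-writable directory where an unprivileged process could drop a binary). This is an added example, not code from the thread; `SYSTEM_DIRS` and `audit_path` are assumptions of the example.

```python
import os
import stat

SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")   # assumed set of trusted binary dirs

def audit_path(path_value, home=None, check_fs=False):
    # Returns a list of findings for one PATH string; an empty list means nothing looked wrong.
    entries = path_value.split(":")
    findings = []
    for i, entry in enumerate(entries):
        if entry in ("", "."):
            # POSIX treats an empty element like ".": the current directory is searched.
            findings.append(f"entry {i}: current directory is searched ({entry!r})")
        elif not entry.startswith("/"):
            findings.append(f"entry {i}: relative path {entry!r} resolves against the cwd")
        if home and (entry == home or entry.startswith(home.rstrip("/") + "/")):
            shadowed = [d for d in SYSTEM_DIRS if d in entries[i + 1:]]
            if shadowed:
                findings.append(f"entry {i}: {entry!r} is searched before {shadowed}")
        if check_fs and entry.startswith("/") and os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            # World-writable without the sticky bit: anyone can plant a binary there.
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(f"entry {i}: {entry!r} is world-writable")
    return findings

if __name__ == "__main__":
    # Audit the running user's own PATH, including the on-disk permission check.
    for line in audit_path(os.environ.get("PATH", ""), home=os.path.expanduser("~"), check_fs=True):
        print(line)
```

Run it as root's and as the web server user's account to see each one's effective PATH; the string checks work on any PATH value, the permission check only on directories that exist on the host.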

  • by penguin-collective ( 932038 ) on Monday January 30, 2006 @01:13PM (#14599482)
    Why would you listen to anything Mitnick has to say? His attacks were based on social engineering, and he got caught. He's missed nearly a decade of technological development, and he wasn't a technical genius to start with either. And if it hadn't been for Shimomura's and Markoff's success in manipulating and blowing the story out of proportion for their own fame and fortune, Mitnick wouldn't have been more than a footnote.
  • by Zphbeeblbrox ( 816582 ) <zaphar@gmail.com> on Monday January 30, 2006 @01:18PM (#14599525) Homepage
    Having contributed to OSS projects and seen the process of contributing, I can say that yes, code is generally checked out. A common practice is getting automated emails of CVS/SVN commits and seeing what happened. There are people on projects whose primary job is monitoring those commits. Patches get reviewed before getting put into CVS. But the primary benefit is the testing. People run the software and report bugs. Lots of bugs. They find those holes and they find them quicker than in closed source development. They use them in production environments (not necessarily for production) and report on real world results across a wide range of platforms and environments. They do those things the developer never expected and report on the results. That kind of asset is nothing to sneeze at. Not every project has this kind of community but the popular ones tend to.
  • by DrSkwid ( 118965 ) on Monday January 30, 2006 @02:15PM (#14599966) Journal
    plan9 does

    but that's because in plan9 there is no way to escalate privileges, because there aren't any privileges to escalate to.

  • Re:Doublespeak ? (Score:3, Informative)

    by kesuki ( 321456 ) on Monday January 30, 2006 @05:46PM (#14601949) Journal
    treat a collection of people as an individual (Is there a fallacy name for this too?)

    Yes, http://en.wikipedia.org/wiki/False_dichotomy [wikipedia.org] anytime you create an 'excluded middle' it's a false dichotomy, so treating the actions of a group of individuals as a 'collective' with a single opinion and trying to point out where they are being 'inconsistent' is ignoring the fact that it's possible for a large group to have two or more subsets of people who believe different points of view are correct.

    It also ignores that the opinion is that 'open source allows more people to discover the vulnerabilities so they can be 'repaired' more quickly', that makes 'open source' more secure. It's not some intrinsic nature of open source, it's simply that if an open source project is dedicated to securing code there are plenty of white hats who will help them find and secure the holes in a timely manner.

    An organization who prefers to favor 'security through obscurity' such as Microsoft and would have no intention of 'patching every hole they know about even if it breaks program X Y or Z' has no valid reason to consider open source. One has to desire to make the code more secure with open source, or else one simply makes exploiting the code easier.
