Gentoo Archives: gentoo-desktop

From: Lindsay Haisley <fmouse-gentoo@×××.com>
To: gentoo-desktop@l.g.o
Subject: Re: [gentoo-desktop] Vulnerabilities on an RFC-1918 masqueraded Linux box.
Date: Wed, 23 Mar 2011 18:48:12
In Reply to: Re: [gentoo-desktop] Vulnerabilities on an RFC-1918 masqueraded Linux box. by Roman Zilka
On Wed, 2011-03-23 at 10:44 +0100, Roman Zilka wrote:
> Apart from that, you may once in a while get tempted to open a piece of
> spam which just happens to look so legitimate. And this item happened
> to contain a 1x1 pixel white image which abused a hole in libmng which
> you'd always ignored, because you just never view mng files.
I think you mean "libpng", not "libmng". I can't find any references to the latter. This exploit is apparently a design error in the library and is rated as being of low risk for Linux. You can get your Linux desktop DoS'd, apparently, but I find no reference to a viral infection or a wider system compromise. Reboot and carry on :-)

My hypothetical question said "Please cite specific viruses/trojans" which can affect a Linux desktop box. There's a difference between an exploit vulnerability which can open up a box from the inside to intrusion, and persists across reboots, and a vulnerability via an open port or exposed service which requires that the services be accessible from the Internet cloud. A javascript which can lock a box into an infinite loop, or a libpng vulnerability which can effectively DoS a box doesn't rise to this level. Can we assume that there's no port exposure in a box masqueraded on a RFC1918 network? I'm not sure, which is why I posed the question.

With perhaps a very few exceptions these exploits are aimed at MS Windows boxes. Recent Flash vulnerabilities, for instance, are listed as affecting "Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player for Android" but the report goes on to say that "There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows." No mention of Linux, and I can find no references to a web or email borne exploit found in the wild that actually generates an *infection* on a Linux box. Consider this a challenge, if you will, since I'd love to be proved wrong on this last point and learn something.

One of the reasons I use Linux is because real infections of any sort via email or web are extremely rare. This isn't to say that they're non-existent, and there's no such thing as absolute security, but prevention of such problems is a matter of keeping up with CERT bulletins.
A quick search on US-CERT's website is pretty reassuring. Searching for Linux turns up virtually nothing from the past several years, although I do know that there was a nasty glibc vulnerability not too long ago. There's a difference, however, (subtle as it may be) between getting infected by a virus and getting cracked by an intruder.
> DNSSEC is also on the table nowadays. No firewall will protect you from
> spoofed DNS replies that will lead your browser to a malicious site.
We've seen this. I'm not running DNSSEC on my DNS servers but I've taken other measures to avoid cache poisoning on them. One of my clients, using one of RoadRunner's DNS servers, did have this problem, from a Windows box, and got a very fake Google front page!
> Also, you mentioned earlier that you access various VPNs. I don't know
> much about VPNs, and topologies and configurations may clearly vary
> broadly, but I suppose there can be a setting such that your PC will
> get exposed to direct traffic from the VPN peers. NAT or not NAT.
Absolutely! If a skilled cracker were to compromise one of my servers, or one of my clients' servers to which I'm connected via VPN, then I'm a sitting duck, assuming said cracker has the skill to figure out how to traverse the VPN and compromise _my_ Linux security. My VPNs are wide open, for a reason. My question is a hypothetical one, however, regarding general security, and the issue of VPNs relates only to my particular setup. And this involves an "exploit" of a connected box, not a virus/trojan infection, as per my question.

One always learns far more from one's failures than from one's successes. My Linux servers _have_ been hacked. The biggest hole on my servers is PHP, and all the break-ins on them have been via large PHP mega-apps (e.g. WordPress). Most recently we had a customer's WordPress installation compromised and the attacker was trying to exploit a known vulnerability in the local glibc. He managed only to totally DoS the box and I had to get an on-site admin to re-boot it. I've locked down execute perms on wget, which is what most of these black-hats use to load in their cracking tools, and we've had zero problems since. But this is server stuff, and OT for this forum.

-- 
Lindsay Haisley       | "Fighting against human creativity is like
FMP Computer Services |  trying to eradicate dandelions"
512-259-1190          |  (Pamela Jones)
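The question raised in this thread (whether a box masqueraded on an RFC 1918 network, or one with VPN peers, has any port exposure) is one you can answer for a given host by looking at what is actually listening and on which addresses. The script below is an added example for this archive page, not code from either poster; it parses listening-socket lines in the format of `ss -Hltn` (the sample lines are constructed, including the 10.8.0.2 address standing in for a VPN interface) and reports every socket that is reachable from LAN or VPN peers, i.e. anything not bound to loopback. A socket bound to 0.0.0.0 or :: is reachable on every interface, including a VPN tunnel, regardless of NAT at the border.

```python
import ipaddress

# Constructed sample in the shape of `ss -Hltn` output: State Recv-Q Send-Q Local Peer.
# These addresses and ports are made up for the example; 10.8.0.2 plays a VPN tunnel address.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 192.168.1.10:3306 0.0.0.0:*
LISTEN 0 128 10.8.0.2:8080 0.0.0.0:*
LISTEN 0 128 [::1]:25 [::]:*
LISTEN 0 128 [::]:80 [::]:*
"""


def parse_local_addr(token):
    """Split an ss local-address token into (host, port).

    Handles both '0.0.0.0:22' and bracketed IPv6 such as '[::]:80'.
    """
    host, _, port = token.rpartition(":")
    return host.strip("[]"), int(port)


def classify(host):
    """Describe who can reach a socket bound to this address."""
    if host in ("0.0.0.0", "::", "*"):
        return "all-interfaces"          # every NIC, including VPN tunnels
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback-only"           # local processes only
    if ip.is_private:
        return "rfc1918-or-ula"          # reachable from the LAN / tunnel on that address
    return "public-address"


def exposed_listeners(ss_output):
    """Return (host, port, class) for every listener reachable from another host."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = parse_local_addr(fields[3])
        kind = classify(host)
        if kind != "loopback-only":
            exposed.append((host, port, kind))
    return exposed


if __name__ == "__main__":
    # On a real host, feed the output of `ss -Hltn` instead of the constructed sample.
    for host, port, kind in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{host}:{port} -> {kind}")
```

Run against the constructed sample it lists four sockets as reachable from peers (22 and 80 on all interfaces, 3306 on the LAN address, 8080 on the tunnel address) and ignores the two loopback-bound ones. The same check on a live host tells you which services NAT is not protecting once a VPN peer or another LAN host is the source.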