[plug] windows and dhcp

Leon Brooks leon at brooks.fdns.net
Wed Feb 28 13:23:19 WST 2001


Christian wrote:

> On Wed, Feb 28, 2001 at 10:46:01AM +0800, Leon Brooks wrote:
>  
> 
>>> Does Windows 9x run a DHCP server??
>> 
>> No, it runs a DHCP client which believes anything you tell it.
> 
> 
> A bit like DNS really...
> 
> 
>>> And if you were running a default install of Windows then those FTP and
>>> DNS probes would have zilch effect.  As I said, the default installs of
>>> most Linux distributions would be vulnerable to a remote root exploit.

>> Actually, the default ``Paranoid'' install for Mandrake 7.2 adds 
>> ``ALL:ALL EXCEPT localhost:DENY'' to /etc/hosts.deny and a portscan 
>> reveals -nothing-. It also installs a SolarDesigner-patched kernel, 
>> which fixes about 2/3 of all application buffer overflows - yes, even 
>> ones which haven't been detected.

> A *TCP* portscan.  Most DNS utilises UDP so this helps not one iota.

Well, yes it does help. It performs some attrition on the opportunities 
for successful attacks. SaMBa is the only other UDP-based service I use 
(and that I've seen installed by non-admins) with any regularity, and 
the default installation of SaMBa is not useful to a cracker (at least, 
not yet).

It also took nearly a year before the BIND shipped with MDK7.2 was 
discovered to be vulnerable - something of a record these days - and MDK 
now installs BIND to run as a separate user (not root) so breaking it is 
of much more limited use to a cracker.

Mandrake also include easy and/or automated updating utilities, so any 
system using these would be updated within hours or days of the 
vulnerability becoming known, and will be again if any future 
vulnerability arises. I guess the same protection arrives with Debian, 
and would be surprised if RedHat aren't up to speed on it yet.

> As for the Openwall kernel patch, it makes the stack non-executable
> which stops buffer overflows that execute on the stack, i.e., most stock
> exploits.

It does several other things to make breakage harder, and to slow 
post-breakage cracker progress.

> It doesn't stop buffer overflows in general and all those
> stack smashing exploits can easily be re-written to execute their
> shellcode on the heap.

Some can, some can't, but OpenWall does a lot more than simply making 
the stack non-executable.

> It's a band aid security measure, nothing more
> -- this is why it hasn't made it into the official kernels.

Linus's attitude is ``fix the apps.'' My attitude is ``more layers of 
security, please!'' So I use kernels with SolarDesigner's patches (and a 
few others). An interesting future change to Linux software would be the 
mandatory inclusion of an email address in every application to which 
the kernel can send email if it prevents a buffer overflow. The 
down-side would be receiving a million coredumps a day after someone 
releases a buffer-overflow-dependent trojan.

> As non-executable stacks I predict we'll see more exploits written to
> attempt both and the protection will be worth nothing.

Yes and no. First off, that's only circumvention of the protection from 
one aspect of OpenWall. Second off, cracks are now one step harder. 
Granted, that won't stop *all* crackers - probably won't even stop 
*most* crackers - but it will exceed the difficulty threshold of *some* 
crackers, and that's a help.

>>> At least with Windows the user has to run malicious code to give a
>>> remote attacker complete control over their machine.

>> No, all the user has to do is *receive* (not even read) email. Complete 
>> service, we come to you... open wide!

> This is Outlook-specific and, for what little it's worth, the
> vulnerability has been patched.

*If* you get the latest greatest patches - and what else have M$ missed 
in Outlook? And shall we consider IE? These and other tools are 
installed by Windows even if you explicitly tell it not to, so must be 
considered to be part of the OS.

>> -- 
>> I bought a new computer;
>> it came fully loaded.
>> The warranty was for 90 days,
>> but in 30 't'was outmoded.

> So you put Linux on it? ;-)

(-:

``O poor miserable me, my gateway box is only a 1GHz Athlon... and it 
runs Linux so I have to fire up a raytracer (or lock up Netscape) if I 
want my coffee warmed...''

-- 
I don't know what's scarier - losing nuclear weapons or that it
happens so often that we have a name for it. -- Giles Prentice, "Broken 
Arrow"
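The exchange above turns on what the Mandrake ``Paranoid'' hosts.deny rule actually covers. The following is an added example, not code from the original post or from the tcp_wrappers project: a small Python evaluator of hosts.allow / hosts.deny semantics (hosts.allow consulted first, then hosts.deny, default allow; `EXCEPT` handled) over a constructed copy of the quoted rule. The `WRAPPED_SERVICES` inventory is a hypothetical assumption standing in for which daemons on a given box run under tcpd or libwrap; it is what makes Christian's point visible, since a daemon such as `named` that answers UDP itself is never consulted against the file at all.

```python
"""Toy tcp_wrappers-style evaluator (added example, not the post's or the library's code).

Simplifications (assumptions): rules are `daemon_list : client_list [: ALLOW|DENY]`,
lists are comma-separated, and the only client patterns handled are ALL, LOCAL,
literal hostnames/addresses, and `list EXCEPT list`. Clients are passed in as the
already-resolved name or address; real libwrap does the reverse lookup itself.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample files mirroring the Mandrake 7.2 "Paranoid" rule quoted in the thread.
HOSTS_ALLOW = """
# empty on purpose: nothing is explicitly allowed
"""
HOSTS_DENY = """
ALL: ALL EXCEPT localhost: DENY
"""

# Hypothetical inventory of daemons on this box that pass through tcp_wrappers.
# named (BIND) serves UDP 53 directly and is deliberately absent.
WRAPPED_SERVICES = {"in.ftpd", "in.telnetd", "sshd", "smbd"}


@dataclass
class Rule:
    daemons: str
    clients: str
    action: Optional[str]  # explicit ALLOW/DENY, or None to inherit the file's meaning


def parse_rules(text):
    """Parse one hosts.allow/hosts.deny file; '#' starts a comment, blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        action = parts[2].upper() if len(parts) > 2 else None
        rules.append(Rule(parts[0], parts[1], action))
    return rules


def _match_list(pattern, value):
    """Match `value` against a comma-separated list, honouring `A EXCEPT B`."""
    upper = pattern.upper()
    if " EXCEPT " in upper:
        idx = upper.index(" EXCEPT ")
        head, tail = pattern[:idx], pattern[idx + len(" EXCEPT "):]
        return _match_list(head, value) and not _match_list(tail, value)
    for item in (p.strip() for p in pattern.split(",")):
        if item.upper() == "ALL":
            return True
        if item.upper() == "LOCAL" and "." not in value:  # unqualified local names
            return True
        if item.lower() == value.lower():
            return True
    return False


def decide(service, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow', 'deny', or 'unwrapped' for a connection attempt.

    Order matches the library: hosts.allow first match wins, then hosts.deny,
    and a client matched by neither file is allowed.
    """
    if service not in WRAPPED_SERVICES:
        return "unwrapped"  # the daemon never asks; the files cannot help here
    for rule in parse_rules(allow_text):
        if _match_list(rule.daemons, service) and _match_list(rule.clients, client):
            return "deny" if rule.action == "DENY" else "allow"
    for rule in parse_rules(deny_text):
        if _match_list(rule.daemons, service) and _match_list(rule.clients, client):
            return "allow" if rule.action == "ALLOW" else "deny"
    return "allow"


if __name__ == "__main__":
    for svc, cli in [("in.ftpd", "203.0.113.5"), ("in.ftpd", "localhost"),
                     ("named", "203.0.113.5")]:
        print(f"{svc:10s} from {cli:14s} -> {decide(svc, cli)}")
```

Running it shows the deny-all rule stopping a wrapped service for any remote client while leaving localhost alone, and `named` reported as `unwrapped`: the UDP resolver has to be protected by the daemon itself (running unprivileged, kept patched) or by packet filtering, which is the part of the picture hosts.deny does not reach.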
