[plug] windows and dhcp

Christian christian at amnet.net.au
Wed Feb 28 14:05:55 WST 2001


On Wed, Feb 28, 2001 at 01:23:19PM +0800, Leon Brooks wrote:
 
> >> Actually, the default ``Paranoid'' install for Mandrake 7.2 adds 
> >> `ALL:ALL EXCEPT localhost:DENY'' to /etc/hosts.deny and a portscan 
> >> reveals -nothing-. It also installs a SolarDesigner-patched kernel, 
> >> which fixes about 2/3 of all application buffer overflows - yes, even 
> >> ones which haven't been detected.
> 
> > A *TCP* portscan.  Most DNS utilises UDP so this helps not one iota.
> 
> Well, yes it does help. It performs some attrition on the opportunities 
> for successful attacks. SaMBa is the only other UDP-based service I use 
> (and that I've seen installed by non-admins) with any regularity, and 
> the default installation of SaMBa is not useful to a cracker (at least, 
> not yet).

As I already said, with the attacks on BIND it won't help.  Not only
does it not help with UDP-based DNS queries but it also won't help with
TCP queries either unless named is linked against libwrap.  On the
systems I checked it isn't so tcpwrappers is useless for this.

> It also took nearly a year before the BIND shipped with MDK7.2 was 
> discovered to be vulnerable - something of a record these days - and MDK 
> now installs BIND to run as a separate user (not root) so breaking it is 
> of much more limited use to a cracker.

This makes it the virtual equivalent of having a password-less account
available on your machine.  Not root, just a small step away though.
Thank god you installed Mandrake, huh? ;-)

> > It doesn't stop buffer overflows in general and all those
> > stack smashing exploits can easily be re-written to execute their
> > shellcode on the heap.
> 
> Some can, some can't, but OpenWall does a lot more than simply making 
> the stack non-executable.

I understand that they virtually all can.  I know about the other things
it does too -- my point is still that the default installs of most Linux
distributions are less secure than Windows.  OpenWall doesn't change
that.

> Linus's attitude is ``fix the apps.'' My attitude is ``more layers of 
> security, please!'' So I use kernels with SolarDesigner's patches (and a 
> few others). An interesting future change to Linux software would be the 
> mandatory inclusion of an email address in every application to which 
> the kernel can send email if it prevents a buffer overflow. The 
> down-side would be receiving a million coredumps a day after someone 
> releases a buffer-overflow-dependent trojan.

Sounds like a good DoS. 

> > As non-executable stacks I predict we'll see more exploits written to
> > attempt both and the protection will be worth nothing.
> 
> Yes and no. First off, that's only circumvention of the protection from 
> one aspect of OpenWall. Second off, cracks are now one step harder. 
> Granted, that won't stop *all* crackers - probably won't even stop 
> *most* crackers - but it will exceed the difficulty threshold of *some* 
> crackers, and that's a help.

Once the kiddies have their point and click exploits, it won't stop ANY
crackers.  So what other aspects of OpenWall do you feel will prevent
some kiddy rooting a system with an old version of BIND?

> > This is Outlook-specific and, for what the little it's worth, the
> > vulnerability has been patched.
> 
> *If* you get the latest greatest patches - and what else have M$ missed 
> in Outlook? And shall we consider IE? These and other tools are 
> installed by Windows even if you explicitly tell it not to, so must be 
> considered to be part of the OS.

Undoubtedly they've missed a lot.  I wonder how many more holes there
are in GNU/Linux though.  Probably at least as many.  At least in
Windows 9x they aren't all exposed to the world by default.  Either way,
let's not get carried away speculating about vulnerabilities in Phase 1
of the Window of Exposure -- let's stick to the ones we know exist and
are present on every new Linux install made by hapless newbies the world
over.
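One way to verify the libwrap point made earlier in this reply (hosts.deny only bites for daemons that consult libwrap), as an added example that is not part of the thread: a toy evaluator for the Mandrake "Paranoid" hosts.deny rule quoted above, paired with a check of whether a daemon binary is linked against libwrap at all. The ldd listings and the client address are constructed samples, and real tcpwrappers matching is richer than this (no host patterns or option fields are handled).

```python
import shutil
import subprocess

# Constructed sample: the Mandrake 7.2 "Paranoid" rule quoted in the thread.
HOSTS_DENY = "ALL: ALL EXCEPT localhost: DENY\n"
# Constructed ldd listings (load addresses elided): named without libwrap, sshd with it.
LDD_NAMED = "\tlibc.so.6 => /lib/libc.so.6 (0x0)\n\t/lib/ld-linux.so.2 (0x0)\n"
LDD_SSHD = "\tlibwrap.so.0 => /usr/lib/libwrap.so.0 (0x0)\n\tlibc.so.6 => /lib/libc.so.6 (0x0)\n"

def parse_rules(text):
    """Parse hosts.deny lines into (daemons, clients, exceptions) tuples.
    Simplified: ALL, exact names and one EXCEPT in the client list only."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        clients, _, exceptions = fields[1].partition(" EXCEPT ")
        rules.append((fields[0].split(), clients.split(), exceptions.split()))
    return rules

def _matches(pattern, name):
    return pattern == "ALL" or pattern == name

def denied(rules, daemon, client):
    """True if some rule names this daemon and this client, minus its EXCEPT list."""
    for daemons, clients, exceptions in rules:
        if any(_matches(d, daemon) for d in daemons) \
                and any(_matches(c, client) for c in clients) \
                and not any(_matches(e, client) for e in exceptions):
            return True
    return False

def links_libwrap(ldd_output):
    """True if an ldd listing shows the binary dynamically linked against libwrap."""
    return any(ln.strip().startswith("libwrap.so") for ln in ldd_output.splitlines())

def hosts_deny_applies(rules, daemon, client, ldd_output):
    """The deny rule only matters if the daemon consults libwrap in the first place."""
    return links_libwrap(ldd_output) and denied(rules, daemon, client)

def binary_links_libwrap(path):
    """Same check against a real binary via ldd; None when ldd is unavailable."""
    ldd = shutil.which("ldd")
    if ldd is None:
        return None
    out = subprocess.run([ldd, path], capture_output=True, text=True).stdout
    return links_libwrap(out)
```

On a live system, run binary_links_libwrap("/usr/sbin/named") (path assumed) to see whether hosts.deny has any effect on that daemon.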
