[conspire] linux antivirus?

Blue Boar BlueBoar at thievco.com
Thu Sep 11 18:37:49 PDT 2003

Rick Moen wrote:

> (FYI, dates cited for the 1i0n and lpdw0rm appearances refer to the
> _first_ versions of each, per my googling.  That googling is not
> guaranteed infallible:  I didn't exactly do a major research project on
> this stuff.)
> OK, we're talking about poorly maintained Red Hat boxes again; I can
> tell.  How?  Because this was a canned 'sploit in April 2001, targeted
> almost entirely at Red Hat 7.0 boxes still running a ridiculously
> long-vulnerable version of lprng.  (lprng is a slightly revised version
> of the crufty old BSD lpr print daemon.)

Those were both Red Hat-specific, in that the flavors of shellcode used 
would only work on Red Hat.  (If memory servers at all, the vuln affected a 
couple of other distros, too.)

> Now, I have a question for you:  Why the _hell_ would anyone with an
> ounce of common sense _not only_ turn on a notoriously vulnerable,
> obsoletely designed[1] print daemon, but also leave it accessible from
> the global Internet?

I can think of three answers: 1) That's the way it installed out of the 
box, 2) Obviously, they had no common sense, 3) What does it matter?  It 
demonstrates my point that, yes, dumb Linux users/admins do exist.

> But wait, it gets better:  The vulnerability that lpdw0rm exploited had
> been discovered in _October 2000_ or earlier.  How do I know this?
> Because that's when RH released package LPRng-3.6.24-2 specifically to
> close it -- labelled as fixing "a critical string format bug".
> Therefore, anyone caught with his pants down by lpdw0rm (any variant)
> had been failing to install a blatantly needed and widely available
> security update for 5+ months -- to fix a hole that had been known for
> at least that long and possibly longer.

Longer, I think I counted 6 months at the time.  So why didn't they patch 
them?  Could it be that, yes, some set of Linux users will exhibit 
behaviour that helps out the Linux malicious code?

> So, I have just about zero sympathy.  We're talking massive negligence,
> here.  

That question was not whether they deserve sympathy, it's whether an 
enviornment that supports a nice, healty collection of malicious code can 
exist on the Linux platform.

At least, that's the question I've been tryin to ask... if you've been 
answering "will deserving Linux users get infected", then I see my mistake.

 >>Most of them get root by popping a root service, too.
> This is not exactly true:  Didn't BIND8 and lprng run in those days as
> SUID-root monolithic binaries?  Therefore, escalating to root wasn't
> required:  The thing was already using root authority, and all you
> needed was something like a string-handling bug to subvert it remotely. 

Yes, that would be my definition of "root service", a network service 
running as root...So the shellcode was running as root.  Sorry if my 
terminology wasn't clear.

So, uh... we're you trying to support your position on the subject, or mine? :)


More information about the conspire mailing list