[sf-lug] Advantages of distro package regimes
Kristian Erik Hermansen
kristian.hermansen at gmail.com
Wed Dec 26 11:17:32 PST 2007
On Dec 26, 2007 1:33 PM, Charles N Wyble <charles at thewybles.com> wrote:
> Your comments above imply that you know something about the security of
> medibuntu. If you know of a vulnerability in their systems or processes
> and do not report it to them you are doing a disservice to the
> community. I certainly hope this is not the case?
It has nothing to do with specific vulnerabilities, although even if I
did know something, it does not mean I am bad for not reporting it.
There are rampant vulnerabilities all over the place, and once you
start looking, it becomes almost a full time job to report all of them
that you see. In fact, some people make careers in vulnerability
reporting or affiliated commercial ventures. I have reported lots of
vulnerabilities, and most of the time, no one cares unless it is
something really nefarious. Now, let's just say that I could attack
medibuntu.org? OK, so I still don't have the private GPG key perhaps,
but a lot of users routinely override that APT warning. In this
sense, here is one thing I see wrong with medibuntu that is obvious.
And remember, the more eyes on the resource, the more bugs that will
be revealed (this is bug finding 101).
The domain was recently registered, and only for a year. Do a whois
if you like to verify. Also notice that they do implement
ClientTransferProhibited, but not ClientUpdateProhibited. If I cared
enough, I am sure I could social engineer an update to the DNS records
to point at my rogue server. With the amount of traffic going to
Ubuntu.com every day, this may not be possible (number of eyes).
However, most people set medibuntu and forget it. It could be a
matter of days before anyone noticed that it was being redirected. I
would do it on a holiday weekend if I wanted to be really sneaky.
These things do happen.
Additionally, Medibuntu has a very large attack surface. This is not
a good thing. What do I mean? Here is some evidence for you to
contemplate...
<snip>
root@hermbuntu-desktop:~# nmap -P0 -T5 medibuntu.org -A
Starting Nmap 4.20 ( http://insecure.org ) at 2007-12-26 13:56 EST
Warning: Giving up on port early because retransmission cap hit.
Warning: Servicescan failed to fill info_template (subjectlen: 1448).
Too long? Match string was line 2800: v/Apache httpd/$1/$2
Warning: Servicescan failed to fill info_template (subjectlen: 1448).
Too long? Match string was line 2800: v/Apache httpd/$1/$2
Interesting ports on zeus.flosoft.info (87.98.242.10):
Not shown: 1652 closed ports
PORT      STATE    SERVICE      VERSION
1/tcp     open     tcpwrapped
11/tcp    open     tcpwrapped
15/tcp    open     tcpwrapped
21/tcp    open     ftp          ProFTPD 1.3.0
22/tcp    open     ssh          OpenSSH 4.3p2 Debian 9 (protocol 2.0)
25/tcp    open     smtp         qmail smtpd
53/tcp    open     domain
79/tcp    open     tcpwrapped
80/tcp    open     http         Apache httpd 2.2.3
81/tcp    open     http         Apache httpd 2.2.3
106/tcp   open     pop3pw       poppassd
110/tcp   open     pop3
111/tcp   open     tcpwrapped
119/tcp   open     tcpwrapped
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
143/tcp   open     imap         Courier Imapd (released 2004)
170/tcp   filtered print-srv
243/tcp   filtered sur-meas
443/tcp   open     http         Apache httpd 2.2.3
445/tcp   filtered microsoft-ds
465/tcp   open     ssl/smtp     qmail smtpd
540/tcp   open     tcpwrapped
635/tcp   open     tcpwrapped
907/tcp   filtered unknown
993/tcp   open     ssl/imap     Courier Imapd (released 2004)
995/tcp   open     ssl/pop3
1080/tcp  open     tcpwrapped
1524/tcp  open     tcpwrapped
2000/tcp  open     tcpwrapped
5193/tcp  filtered aol-3
6667/tcp  open     tcpwrapped
8009/tcp  open     ajp13?
8443/tcp  open     http         Apache httpd
10000/tcp open     http         Webmin httpd
12345/tcp open     tcpwrapped
12346/tcp open     tcpwrapped
27665/tcp open     tcpwrapped
31337/tcp open     tcpwrapped
32772/tcp open     tcpwrapped
32773/tcp open     tcpwrapped
32774/tcp open     tcpwrapped
54320/tcp open     tcpwrapped
2 services unrecognized despite returning data. If you know the
service/version, please submit the following fingerprints at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port110-TCP:V=4.20%I=7%D=12/26%Time=4772A567%P=i686-pc-linux-gnu%r(NULL
SF:,3B,"\+OK\x20Hello\x20there\.\x20<11672\.1198695853@localhost\.localdom
SF:ain>\r\n")%r(GenericLines,69,"\+OK\x20Hello\x20there\.\x20<11672\.11986
SF:95853@localhost\.localdomain>\r\n-ERR\x20Invalid\x20command\.\r\n-ERR\x
SF:20Invalid\x20command\.\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port995-TCP:V=4.20%T=SSL%I=7%D=12/26%Time=4772A580%P=i686-pc-linux-gnu%
SF:r(NULL,3B,"\+OK\x20Hello\x20there\.\x20<11713\.1198695876@localhost\.lo
SF:caldomain>\r\n")%r(GenericLines,69,"\+OK\x20Hello\x20there\.\x20<11713\
SF:.1198695876@localhost\.localdomain>\r\n-ERR\x20Invalid\x20command\.\r\n
SF:-ERR\x20Invalid\x20command\.\r\n");
Device type: general purpose
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (86%)
Aggressive OS guesses: Linux 2.6.14 - 2.6.17 (86%), Linux 2.4.22
(Fedora Core 1, x86) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops
Service Info: Host: default-87-98-242-10; OSs: Unix, Linux
OS and Service detection performed. Please report any incorrect
results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 497.782 seconds
</snip>
--
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."
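Editor's added example (not part of the post above, nor Medibuntu's or Ubuntu's code): the post's two threats, a DNS redirect to a rogue mirror and users overriding the APT signature warning, meet in the trust chain apt walks for every install: a signed Release file lists the digest of each Packages index, and each Packages stanza lists the digest of its .deb. The Python below parses both files and checks that chain over constructed repository data (package name, version, paths and file contents are all made up here). It deliberately does not implement the gpgv signature check on Release that real apt performs, so the last case shows what that missing check means: a mirror that regenerates Release, Packages and the .deb together passes every digest comparison, and only the signature, the very warning users click through, can tell it from the real repository.

```python
"""Added example: the digest chain behind APT's signature warning.

apt fetches Release (signed), checks Packages against the digest listed in
Release, then checks each .deb against the digest listed in Packages.  The
signature over Release is verified by gpgv in real apt; this example does
NOT implement it, which is exactly what lets the rogue-mirror case pass.
All repository data below is constructed for the example.
"""
import hashlib

PKG = "example-codec"                        # constructed package name
PACKAGES_PATH = "free/binary-i386/Packages"  # index path as listed in Release


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block and not line.startswith(" "):
            in_block = False                 # next top-level field ends the block
        if in_block:
            parts = line.split()
            if len(parts) == 3:
                digest, size, path = parts
                entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> list:
    """Split a Packages file into stanzas (blank-line separated 'Key: value' blocks)."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_chain(release_text, packages_bytes, deb_bytes, pkg=PKG, path=PACKAGES_PATH):
    """Return 'ok' or the name of the first failing step of Release -> Packages -> .deb."""
    listed = parse_release_sha256(release_text).get(path)
    if listed is None:
        return "packages-not-in-release"
    digest, size = listed
    if len(packages_bytes) != size or sha256_hex(packages_bytes) != digest:
        return "packages-hash-mismatch"
    for stanza in parse_packages(packages_bytes.decode()):
        if stanza.get("Package") == pkg:
            if len(deb_bytes) != int(stanza["Size"]) or sha256_hex(deb_bytes) != stanza["SHA256"]:
                return "deb-hash-mismatch"
            return "ok"
    return "package-not-listed"


def build_repo(deb_bytes: bytes) -> tuple:
    """What a repository generator (honest, or run by an attacker) emits for one .deb."""
    packages_bytes = (
        f"Package: {PKG}\nVersion: 1.0-1\nArchitecture: i386\n"
        f"Filename: pool/free/e/{PKG}/{PKG}_1.0-1_i386.deb\n"
        f"Size: {len(deb_bytes)}\nSHA256: {sha256_hex(deb_bytes)}\n\n"
    ).encode()
    release_text = (
        "Origin: constructed-repo\nSuite: gutsy\nArchitectures: i386\n"
        "Components: free\nSHA256:\n"
        f" {sha256_hex(packages_bytes)} {len(packages_bytes)} {PACKAGES_PATH}\n"
    )
    return release_text, packages_bytes


def demo() -> dict:
    honest_deb = b"!<arch>\nconstructed honest package\n"
    rogue_deb = b"!<arch>\nconstructed backdoored package\n"
    release, packages = build_repo(honest_deb)
    rogue_release, rogue_packages = build_repo(rogue_deb)
    return {
        # the real repository: every link of the chain matches
        "honest": verify_chain(release, packages, honest_deb),
        # attacker swaps only the .deb: caught by the digest in Packages
        "swapped_deb": verify_chain(release, packages, rogue_deb),
        # attacker swaps Packages as well: caught by the digest in Release
        "swapped_index": verify_chain(release, rogue_packages, rogue_deb),
        # DNS now points at a mirror that regenerated Release too: the chain is
        # internally consistent, so only the gpgv check of Release (absent here,
        # and bypassed whenever a user overrides the APT warning) can stop it
        "rogue_mirror": verify_chain(rogue_release, rogue_packages, rogue_deb),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} {result}")
```

Running it prints `ok`, `deb-hash-mismatch`, `packages-hash-mismatch` and, for the rogue mirror, `ok` again: the digests protect only the distance between the signed Release and the files under it, so the key that signs Release, and the user's refusal to install past a failed check on it, is the whole of the trust in a third-party repository.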