one shot remote root for linux?
This is one of those mysterious and rare cases where a non-router OS vulnerability may affect network operations.

Sometimes news finds us in mysterious yet obvious ways.

HD Moore (respected security researcher) set a status which I noticed on my twitter:

@hdmoore reading through sctp_houdini.c - one-shot remote linux kernel root - http://kernelbof.blogspot.com/

I asked him about it on IM, wondering if it is real: "looks like that but requires a sctp app to be running"

Naturally, I retweeted.

Signed,
@gadievron
Why are you aligning yourself with a computer hacker? I thought you were trying to stop these guys releasing exploits in your line of work?

Andrew

On Tue, Apr 28, 2009 at 3:10 PM, Gadi Evron <ge@linuxbox.org> wrote:
This is one of those mysterious and rare cases where a non-router OS vulnerability may affect network operations.
Sometimes news finds us in mysterious yet obvious ways.
HD Moore (respected security researcher) set a status which I noticed on my twitter:
@hdmoore reading through sctp_houdini.c - one-shot remote linux kernel root - http://kernelbof.blogspot.com/
I asked him about it on IM, wondering if it is real: "looks like that but requires a sctp app to be running"
Naturally, I retweeted.
Signed,
@gadievron
On Tue, Apr 28, 2009 at 6:31 PM, andrew.wallace <andrew.wallace@rocketmail.com> wrote:
Why are you aligning yourself with a computer hacker? I thought you were trying to stop these guys releasing exploits in your line of work?
it didn't look like he did (to me)
On Tue, Apr 28, 2009 at 3:10 PM, Gadi Evron <ge@linuxbox.org> wrote:
This is one of those mysterious and rare cases where a non-router OS vulnerability may affect network operations.
hrm, in reality a bunch of non-router vulnerabilities affect (to some extent anyway) network operations.
Sometimes news finds us in mysterious yet obvious ways.
HD Moore (respected security researcher) set a status which I noticed on my twitter:
@hdmoore reading through sctp_houdini.c - one-shot remote linux kernel root - http://kernelbof.blogspot.com/
I asked him about it on IM, wondering if it is real: "looks like that but requires a sctp app to be running"
one good thing, practically no sctp deployment... and, hopefully for networking equipment there's already local firewall/acl capability deployed.

That said there are a few 'network devices' which are linux based (not just Vyatta! :) )

o Cisco Guards
o Arbor Peakflow (at least the X version)
o some route-optimization systems
o dns/mail/ntp/blah widgets

It's nice to get some notice of this, it's also nice it got fixed in later kernels (who knows what kernel Peakflow-X has deployed or what custom mods happen to it?)

Quickly searching <favorite search engine> shows quite a few SCTP/Linux problems reported over at least the last 2.5 years. The one mentioned here seems to be: CVE-2009-0065, reported Jan 5th 2009; only redhat reports back a fix so far (according to mitre).

Putting on my Paul Quinn/Roland Dobbins/Darrel Lewis hat - another good argument for infrastructure acls!! :)

-chris
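An added example, not part of Chris's message or of anything posted in this thread: a small Python check of the two conditions that make a bug like this reachable on a Linux box (the SCTP stack is present, and an SCTP endpoint is actually listening, which is the "requires a sctp app to be running" caveat HD gave Gadi), plus the host-firewall and infrastructure-ACL entries that close the exposure. The /proc/modules and /proc/net/sctp/eps contents below are constructed samples; the eps column layout is assumed from the kernel's SCTP proc interface, and the parser keys on the column names so small layout differences are tolerated. The Cisco line is IOS extended-ACL syntax using protocol number 132 (SCTP); the trusted-peer addresses are placeholders.

```python
"""Added example: is this Linux host exposed to an SCTP-borne kernel bug, and
what filter rules remove the exposure? Not code from the thread."""

# Constructed sample of /proc/modules (name size refcount deps state addr).
SAMPLE_MODULES = """\
sctp 250000 2 - Live 0xffffffffa0123000
libcrc32c 16384 1 sctp, Live 0xffffffffa0100000
e1000e 200000 0 - Live 0xffffffffa0050000
"""

# Constructed sample of /proc/net/sctp/eps. Column layout is an assumption
# about the SCTP proc interface; parsing is header-driven for that reason.
SAMPLE_EPS = """\
 ENDPT     SOCK   STY SST HBKT LPORT   UID INODE LADDRS
ffff88003c5c8000 ffff88003b8a8000 2   10  30   3868    0 12345 192.168.1.10
ffff88003c5c9000 ffff88003b8a9000 2   10  31   2905    0 12346 10.0.0.5 192.168.1.10
"""


def sctp_module_loaded(proc_modules_text):
    """True if 'sctp' is a loaded module. A kernel with SCTP built in will not
    list it here, which is why the listener check below does not depend on this."""
    return any(line.split()[0] == "sctp"
               for line in proc_modules_text.splitlines() if line.strip())


def sctp_listeners(eps_text):
    """Return [(local_port, [local addresses]), ...] for every SCTP endpoint
    in /proc/net/sctp/eps. An empty string (file absent) yields []."""
    lines = [l for l in eps_text.splitlines() if l.strip()]
    if not lines:
        return []
    header = lines[0].split()
    try:
        port_idx = header.index("LPORT")
        addr_idx = header.index("LADDRS")
    except ValueError:
        raise ValueError("unexpected /proc/net/sctp/eps header: %r" % lines[0])
    listeners = []
    for line in lines[1:]:
        fields = line.split()
        # LADDRS is the last column and may carry several bound addresses.
        listeners.append((int(fields[port_idx]), fields[addr_idx:]))
    return listeners


def exposure(proc_modules_text, eps_text):
    """Classify the host: 'listening' (an SCTP application is reachable),
    'loaded' (stack present, nothing bound), or 'none'."""
    listeners = sctp_listeners(eps_text)
    if listeners:
        return "listening", listeners
    if sctp_module_loaded(proc_modules_text):
        return "loaded", []
    return "none", []


def filter_rules(trusted_sources=()):
    """Rules that admit SCTP only from peers that are supposed to speak it and
    drop the rest: netfilter on the host, and an infrastructure-ACL entry for
    the edge (IOS extended ACL, protocol number 132 = SCTP)."""
    rules = ["iptables -A INPUT -p sctp -s %s -j ACCEPT" % src for src in trusted_sources]
    rules += [
        "iptables -A INPUT -p sctp -j DROP",
        "nft add rule inet filter input ip protocol sctp drop",
        "access-list 110 deny 132 any any",
    ]
    return rules


if __name__ == "__main__":
    def read(path):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""
    state, listeners = exposure(read("/proc/modules"), read("/proc/net/sctp/eps"))
    print("sctp exposure:", state)
    for port, addrs in listeners:
        print("  listening on port %d at %s" % (port, ", ".join(addrs)))
    if state != "none":
        print("\n".join(filter_rules()))
```

Run on a live box it reads the real /proc files; under the constructed samples it reports two listening endpoints (3868 and 2905). Note that the 'none' verdict only means no sctp module and no endpoints were found; a kernel with SCTP compiled in but nothing bound shows up as 'none' too, which is the case the thread treats as unreachable.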
-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists@gmail.com]
Sent: Tuesday, April 28, 2009 8:33 PM
To: nanog@nanog.org
Subject: Re: one shot remote root for linux?
That said there are a few 'network devices' which are linux based (not just Vyatta! :) )
o Cisco Guards
o Arbor Peakflow (at least the X version)
o some route-optimization systems
o dns/mail/ntp/blah widgets
Cisco ASA's appear to be linux under the hood based on watching versions of ASA804-3/12/19/23/31 boot on the console
On 29/04/2009, at 3:10 PM, Crooks, Sam wrote:
Cisco ASA's appear to be linux under the hood based on watching versions of ASA804-3/12/19/23/31 boot on the console
They are Linux, and run two copies of IOS simultaneously in a VM each.

Kind of like how VMWare ESX is Linux - technically it is, but you don't really treat it as such.

--
Nathan Ward
Cisco ASA's appear to be linux under the hood based on watching versions of ASA804-3/12/19/23/31 boot on the console
They are Linux, and run two copies of IOS simultaneously in a VM each.
Kind of like how VMWare ESX is Linux - technically it is, but you don't really treat it as such.
Not to nit-pick, but VMware ESX uses RedHat Enterprise Linux for its service console on versions previous to ESXi. The purpose of the service console is to provide support for booting the ESX Hypervisor which itself IS NOT Linux. It does, however, implement a Linux driver compatibility layer so that unmodified Linux drivers can be used w/ the VMware ESX Hypervisor. The stated goal of this layer is to allow existing third party drivers to be rapidly added to the ESX Hypervisor w/out a lengthy porting process or a requirement for a company to maintain a completely separate driver source code tree for VMware ESX.

Here is a link to some info on Wikipedia: http://en.wikipedia.org/wiki/VMware_ESX_Server

Specifically;

"VMware states that the ESX Server product runs on "bare metal".[3] In contrast to other VMware products, it does not run atop a third-party operating system[4], but instead includes its own kernel. Up through the current ESX version 3.5, a Linux kernel is started first[5] and is used to load a variety of specialized virtualization components, including VMware's 'vmkernel' component. This previously-booted Linux kernel then becomes the first running virtual machine and is called the service console. Thus, at normal run-time, the vmkernel is running on the bare computer and the Linux-based service console runs as the first virtual machine (and cannot be terminated or shutdown without shutting down the entire system)."

It is a common misconception that the ESX Hypervisor is Linux based, but that is an urban legend.
On Tue, 28 Apr 2009, Gregory Boehnlein wrote:
It is a common misconception that the ESX Hypervisor is Linux based, but that is an urban legend.
Is the ESX Hypervisor useful without the Linux layer? Then, to what extent do "based on" and "depends on" differ in the context of software?

--paulj
On Thu, Apr 30, 2009 at 10:28 AM, Paul Jakma <paul@jakma.org> wrote:
On Tue, 28 Apr 2009, Gregory Boehnlein wrote:
It is a common misconception that the ESX Hypervisor is Linux based, but that is an urban legend.
Is the ESX Hypervisor useful without the Linux layer? Then, to what extent do "based on" and "depends on" differ in the context of software?
ESXi doesn't require much Linux (just busybox), but I think the point is that the VMkernel (the hypervisor) and the service console (Linux) are separate entities. The SC is really a VM, so it depends more on VMkernel than VMkernel depends on it.

dre
On Thu, 30 Apr 2009, Andre Gironda wrote:
ESXi doesn't require much Linux (just busybox), but I think the point is that the VMkernel (the hypervisor) and the service console (Linux) are separate entities. The SC is really a VM, so it depends more on VMkernel than VMkernel depends on it.
So it's a VM, which is required to be booted in order to be able to load the hypervisor? Seems an unusual definition of VM to me..

Also, which code handles the I/O to load the other, less special, VMs? The Linux fs and block layer, or the VMWare hypervisor?

Anyway, I fear we're about to be kicked into touch by the moderators..

regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
On Apr 30, 2009, at 1:28 PM, Paul Jakma wrote:
Is the ESX Hypervisor useful without the Linux layer? Then, to what extent do "based on" and "depends on" differ in the context of software?
I needed DR-DOS 3 to make NetWare 3.12 boot, but I wouldn't consider it to be "based on DOS".
On 29/04/2009, at 3:25 PM, Nathan Ward wrote:
On 29/04/2009, at 3:10 PM, Crooks, Sam wrote:
Cisco ASA's appear to be linux under the hood based on watching versions of ASA804-3/12/19/23/31 boot on the console
They are Linux, and run two copies of IOS simultaneously in a VM each.
Erk, sorry, I brain farted and was thinking of the ASR. I'm really not sure about the ASA product line.

--
Nathan Ward
Greetings all

I have a customer running with a Cisco 5500 series firewall. What we're seeing (as a problem) is that there is a bit being flipped by the firewall in the packet header. The bit in question is the Congestion Window Reduced or CWR bit. Under heavy load the target server is getting this bit as high and since (I am guessing) it's that way dropping the session yet it's not near capacity. It's a Microsoft server as well. Not that I am knocking that but. Under the same situation a Linux/Apache server doesn't seem to care, and goes about its business.

Anyone heard of this? I did searches regarding this but found (as per usual) tons of useless info. I'm not sure why the packets are being changed by the ASA. I know they're not hitting the firewall this way (Packet capture) but they are getting changed. Config mishap? Is the ASA throttling down stuff, and if so why not at the requesting party?

Dunno. Completely baffled. Thanks In Advance!

-Joe
Joe -

Maybe the middlebox along the path doesn't like tcp window scale parameter being changed in the midway due to dropped tcp connections or something. Could be specific to microsoft server. What does your pix logs show? Have you tried turning off 'tcp window scale' option on your windows server? I believe this is enabled by default[0]. See if you can test this. I've run into similar problems using pix/nokia fw.

Hopefully this helps and you might want to bounce (do not crosspost :)) this thread off cisco-nsp.

regards,
/virendra

[0] http://support.microsoft.com/kb/934430

Jo¢ wrote:
Greetings all
I have a customer running with a Cisco 5500 series firewall. What we're seeing (as a problem) is that there is a bit being flipped by the firewall in the packet header. The bit in question is the Congestion Window Reduced or CWR bit. Under heavy load the target server is getting this bit as high and since (I am guessing) it's that way dropping the session yet it's not near capacity. It's a Microsoft server as well. Not that I am knocking that but. Under the same situation a Linux/Apache server doesn't seem to care, and goes about its business. Anyone heard of this? I did searches regarding this but found (as per usual) tons of useless info. I'm not sure why the packets are being changed by the ASA. I know they're not hitting the firewall this way (Packet capture) but they are getting changed. Config mishap? Is the ASA throttling down stuff, and if so why not at the requesting party?
Dunno. Completely baffled. Thanks In Advance!
-Joe
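An added example, not taken from Joe's or virendra's messages: Python that decodes the TCP flag byte (CWR and ECE included) from two captures of the same segment, one taken on the client side of the ASA and one on the server side, and reports exactly which bits were added or removed, which is the comparison Joe describes doing by hand with packet captures. It also parses the TCP options field so the Window Scale shift virendra asks about can be read off the SYN. All headers below are constructed test data; the ports, sequence numbers and the "CWR set after the firewall" scenario are assumptions for illustration, not Joe's real traffic.

```python
"""Added example: diff TCP flags between two captures of one segment, and read
the Window Scale option. Constructed data, not from the thread."""
import struct

# Flag bits in the TCP header's flags byte (byte 13). NS is the low bit of byte 12.
FLAG_BITS = [("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def parse_tcp_header(raw):
    """Parse the fixed 20-byte TCP header into ports, seq/ack, data offset
    (in bytes), the set of flag names, and the advertised window."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes of TCP header, got %d" % len(raw))
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", raw[:20])
    names = {name for name, bit in FLAG_BITS if flags & bit}
    if off_res & 0x01:
        names.add("NS")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_res >> 4) * 4, "flags": names, "window": window}


def flag_changes(before_raw, after_raw):
    """Compare one segment as seen before and after a middlebox.
    Returns (flags_added, flags_removed); refuses to compare different segments."""
    a, b = parse_tcp_header(before_raw), parse_tcp_header(after_raw)
    for key in ("sport", "dport", "seq"):
        if a[key] != b[key]:
            raise ValueError("not the same segment: %s differs (%r vs %r)"
                             % (key, a[key], b[key]))
    return sorted(b["flags"] - a["flags"]), sorted(a["flags"] - b["flags"])


def tcp_options(raw):
    """Parse TCP options between byte 20 and the data offset into {kind: value}.
    Handles EOL (0) and NOP (1) and rejects truncated or malformed lengths."""
    end = parse_tcp_header(raw)["data_offset"]
    if end > len(raw):
        raise ValueError("data offset %d exceeds captured %d bytes" % (end, len(raw)))
    opts, i = {}, 20
    while i < end:
        kind = raw[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= end:
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > end:
            raise ValueError("bad option length %d at offset %d" % (length, i))
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts


def window_scale(raw):
    """Shift count from the Window Scale option (kind 3, one-byte value), or None."""
    value = tcp_options(raw).get(3)
    return value[0] if value is not None and len(value) == 1 else None


def build_tcp_header(sport, dport, seq, ack, flags, window, options=b"", ns=False):
    """Construct a header for test data: options NOP-padded to 32 bits, checksum 0."""
    options += b"\x01" * ((-len(options)) % 4)
    off_res = ((5 + len(options) // 4) << 4) | (1 if ns else 0)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, off_res, flags, window, 0, 0) + options


# Constructed samples (assumed ports/seq numbers): the same ACK|PSH segment as
# captured client-side (BEFORE) and as the server saw it with CWR set (AFTER),
# plus a SYN carrying a Window Scale option of 7.
BEFORE = build_tcp_header(51234, 80, 1000, 2000, 0x18, 65535)
AFTER = build_tcp_header(51234, 80, 1000, 2000, 0x18 | 0x80, 65535)
SYN = build_tcp_header(51234, 80, 999, 0, 0x02, 65535, options=b"\x03\x03\x07")

if __name__ == "__main__":
    added, removed = flag_changes(BEFORE, AFTER)
    print("flags added across the firewall:", added, "removed:", removed)
    print("window scale on SYN:", window_scale(SYN))
```

To apply it to real captures, feed the TCP-layer bytes of the matching packets from the two trace points (match on ports and sequence number, as flag_changes insists on). If the flag diff shows CWR appearing only on the inside capture, the firewall is the device setting it; if the SYNs also differ in the Window Scale option, that points at the negotiation virendra suggests disabling on the Windows server as a test.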
On Tuesday 28 April 2009 09:33:06 pm Christopher Morrow wrote:
That said there are a few 'network devices' which are linux based (not just Vyatta! :) )
o Cisco Guards
o Arbor Peakflow (at least the X version)
o some route-optimization systems
o dns/mail/ntp/blah widgets
Add: Cisco Content Engines and anything else that runs ACNS.
On Tue, 28 Apr 2009 23:31:04 BST, "andrew.wallace" said:
Why are you aligning yourself with a computer hacker? I thought you were trying to stop these guys releasing exploits in your line of work?
Phrased differently: "The horse has already left the barn, and Gadi is warning you that there's a horse possibly munching on your front lawn already". Which would you rather have if you actually had a network to run - Gadi and HD Moore telling you that the bad guys have a point-and-shoot for the boxes you use to run your net, or them *not* telling you about the point-and-shoot? Hint: Anybody who thinks HD Moore is a major part of the problem is probably more a part of the problem than HD is.
participants (14)
- Andre Gironda
- andrew.wallace
- Christopher Morrow
- Crooks, Sam
- Daryl G. Jurbala
- Gadi Evron
- Gregory Boehnlein
- Joel Jaeggli
- Jo¢
- Lamar Owen
- Nathan Ward
- Paul Jakma
- Valdis.Kletnieks@vt.edu
- virendra rode