The Unix Heritage Society mailing list
* [TUHS] History of exploits - request for authors
@ 2017-12-18 10:31 Arrigo Triulzi
  2017-12-19  1:08 ` Dave Horsfall
  2017-12-19  1:25 ` Larry McVoy
From: Arrigo Triulzi @ 2017-12-18 10:31 UTC (permalink / raw)



Dear all,

I am starting a new “history” section of the “weird machines and security” publication PoC||GTFO (https://www.alchemistowl.org/pocorgtfo for my mirror, https://www.nostarch.com/gtfo for a printed compilation of the first 15 issues).

Ideally we would like some articles about the history of security exploits where the historical importance is emphasised: we always get authors willing to tell us about the latest and greatest web exploit but they often lack any historical perspective about what has been done before.

As PoC||GTFO has a strong emphasis on weird machines and generally forgotten hardware and software I thought that the contributors to TUHS would be ideally placed to write something about their preferred security exploits in the past. I have fond memories of taking over a machine using an NFS /home filesystem exported to the wide-world, of someone trying to hack into my MasPar via the DEC Ultrix which controlled it, etc. but I am really rather interested in other perspectives.

I hope a few of you will want to contribute something to the collection, there is still space for the January 2018 edition if anyone is so inclined.

Cheers,

Arrigo




* [TUHS] History of exploits - request for authors
  2017-12-18 10:31 [TUHS] History of exploits - request for authors Arrigo Triulzi
@ 2017-12-19  1:08 ` Dave Horsfall
  2017-12-19 20:17   ` Derek Fawcus
  2017-12-19 20:25   ` Derek Fawcus
  2017-12-19  1:25 ` Larry McVoy
From: Dave Horsfall @ 2017-12-19  1:08 UTC (permalink / raw)


On Mon, 18 Dec 2017, Arrigo Triulzi wrote:

[...]

> I hope a few of you will want to contribute something to the collection, 
> there is still space for the January 2018 edition if anyone is so 
> inclined.

Depends on exactly what you want; I don't have time to document my, err, 
past before your deadline, but my favourites under Edition 6 would be:

     Planting 0 into u.u_uid via the switch register (physical access reqd).

     Planting same, but by sending a negative signal to yourself.

     And the usual run of insecure directory permissions etc.

     Planting trojans such as "pwd" called with 17 args (and same size!).

     Leaving a "login" simulator on a terminal (quite common).

And on KRONOS, you could get system privileges quite easily on a terminal.

With OS/360, you dumped low memory and traced where "SVC 254" went.

Is that the sort of stuff you're after?

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
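The second item in Dave's list, planting 0 into u.u_uid with a negative signal number, is an instance of a kernel entry point indexing a per-process table with a caller-supplied number and no range check. The toy model below is an added illustration, not Sixth Edition source and not code from anyone in this thread: the flat "u area" layout (uid immediately before the signal table), the name NSIG and the function names are assumptions chosen so the out-of-range write is well-defined C. Disposition 0 is the default-action value, which is exactly why the write lands 0 in the uid slot.

```c
/* Model of the bug class behind "planting 0 into u.u_uid by sending a
 * negative signal to yourself". Constructed layout, not V6 kernel code. */
#include <stdio.h>

enum { NSIG = 20 };

/* The process's "u area" as one flat block so the out-of-range index is
 * well-defined C: slot 0 is the effective uid, slots 1..NSIG-1 the table. */
static int uarea[1 + NSIG];
#define u_uid (uarea[0])
static int *const u_signal = &uarea[1];

/* Vulnerable: whatever the caller passes is used as the index. */
int ssig_unchecked(int sig, int disposition)
{
    u_signal[sig] = disposition;      /* sig == -1 lands on u_uid */
    return 0;
}

/* Fixed: only signal numbers inside the table are accepted. */
int ssig_checked(int sig, int disposition)
{
    if (sig <= 0 || sig >= NSIG)
        return -1;                     /* a real kernel would return EINVAL */
    u_signal[sig] = disposition;
    return 0;
}

/* Start as an ordinary user, set "signal -1" to disposition 0 (default
 * action), and report the uid that results. */
int demo(int (*ssig)(int, int))
{
    u_uid = 1000;
    (void)ssig(-1, 0);
    return u_uid;
}

int main(void)
{
    printf("unchecked: uid after signal(-1, 0) = %d\n", demo(ssig_unchecked));
    printf("checked:   uid after signal(-1, 0) = %d\n", demo(ssig_checked));
    return 0;
}
```

The fix is the same one every such entry point needs: validate the index against the table bounds before the store, on both ends, since a signed index can go below zero as easily as past the end.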



* [TUHS] History of exploits - request for authors
  2017-12-18 10:31 [TUHS] History of exploits - request for authors Arrigo Triulzi
  2017-12-19  1:08 ` Dave Horsfall
@ 2017-12-19  1:25 ` Larry McVoy
  2017-12-20  0:01   ` Nemo
  2017-12-29 11:14   ` Arrigo Triulzi
From: Larry McVoy @ 2017-12-19  1:25 UTC (permalink / raw)


So the only one I was involved in was the CVS hack to the Linux kernel
source tree.  This was back in the early 2000's and the kernel used
my SCM system, BitKeeper, but there were people who didn't like the 
license.  We built an exporter that exported the history to CVS (it
was a pretty nice exporter, on a per file basis it would find the 
longest path through a DAG and export that since CVS was straight
line, not a DAG.)

Me being me, I trusted nothing, so as part of the export process I
compared the checked out BitKeeper tree to the checked out CVS tree.
And found that someone had broken into the machine that hosted the
CVS tree and stuck a back door into the source.

https://www.linux.com/news/linux-kernel-development-process-thwarts-subversion-attempt

I take umbrage at the reporting there, they said it was many eyes (the open
source mantra) that found it, that's bullshit, it was my eyes that found it.

On Mon, Dec 18, 2017 at 11:31:40AM +0100, Arrigo Triulzi wrote:
> Dear all,
> 
> I am starting a new “history” section of the “weird machines and security” publication PoC||GTFO (https://www.alchemistowl.org/pocorgtfo for my mirror, https://www.nostarch.com/gtfo for a printed compilation of the first 15 issues).
> 
> Ideally we would like some articles about the history of security exploits where the historical importance is emphasised: we always get authors willing to tell us about the latest and greatest web exploit but they often lack any historical perspective about what has been done before.
> 
> As PoC||GTFO has a strong emphasis on weird machines and generally forgotten hardware and software I thought that the contributors to TUHS would be ideally placed to write something about their preferred security exploits in the past. I have fond memories of taking over a machine using an NFS /home filesystem exported to the wide-world, of someone trying to hack into my MasPar via the DEC Ultrix which controlled it, etc. but I am really rather interested in other perspectives.
> 
> I hope a few of you will want to contribute something to the collection, there is still space for the January 2018 edition if anyone is so inclined.
> 
> Cheers,
> 
> Arrigo

-- 
---
Larry McVoy            	     lm at mcvoy.com             http://www.mcvoy.com/lm 



* [TUHS] History of exploits - request for authors
  2017-12-19  1:08 ` Dave Horsfall
@ 2017-12-19 20:17   ` Derek Fawcus
  2017-12-19 20:32     ` Ron Natalie
                       ` (2 more replies)
  2017-12-19 20:25   ` Derek Fawcus
From: Derek Fawcus @ 2017-12-19 20:17 UTC (permalink / raw)


On Tue, Dec 19, 2017 at 12:08:21PM +1100, Dave Horsfall wrote:
> 
>      Leaving a "login" simulator on a terminal (quite common).

Well if you include that one, you may want to include the simple
brute force testing of passwords against /etc/passwd
(before shadow files existed). The login name and real names
(direct or reversed) would tend to get at least one hit.

DF
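The guessing Derek describes, as an added example that is not code from the thread: for each passwd(5) entry, try the login name and each word of the real name from the GECOS field, as given, lowercased and reversed, against the stored hash. Everything here is constructed: the sample entries, their passwords, and hash_stub(), which is a labelled stand-in for crypt(3) (a salted FNV-1a, chosen only so the block runs without libcrypt and in no way the historical DES-based algorithm). Function names and the 2-character salt prefix convention are assumptions.

```c
/* Login-name and GECOS guessing against world-readable passwd entries.
 * Constructed sample data and a stand-in hash; not a historical tool. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXW 64

/* Stand-in for crypt(3): 2-char salt + 8 hex digits of a salted FNV-1a. */
void hash_stub(const char *salt, const char *pw, char out[11])
{
    uint32_t h = 2166136261u;
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    for (const char *p = pw;   *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    snprintf(out, 11, "%c%c%08x", salt[0], salt[1], (unsigned)h);
}

/* Copy colon-separated field idx (0-based) of line into out. */
static void field(const char *line, int idx, char *out, size_t n)
{
    const char *s = line, *e;
    while (idx-- > 0 && (s = strchr(s, ':')) != NULL) s++;
    if (!s) { out[0] = '\0'; return; }
    e = strchr(s, ':');
    size_t len = e ? (size_t)(e - s) : strlen(s);
    if (len >= n) len = n - 1;
    memcpy(out, s, len);
    out[len] = '\0';
}

/* Try one word as given, lowercased, and both of those reversed. */
static int try_word(const char *w, const char *salt, const char *hash, char *found)
{
    char f[4][MAXW], h[11];
    size_t n = strlen(w);
    if (n == 0 || n >= MAXW) return 0;
    strcpy(f[0], w);
    for (size_t i = 0; i < n; i++) f[1][i] = (char)tolower((unsigned char)w[i]);
    f[1][n] = '\0';
    for (size_t i = 0; i < n; i++) { f[2][i] = f[0][n - 1 - i]; f[3][i] = f[1][n - 1 - i]; }
    f[2][n] = f[3][n] = '\0';
    for (int i = 0; i < 4; i++) {
        hash_stub(salt, f[i], h);
        if (strcmp(h, hash) == 0) { strcpy(found, f[i]); return 1; }
    }
    return 0;
}

/* Guess one passwd line from its login name and GECOS real name.
 * Returns 1 and fills found (MAXW bytes) when a candidate matches. */
int guess_entry(const char *line, char *found)
{
    char login[MAXW], hash[32], gecos[128], salt[3], *c;
    field(line, 0, login, sizeof login);
    field(line, 1, hash, sizeof hash);
    field(line, 4, gecos, sizeof gecos);
    if (strlen(hash) < 2)                  /* empty or malformed hash field */
        return 0;
    salt[0] = hash[0]; salt[1] = hash[1]; salt[2] = '\0';
    if (try_word(login, salt, hash, found))
        return 1;
    if ((c = strchr(gecos, ',')) != NULL)  /* real name precedes the first comma */
        *c = '\0';
    for (char *w = strtok(gecos, " "); w; w = strtok(NULL, " "))
        if (try_word(w, salt, hash, found))
            return 1;
    return 0;
}

/* Build a constructed entry whose hash field comes from hash_stub. */
void make_line(char *buf, size_t n, const char *login, const char *gecos,
               const char *pw, const char *salt)
{
    char h[11];
    hash_stub(salt, pw, h);
    snprintf(buf, n, "%s:%s:100:20:%s:/usr/%s:/bin/sh", login, h, gecos, login);
}

/* Run the guesser over constructed sample entries; returns the hit count. */
int sample_hits(void)
{
    static const struct { const char *login, *gecos, *pw, *salt; } ppl[] = {
        {"dave", "Dave Horsfall,Room 12", "dave",     "aa"},  /* login name itself */
        {"root", "Operator",              "toor",     "bb"},  /* login name reversed */
        {"mike", "Mike Smith",            "htimS",    "cc"},  /* surname reversed */
        {"pat",  "Pat Jones",             "x7#Q!vb2", "dd"},  /* not guessable this way */
    };
    int hits = 0;
    for (size_t i = 0; i < sizeof ppl / sizeof ppl[0]; i++) {
        char line[256], found[MAXW];
        make_line(line, sizeof line, ppl[i].login, ppl[i].gecos, ppl[i].pw, ppl[i].salt);
        if (guess_entry(line, found)) { printf("%s: %s\n", ppl[i].login, found); hits++; }
    }
    return hits;
}

int main(void)
{
    printf("%d of 4 accounts guessed\n", sample_hits());
    return 0;
}
```

The candidate set is deliberately tiny; the point of the era was that the hashes were readable by everyone and the password policy was whatever users felt like, so even this much found accounts. Shadow files removed the readable hashes, and modern slow hashes make each guess cost far more than a DES crypt did.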



* [TUHS] History of exploits - request for authors
  2017-12-19  1:08 ` Dave Horsfall
  2017-12-19 20:17   ` Derek Fawcus
@ 2017-12-19 20:25   ` Derek Fawcus
From: Derek Fawcus @ 2017-12-19 20:25 UTC (permalink / raw)


A version independent, but terminal dependent one was using the echo
status line back to input mechanism of some terminals.

When combined with getting the victim to copy a setuid stub,
one would get permanent access to their account - until root did a fs sweep
looking for unusual setuid programs.

DF



* [TUHS] History of exploits - request for authors
  2017-12-19 20:17   ` Derek Fawcus
@ 2017-12-19 20:32     ` Ron Natalie
  2017-12-20  2:22       ` Dave Horsfall
  2017-12-19 23:45     ` Dave Horsfall
  2017-12-29 11:22     ` Arrigo Triulzi
From: Ron Natalie @ 2017-12-19 20:32 UTC (permalink / raw)


Hence the CTL-ALT-DEL log in feature of NT  (and later windows).    I
remember when the beta NTs came out and I loaded up countless floppies to
see the Windows NT "Preliminary" logo come up
and then a pop up telling me to type CTL-ALT-DEL to log in.




* [TUHS] History of exploits - request for authors
  2017-12-19 20:17   ` Derek Fawcus
  2017-12-19 20:32     ` Ron Natalie
@ 2017-12-19 23:45     ` Dave Horsfall
  2017-12-29 11:22     ` Arrigo Triulzi
From: Dave Horsfall @ 2017-12-19 23:45 UTC (permalink / raw)


On Tue, 19 Dec 2017, Derek Fawcus wrote:

>>      Leaving a "login" simulator on a terminal (quite common).
>
> Well if you include that one, you may want to include the simple brute 
> force testing of passwords against /etc/passwd (before shadow files 
> existed). The login name and real names (direct or reversed) would tend 
> to get at least one hit.

Too easy :-)

Re the simulator, a former boss suggested (when these things were rife) 
that the BEL character could only be output by "root", and if you 
didn't hear "ding", well...

I (and likely others) worked around them by deliberately typing a wrong 
password (the kiddies were rarely smart enough to loop a couple of times 
or to test it), and I was glad when I started working there and had my own 
terminal (OK, a shared one in our office).

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



* [TUHS] History of exploits - request for authors
  2017-12-19  1:25 ` Larry McVoy
@ 2017-12-20  0:01   ` Nemo
  2017-12-29 11:14   ` Arrigo Triulzi
From: Nemo @ 2017-12-20  0:01 UTC (permalink / raw)


On 18/12/2017, Larry McVoy <lm at mcvoy.com> wrote (in part):
[...]
> https://www.linux.com/news/linux-kernel-development-process-thwarts-subversion-attempt
>
> I take umbrage at the reporting there, they said it was many eyes (the open
> source mantra) that found it, that's bullshit, it was my eyes that found it.

Yea, many eyes simply just glaze over.  (OT but remember Feynman and
the school texts.)

N.



* [TUHS] History of exploits - request for authors
  2017-12-19 20:32     ` Ron Natalie
@ 2017-12-20  2:22       ` Dave Horsfall
From: Dave Horsfall @ 2017-12-20  2:22 UTC (permalink / raw)


On Tue, 19 Dec 2017, Ron Natalie wrote:

> Hence the CTL-ALT-DEL log in feature of NT (and later windows).  I 
> remember when the beta NTs came out and I loaded up countless floppies 
> to see the Windows NT "Preliminary" logo come up and then a pop up 
> telling me to type CTL-ALT-DEL to log in.

First time I had to use NT at work (our little company got taken over by 
them and they chucked our Xterms out) I commented "Wow; it comes with its 
own Blue Screen of Death!" - I didn't make many friends amongst the M$ 
lusers there.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



* [TUHS] History of exploits - request for authors
  2017-12-19  1:25 ` Larry McVoy
  2017-12-20  0:01   ` Nemo
@ 2017-12-29 11:14   ` Arrigo Triulzi
From: Arrigo Triulzi @ 2017-12-29 11:14 UTC (permalink / raw)



On 19 Dec 2017, at 02:25, Larry McVoy <lm at mcvoy.com> wrote:
> So the only one I was involved in was the CVS hack to the Linux kernel
> source tree.  This was back in the early 2000's and the kernel used
> my SCM system, BitKeeper, but there were people who didn't like the 
> license.  We built an exporter that exported the history to CVS (it
> was a pretty nice exporter, on a per file basis it would find the 
> longest path through a DAG and export that since CVS was straight
> line, not a DAG.)

Personally I believe it would make a fine historical article for the next issue (17 is out now with 34C3).

Would you be willing to write it up? With enough articles we might even pull a “history issue”!

Arrigo




* [TUHS] History of exploits - request for authors
  2017-12-19 20:17   ` Derek Fawcus
  2017-12-19 20:32     ` Ron Natalie
  2017-12-19 23:45     ` Dave Horsfall
@ 2017-12-29 11:22     ` Arrigo Triulzi
From: Arrigo Triulzi @ 2017-12-29 11:22 UTC (permalink / raw)



On 19 Dec 2017, at 21:17, Derek Fawcus <dfawcus+lists-tuhs at employees.org> wrote:
> 
> On Tue, Dec 19, 2017 at 12:08:21PM +1100, Dave Horsfall wrote:
>> 
>>     Leaving a "login" simulator on a terminal (quite common).
> 
> Well if you include that one, you may want to include the simple
> brute force testing of passwords against /etc/passwd
> (before shadow files existed). The login name and real names
> (direct or reversed) would tend to get at least one hit.

Well, we all ran Alec’s crack for fun & profit (and some to land themselves in trouble)… I think that doesn’t really qualify as a hack per se, just a technique which used to work easily and now requires a little bit more computing power (OK, a lot more as the hashing of passwords has become rather more serious).

Personally I feel that if we go down the password route then, besides the “easy” brute-forcing of old /etc/passwd files, we have to include the LANMAN password hashes but, again, of historical interest definitely but not sure it can be turned into an article unless someone manages to write it all the way to the latest oopsies like Linux’s systemd and usernames starting with a digit or Apple’s 10.13 “be root with a simple Enter”. I guess one could write it from the point of view of looking at the bad decisions, their implications and the bugs which made even bad decisions look almost good.

Arrigo



