just in case you missed it

foodog plug-discuss@lists.PLUG.phoenix.az.us
Wed, 09 May 2001 01:14:15 -0700


I'm not sleepy, so I'll jump in here for a bit.  I don't believe having
a rooted Windows box on your network is in any way preferable to a
rooted Linux box. I consider compromised Windows more
insidious/dangerous since it's designed to be a black box that you can't
look inside of.  As long as the dialog boxes with their "OK" buttons
show up, it tends to appear healthy.

#include <obligatory jab about crashes and BSOD perceived as routine
operation>

Tom Bradford wrote:
> 
> KevinO wrote:
> > Even a puny Windows box can be made into an attack machine once you
> > 'own' it.
> 
> But the method by which j00 0wN a windows box is generally a cooperative
> one, where you're relying on user ignorance to perform the attack for
> you.  In the case of a server, the cooperative element is incredibly
> reduced (though not necessarily eliminated), because there typically is
> no local user doing stupid things.  Organizationally, these types of
> attacks can be controlled relatively easily, without having to patch
> many boxen.

If you mean the total number of abused Windows boxes, I'd agree that you
rely on user ignorance.  There are plenty of users who'll click on
anything that might produce dancing hamsters or pr0n.

When I think of Windows being owned, the user's cooperation ends after
the box is powered on.  The parade of IIS exploits, for example, requires
no user intervention.  You're talking about "Georgi Guninsky" sploits;
I'm thinking Eeye, L0pht, Razor, RainForestPuppy remote server hacks.

In the IIS unicode exploit (the one the MS corporate websites tend to
get hacked with, per Attrition.org), one sends the server malformed HTTP
requests that get executed as commands issued as Administrator.  You can
ultimately do anything you can accomplish at the console with a tiny bit
of effort.  Modify web pages, have it FTP you the SAM database, install
a netcat listener so you can telnet to it, maybe a nice secure tunnel
through the firewall, install VNC, BO, SubSeven, SMS.  NT even has its
own rootkit under development at rootkit.org.

You could choose to use the ASP buffer overflow to accomplish everything
listed above.  Now, with any flavor of Win2k and IIS 5.0, one uses the
network print service.  Since IIS 5.0 is written with crashes and
spontaneous reboots in mind, it automagically restarts itself to help
hide the crime scene.

OK.  So IIS (for example) has let someone in to set up housekeeping on
the server, now what?  Well, they can sniff traffic (L0phtcrack again),
they can perform man-in-the-middle attacks using SMBRelay (harvest
username, data, etc), they can use it as a DoS zombie.  The sky's the
limit.  The only question is "what do you want to do" (today)?

> 
> > Windows gives one much less control over what is and what is not
> > installed. (Ever try to remove the web browser? Uninstall ActiveX or
> > Outlook Express ?)
> 
> Again, if we're talking about a server, where those programs aren't even
> being used, this concern isn't all that much of an issue.  The issues

Although nobody is typically sitting at the console interacting with
Clippy, the server still has Outlook, IE, etc. etc. *installed*.  Any
dorky piece of code that will execute on a workstation can generally be
relied on to do the same thing on a Windows server.  

> with Outlook, IE, and ActiveX installing worms and trojans are well
> known at this point and are almost exclusively the ones cited by Linux
> agents of FUD in making their OS look like the better one in the
> security race.  Granted, the holes in Windows dealing with executable
> content are many, but they're easily classified.  You can narrow the
> culprits to one of two programs in those cases.  The holes in various
> Linux services/applications are more numerous, and worse, they're much
> more diverse in their nature.

Sure, Windows is chock full of poorly conceived services and sloppy
code.  The big problem is that the system admin just has to smile and
hope it gets better.  How are they going to fix it themselves?  Fire up
SoftICE and patch the OS?  Take the server off the internet until BillCo
issues a patch?  My perception is that they're screwed.  That's not FUD,
that's the fact, Jack ;-)

I *could* choose to bring up a Linux box that makes Windows look like
Fort Knox by comparison - or I can customize every detail and make it as
secure as I know how.  In my mind choice is the big issue.  I choose to
run secure systems when possible.  I choose to use open source tools
whenever possible.  I wouldn't deny that Windows has many legitimate
uses, but "it's better because it's Microsoft" doesn't fly.

> 
> BTW, there are third party programs that will remove IE and Outlook
> Express.  ActiveX you can't do anything about because, along with DCOM,
> it's the next link in the mutation chain of Clipboard->DDE->OLE->COM.
> 
> --
> Tom Bradford --- The dbXML Project --- http://www.dbxml.org/
> We store your XML data a hell of a lot better than /dev/null
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> 
> PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

TTFN,
Steve
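[Editor's added example, not part of Steve's post or anyone else's on the list.] The "IIS unicode exploit" Steve describes works because the unpatched IIS decoder accepted overlong UTF-8 forms of '/' and '\' (such as %c0%af and %c1%1c), so a "..%c0%af.." request walked out of /scripts into winnt\system32. The practitioner's check for that is a log scan that decodes request paths the same lenient way before looking for traversal. The decoder below is this example's own reconstruction of that lenient behaviour (an assumption made here from the public description of the bug, bulletin MS00-078), the W3C-format log lines are constructed for the example, and it goes slightly beyond the post by also catching the %255c double-encoded variant and flagging overlong lead bytes on their own.

```python
"""Detect IIS-style overlong-UTF-8 directory traversal in web server logs.

Added example, not code from the mailing-list post.  It models the lenient
two-byte decoding of the unpatched IIS 4/5 Unicode decoder (the bug behind
the "..%c0%af.." requests mentioned above; public bulletin MS00-078) and
flags request paths that, decoded that way, escape the web root.
"""
import re

_PCT = re.compile(r"%([0-9a-fA-F]{2})")


def lenient_decode(path: str) -> str:
    """Percent-decode a path the way the flawed IIS decoder did.

    A strict UTF-8 decoder rejects %c0%af: lead byte 0xC0 can only start an
    overlong form of a character that already fits in one byte.  The flawed
    decoder (modelled here; an assumption of this example) took the low 5 bits
    of the lead byte and the low 6 bits of whatever byte followed, without
    checking either, so %c0%af -> '/', %c1%9c -> '\\' and %c1%1c -> '\\'.
    Only 2-byte sequences are modelled; that is enough for the traversal case.
    """
    out = []
    i = 0
    while i < len(path):
        m = _PCT.match(path, i)
        if not m:
            out.append(path[i])
            i += 1
            continue
        b1 = int(m.group(1), 16)
        m2 = _PCT.match(path, m.end()) if 0xC0 <= b1 <= 0xDF else None
        if m2:
            b2 = int(m2.group(1), 16)
            out.append(chr(((b1 & 0x1F) << 6) | (b2 & 0x3F)))
            i = m2.end()
        else:
            out.append(chr(b1))
            i = m.end()
    return "".join(out)


def has_overlong(path: str) -> bool:
    """Lead bytes 0xC0/0xC1 never occur in valid UTF-8, so no browser sends
    them; their presence is an indicator on its own."""
    return any(int(m.group(1), 16) in (0xC0, 0xC1) for m in _PCT.finditer(path))


def classify_path(stem: str) -> dict:
    """Decode twice (catches %255c double encoding), fold '\\' to '/', then
    look for a '..' segment, i.e. a path that walks above the web root."""
    once = lenient_decode(stem)
    norm = lenient_decode(once).replace("\\", "/").lower()
    traversal = re.search(r"(^|/)\.\.(/|$)", norm) is not None
    overlong = has_overlong(stem) or has_overlong(once)
    return {
        "normalized": norm,
        "traversal": traversal,
        "overlong": overlong,
        "suspicious": traversal or overlong,
    }


# Constructed sample in IIS W3C extended format
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); these are
# not real log lines from any server.
SAMPLE_LOG = """\
2001-05-09 08:14:15 10.0.0.7 GET /default.htm - 200
2001-05-09 08:14:22 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-09 08:14:30 10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-05-09 08:15:01 10.0.0.12 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-05-09 08:15:40 10.0.0.4 GET /images/%c0%afbanner.gif - 404
"""


def scan_log(text: str) -> list:
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ")
        if not line or line.startswith("#") or len(fields) < 7:
            continue
        date, clock, c_ip, method, stem, query, status = fields[:7]
        verdict = classify_path(stem)
        if verdict["suspicious"]:
            hits.append({"time": f"{date} {clock}", "client": c_ip,
                         "method": method, "query": query,
                         "status": status, **verdict})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flags = "traversal" if h["traversal"] else ""
        flags += " overlong-utf8" if h["overlong"] else ""
        print(f'{h["time"]} {h["client"]} {h["status"]} {h["normalized"]} [{flags.strip()}]')
```

Run stand-alone it prints the four flagged requests; the plain /default.htm hit is left alone. Note that the 200 status on the cmd.exe lines is what distinguishes a successful run from a scanner probing a patched box, which would log 404 or 403 for the same path, so the status column is worth keeping in the record.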