A story...

Back in the l0pht days, I ran/configured/maintained the Unix system that was “the L0pht”.

Here are the tricks, and here’s how it was attacked...

1/N

It was an OpenBSD system.

I had a somewhat standing bet, that neither of us had the guts to actually commit to, with Theo de Raadt: either I did, or did not, have an 0-day against OpenBSD at any given moment.

1 year’s salary on the line.

(We were both pretty much broke then 🤷🏼‍♂️)

It was a DEC Alpha system.

I figured a little obscurity wouldn’t hurt.

Especially since I was publishing advisories with Intel shell code.

Not a fan of security through obscurity, but any time it’s cheap to move extra work to your opponent...

In addition to stripping out the kernel and user space functionality I changed the number of rounds that DES used for encrypting passwords.

Cryptology-wise I probably weakened DES. However, nation states breaking crypto wasn’t the immediate threat.

Cracking /etc/shadow was...

If you connected to port 25/TCP (SMTP), your client received telnet option negotiations 🙄.

This was pre-netcat era (BTW, I wrote the crappy telnet option negotiation code that is still in nc(1)).

If your client responded... “game on”.

All of the shells {sh,bash,csh,tcsh,zsh,...} were custom backdoored. It was a labor of... it was laborious.

If you want to see how nasty it can be to backdoor something, dear lord, look at the hell-code that is your unix shell.

Shell command parsing is a mess.

On that topic...

In addition to logging everything that the l0pht folks and our guests did on the system, the shells periodically made calls to

getpeername(2)

on their file descriptors.

If the call was successful: game on. I knew it was a network connection instead of the expected IO.
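The getpeername(2) check described above, as an added example that is not code from the thread or from the L0pht shells. classify_fd() (a name assumed here) reports what getpeername(2) says about one descriptor and goes one step further than the tweet by separating a same-host AF_UNIX peer from an Internet-family one; classify_constructed() runs it over a pipe and an AF_UNIX socketpair built inline, standing in for the “expected IO” and a socket respectively.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What getpeername(2) tells a defender about one descriptor. */
enum fd_kind {
    FD_NOT_SOCKET = 0,  /* ENOTSOCK/EBADF: tty, pipe, file -- the expected IO */
    FD_SOCKET_NO_PEER,  /* a socket with no connected peer (ENOTCONN etc.) */
    FD_LOCAL_SOCKET,    /* connected AF_UNIX socket: same-host IPC */
    FD_NETWORK_PEER     /* connected AF_INET/AF_INET6 socket: remote party */
};

/* The check the thread describes: a shell's stdin/stdout should be a tty or
 * a pipe, so a successful getpeername(2) with an Internet-family peer means
 * the shell is wired straight to a network connection. */
enum fd_kind classify_fd(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    memset(&ss, 0, sizeof ss);
    if (getpeername(fd, (struct sockaddr *)&ss, &len) == -1)
        return (errno == ENOTSOCK || errno == EBADF) ? FD_NOT_SOCKET
                                                     : FD_SOCKET_NO_PEER;
    if (ss.ss_family == AF_INET || ss.ss_family == AF_INET6)
        return FD_NETWORK_PEER;
    return FD_LOCAL_SOCKET;
}

/* Constructed inputs, no network needed: a pipe (use_socket == 0) or an
 * AF_UNIX socketpair (use_socket != 0). Returns the kind of the first end. */
int classify_constructed(int use_socket)
{
    int fds[2];
    int ok = use_socket ? socketpair(AF_UNIX, SOCK_STREAM, 0, fds) : pipe(fds);
    if (ok == -1) return -1;          /* could not build the descriptor */
    int kind = (int)classify_fd(fds[0]);
    close(fds[0]);
    close(fds[1]);
    return kind;
}

int main(void)
{
    printf("pipe       -> %d (expect %d)\n", classify_constructed(0), FD_NOT_SOCKET);
    printf("socketpair -> %d (expect %d)\n", classify_constructed(1), FD_LOCAL_SOCKET);
    printf("stdin      -> %d\n", (int)classify_fd(STDIN_FILENO));
    return 0;
}
```

A shell run from a real terminal reports FD_NOT_SOCKET for stdin; FD_NETWORK_PEER on fd 0, 1 or 2 is the “game on” condition from the thread.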
I did a lot of other tricks too...

However, there was a person who I think was from South America (Argentina).

They were really good. *Really* good.

And... this person seemed to have an infinite amount of time to try to figure out and compromise the system.

User space, kernel space, Alpha architecture... it became a game between the two of us.

They were above my level technically.

So... I cheated 😏

I caught them on the system trying to elevate their privileges, and broke into a conversation...

I congratulated them.

And immediately, and without being asked, I gave them the root password.

I told them if anything happened to the system I would assume it was their fault. 😈

For a few months, they defended the heck out of that system 😅
Thread by Mudge