Re: Sysmask security challenge: useful or not?

From: Barton L. Phillips (bartonphillips_at_sbcglobal.net)
Date: 04/22/05


Date: Fri, 22 Apr 2005 21:26:07 GMT

azuredu wrote:
> It is true that tests using ls and cat don't prove anything and are
> useless. However, I don't think you are ready to accept my following
> claim, at least without first testing with ls and cat. It is true that
> I should have put some more warnings somewhere, but nowadays who is
> reading the help pages before typing into the textarea?
>
> I claim that the challenge can be broken only in one of the following
> two cases.
>
> 1. A stupid bug in the sysmask package. I found one in the first day of
> the challenge, which however did not let people get the unreadable
> file; no more is propping up thereafter.
>
> By the way, the bug is not yet fixed in the public site, but will be
> within a few days.
>
> 2. A nasty bug in the kernel, leading to a privilege elevation. Way
> more nasty than the recent ones behind sys_uselib() and sys_futex().
> What is the probability of such a bug?
>
> So sysmask bug put aside, the challenge is hopeless if you don't have a
> privilege elevation which you know how to exploit. All this is well
> explained in the documentation; but who is ready to believe such a
> claim without first tried some ls and cat? And even having tried?
>
> It is true that many utilities are missing in the environment. But the
> first motive is to save place, as everything should go into a cd.
> Anyway I'd better leave it this way, for otherwise people would have
> more useless things to play with and would waste more time.
>
It seems to me the "challenge" would be more interesting if I could
telnet into the system. Doing everything via a web form is not very
informative or interesting. In fact how do I know there is even a system
behind the form. I could do everything in a php script and say it is the
output of a secure system.



Relevant Pages

  • Re: Sysmask security challenge: useful or not?
    ... It is true that tests using ls and cat don't prove anything and are ... A stupid bug in the sysmask package. ... A nasty bug in the kernel, leading to a privilege elevation. ... more useless things to play with and would waste more time. ...
    (comp.os.linux.security)
  • FTV: Melody gives a hunting lesson
    ... The cat looked at the stove for a while, ... they may bring the bug's cadaver into the living room ... Last Thursday night Melody came up from the basement, ... I let out a shriek and the bug took cover behind my ...
    (rec.pets.cats.anecdotes)
  • Re: FTV: Melody gives a hunting lesson
    ... The cat looked at the stove for a while, ... they may bring the bug's cadaver into the living room ... Last Thursday night Melody came up from the basement, ... I let out a shriek and the bug took cover behind my ...
    (rec.pets.cats.anecdotes)
  • Re: kernel BUG at lib/kernel_lock.c:83! - 2.6.19-1.2895.fc6
    ... kernel was tainted and just look at the "actual message", ... I had no reason to create a bugzilla report because, ... provided in my was interested because it appears to be the same bug ... kernels are completely useless around here along with that phony bug report ...
    (Fedora)
  • Re: Delphi QC Top Voted
    ... It would still be useless because it took 1,5 years to get them fixed. ... Keep customers up to date with their bug reports ... > that a patch isn't forthcoming makes any comment on the efficacy of QC. ...
    (borland.public.delphi.non-technical)