
Operating System Exploits of 2004

Nothing is perfect … but some things are further from perfect than others. Computer software, particularly operating systems, is amongst the most complex systems created by man. How does one analyze and troubleshoot a complicated system of components without any physical properties? To further exacerbate the situation, consumers demand ubiquity of operation from the same code across a variety of architectures. Thus, contemporary programmers are faced with forcing the same outcome from processors that differ in how they represent number formats, how they implement the stack and memory, and even in the atomicity of opcode timing and hardware clock rates. Add to this situation a variety of hardware, technophobic consumer demand for simplicity through "wizard" configurations, and a need to support legacy software. Software companies are forced to choose a narrow path between ideal product development and market demands for output against competition.[1]

These factors do not solely account for today’s software flaws. Modern programming practices themselves have much to do with it. When lines of code number in the hundreds of millions, it is imperative to divide the programming tasks across development teams. While good project management and tools such as data flow diagrams can certainly ease component integration, the system is still a collaboration of human efforts and bound to incorporate errors from the sheer scale. Relying upon ever-changing libraries, and the operational trust involved in a layered approach, forces programmers to accept that their code probably will not operate exactly as planned should a dependency change down the road. As such, a more lax attitude is adopted, with blame shifting towards another’s code following the excuse: "it worked before."

Lastly, code may be fundamentally sound and devoid of problems at the source code level. But unless the compiler, assembler, and linker are absolutely reliable, all will be for naught at the final stage. As algorithms evolve, the compiler may not necessarily construct machine code as the original programmer intended. Variances will be introduced through processor optimizations, memory optimizations and lexical algorithms. Such variances may add points of failure in device drivers, potential overflows in parameter passing, dependencies on memory locations, or mistakenly introduce timing issues into operations that were intended to be atomic. These problems are relatively easy to tackle on the academic side of the tracks but next to impossible to eliminate in the enormous projects of the private sector.

Hence, modern operating systems ship in an imperfect state. At the moment of production, the system was more than likely the "best" possible version prior to hackers discovering nuances in the code. The Internet’s growing sphere of influence accelerates the propagation of these flaws from discovery to announcement to exploitation. As hacking "kits" abound, the timeline from discovery to exploitation has shortened dramatically, to the point that a system is likely to be compromised faster than it can be secured. Ongoing analysis by the SANS Internet Storm Center reports that as of August 2004, the average Windows-based computer stands to survive approximately 20 minutes before succumbing to vulnerabilities (see graphic below from the SANS webpage). Global network insecurity will continue to grow as networks grow in speed and users continue to use unpatched, legacy systems.


Figure 1. Survival Time History. Source: “Survival Time History.” [on-line] (accessed 27AUG04) available from http://isc.sans.org/survivalhistory.php

The following links contain vulnerability scans produced by Nessus[2] against operating systems in various states of configuration. This is intended to reveal the "out of box" vulnerabilities a modern computer exposes to the Internet. A scan was run against each operating system during the installation phase (after the networking stack was in place) and again after booting into the live system. Whenever possible, the configurations are in as pure a default state as possible. Most workstation installations consist merely of clicking "NEXT" until completion. With the server installations, the most likely server daemons were selected to show their default vulnerabilities. Following the installation, no settings were changed within the operating system unless noted below. As a control, each operating system was installed into a VMware Virtual Workstation to provide a common hardware platform. Furthermore, these installations were performed on a closed network to avoid taint from third-party exploitation.

It should be noted that these scans do not reveal locally exploitable or user-triggered vulnerabilities. For instance, race conditions within the system that can be exploited to gain local root access will not be tested. Nor will bugs that require a user to open a malicious webpage or email be evaluated. These tests are designed to reveal what exploits are remotely available to malcontents to compromise a computer from afar without any user involvement.

Windows 2000 Scans: There are intriguing elements to examine with the W2K installs. During the installation phase (and remaining afterwards), nmap[3] revealed port 21 [FTP] as active. An FTP client will successfully connect to the computer and receive a 421 error code regarding "Service not available, remote server has closed connection." Furthermore, the operating system detection routine could not match the TCP/IP stack used during the installation to any known fingerprints. There is the possibility that the Microsoft installer utilizes a different network stack than the operating system that is being installed. (NOTE: For the Server editions of Windows, the FTP, DNS, DHCP, SNMP and WINS services were added to the default list as they are commonly used services.)

Linux Scans: For Linux installations, the FULL install option was selected for all distributions. This will produce a common benchmark for "total system" out-of-box vulnerabilities present in each release. Scans against Live CD style systems are made after booting is complete but prior to any system log in.

Apple Scans: The test platform did not support OSX versions prior to 10.3.3 negating the tests of earlier releases. To validate Panther’s out-of-box capability, the firewall was left off and all built-in services were enabled (personal file sharing, windows sharing, personal web sharing, remote login, FTP, apple remote desktop, remote apple events, and printer sharing).

UNIX Scans: NetBSD installs by default with all services off; therefore, inetd was modified to enable every service in its default state to get a picture of the system’s security. No additional services were added or removed; the "#" comment delimiter was simply removed from all non-IPv6, built-in services in the /etc/inetd.conf file. FreeBSD’s installation process includes a section to enable services in inetd; therefore, all "out-of-box" available services were enabled by the installer for the security check. An additional install option was for a default security level of moderate.
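As an added example (not part of the article), a small Python audit of an inetd.conf in the style the paragraph describes: it lists which services inetd currently accepts connections for, which it would accept if every non-IPv6 entry were uncommented as in the NetBSD test above, and which of those handlers run as root. The configuration excerpt is constructed for the example, not taken from a real system.

```python
# Constructed excerpt in the style of a NetBSD /etc/inetd.conf (not a real
# system's file): every service ships commented out, and the tcp6 lines are
# the IPv6 duplicates the article's test left disabled.
INETD_CONF = """\
# inetd.conf excerpt (constructed for this example)
#ftp      stream  tcp   nowait  root    /usr/libexec/ftpd     ftpd -ll
#ftp      stream  tcp6  nowait  root    /usr/libexec/ftpd     ftpd -ll
#telnet   stream  tcp   nowait  root    /usr/libexec/telnetd  telnetd
#telnet   stream  tcp6  nowait  root    /usr/libexec/telnetd  telnetd
#shell    stream  tcp   nowait  root    /usr/libexec/rshd     rshd -L
#daytime  stream  tcp   nowait  root    internal
#daytime  dgram   udp   wait    root    internal
ident     stream  tcp   nowait  nobody  /usr/libexec/identd   identd -l
"""

SOCKET_TYPES = ("stream", "dgram", "raw", "rdm", "seqpacket")

def parse_inetd(text):
    """Yield (enabled, service, socket_type, proto, user, program) per entry.

    A leading '#' marks a disabled entry; lines that do not have the inetd
    field layout once the '#' is stripped are ordinary comments and skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.lstrip("#").split()
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        yield (not line.startswith("#"), fields[0], fields[1], fields[2],
               fields[4], fields[5])

def audit(text, as_tested=False):
    """Map (service, proto) -> {user, program} for every entry inetd would
    listen on. as_tested=True applies the article's setup: every non-IPv6
    entry is treated as uncommented."""
    exposed = {}
    for enabled, svc, _stype, proto, user, prog in parse_inetd(text):
        if enabled or (as_tested and not proto.endswith("6")):
            exposed[(svc, proto)] = {"user": user, "program": prog}
    return exposed

def runs_as_root(report):
    """Exposed services whose handler inetd would start as root."""
    return sorted(k for k, v in report.items() if v["user"] == "root")

if __name__ == "__main__":
    print("default:", sorted(audit(INETD_CONF)))
    print("as tested:", sorted(audit(INETD_CONF, as_tested=True)))
    print("root handlers:", runs_as_root(audit(INETD_CONF, as_tested=True)))
```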

[1] This article can also be found on Matthew Vea’s homepage as "Default Operating System Exploits" [on-line] (accessed 01DEC06) available from http://www.vnutz.com/content/exploit_in_box

[2] Nessus Scanner [on-line] (accessed 27AUG04) available from http://www.nessus.org

[3] NMAP [on-line] (accessed 27AUG04) available from http://www.insecure.org


This article was edited after publication by the author on 17 Mar 2009.
Interpret the title as you like. :-) Matt, interesting data. I think even more interesting is the amount of time it must have taken you to compile these results. I’m curious, how long did it take you? I’m hoping you add some Linux and Mac OS X results to this as well. I’m interested to see if these two live up to all the security hype or if they’re just as bad as Windows.
OS X Security by markmcb
There’s some interesting discussion going on at Slashdot about OS X security (http://apple.slashdot.org/apple/04/09/02/0057211.shtml?tid=179&tid=172&tid=3). I haven’t done any out of the box scans with Nessus, but there are several Mac users that come and go in the coffee shop that I frequent. I often log into the coffee shop’s router (which is using the default password… asking to be hacked) and get the IPs of everyone else on the LAN. It’s amazing how difficult it is to get much info about the OS X laptops and how easy it is to get it from the Windows users using programs like nmap and the like. Here are two examples. The first is a computer running OS X, the second is Windows. Both are from random computers in the coffee shop. Notice the open port on Windows and nothing on OS X, and the fact that it couldn’t guess the Mac’s OS, but had no problem with Windows:

OS X:

  Host appears to be up ... good.
  Initiating SYN Stealth Scan against
  The SYN Stealth Scan took 77 seconds to scan 1601 ports.
  Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
  All 1601 scanned ports on are: closed
  Too many fingerprints match this host for me to give an accurate OS guess

Windows:

  Host appears to be up ... good.
  Initiating SYN Stealth Scan against
  Interesting ports on:
  The SYN Stealth Scan took 61 seconds to scan 1601 ports.
  For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
  (The 1595 ports scanned but not shown below are in state: closed)
  Port       State   Service
  135/tcp    open    loc-srv
  139/tcp    open    netbios-ssn
  445/tcp    open    microsoft-ds
  641/tcp    open    unknown
  1025/tcp   open    NFS-or-IIS
  5000/tcp   open    UPnP
  Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
  TCP Sequence Prediction: Class=random positive increments
                           Difficulty=1650 (Medium)
  IPID Sequence Generation: Incremental
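An added example, not from the post or the article: a Python parser for the nmap normal-output format quoted above that pulls out open ports and the OS guess and rolls them up into a per-host exposure summary, so scan results for many hosts can be compared the way the post compares two. The two scan texts are constructed from the lines in the post (the host names were already blank there).

```python
import re

# Constructed sample: the two nmap runs quoted in the post, trimmed to the
# lines the parser needs. Host names were blank in the original as well.
SCANS = {
    "osx": """Host appears to be up ... good.
The SYN Stealth Scan took 77 seconds to scan 1601 ports.
All 1601 scanned ports on are: closed
Too many fingerprints match this host for me to give an accurate OS guess""",
    "windows": """Host appears to be up ... good.
The SYN Stealth Scan took 61 seconds to scan 1601 ports.
(The 1595 ports scanned but not shown below are in state: closed)
Port       State   Service
135/tcp    open    loc-srv
139/tcp    open    netbios-ssn
445/tcp    open    microsoft-ds
641/tcp    open    unknown
1025/tcp   open    NFS-or-IIS
5000/tcp   open    UPnP
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP""",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
OS_LINE = re.compile(r"^Remote operating system guess: (.+)$")

# Ports the post shows a default Windows box answering on; the first three are
# the RPC/NetBIOS/SMB trio that makes such hosts trivially fingerprintable.
NOISY_DEFAULTS = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB/CIFS"}

def parse_nmap(text):
    """Return open ports (in output order), their service names and the OS guess."""
    ports, services, os_guess = [], {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            port = int(m.group(1))
            ports.append(port)
            services[port] = m.group(4)
            continue
        m = OS_LINE.match(line.strip())
        if m:
            os_guess = m.group(1)
    return {"open_ports": ports, "services": services, "os_guess": os_guess}

def exposure_report(result):
    """Summarise what a host reveals to an unauthenticated remote scanner."""
    noisy = [p for p in result["open_ports"] if p in NOISY_DEFAULTS]
    return {"open_count": len(result["open_ports"]),
            "fingerprintable": result["os_guess"] is not None,
            "windows_defaults_exposed": noisy}

if __name__ == "__main__":
    for name, text in SCANS.items():
        print(name, exposure_report(parse_nmap(text)))
```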
More Test Results by markmcb
I posted more test results that Matt gathered in his article. They include Linux and Apple’s OS X 10.3.
More Data To Come by VnutZ
Indeed, I have ISO images for many Linux distros to test. There’ll be a delay before getting those results because in the course of wiping my PowerBook clean for 10.3.x tests, I also wiped out all my scanning tools. Doh!
New Stuff by VnutZ
Check http://www.geocities.com/mvea/exploit_in_box.htm for recent updates to mirror on OmniNerd:

  • FreeBSD 5.2
  • AirPort Express Base Station
  • Knoppix Linux
  • FedoraCore 2 (the linux formerly known as RedHat)

More than two years later, the FTP server that is "just on" with Windows systems (as early as installation) still bothers me. In my curiosity, I looked again for what a 421 error code is and came across this [below]. Now, I discount "service not available" or there would be no point in having an FTP server that responds with valid protocol. I don’t believe the "user limit reached" would apply either. The most valid error is the third "you are not authorized to make the connection" which makes me wonder … how does one authorize the connection when a login is never prompted for? Is there a port knocking procedure? Perhaps a special client using "slightly" unorthodox protocols? </me adjusts tin foil hat> It seems quite the backdoor.

FTP Error Codes

  • Error 421 Service not available, closing control connection.
  • Error 421 User limit reached
  • Error 421 You are not authorized to make the connection
  • Error 421 Max connections reached
  • Error 421 Max connections exceeded

Possible Solutions: You may receive a 421 error if the FTP server you are connected to limits the total number of connections available or limits the connections available to one user.
