Overview

Computer security is a precarious business both from a product development and administrative standpoint. Operating system vendors are forced to constantly patch their software to keep consumers protected from the latest digital threats. But which operating systems are the most secure? A recent report by Symantec hints that Windows currently presents fewer security holes than its commercial competitors.¹ To that, a typical consultant would respond "well, that depends," as security auditors generally take such statements with a grain of salt. It depends on the configurations of the hosts, the breadth of the included binaries and the scope of what "commercial competitors" entails. Differing opinions on this interpretation lead to different conclusions. SecurityFocus, for instance, shows that various overall vulnerabilities surged in 2006 while ISS (Internet Security Systems) reports that operating system specific exploits declined.^2,3

The summarized coverage of 2006 vulnerabilities by SANS showed the most prevalent attack vectors were not directly against the operating systems themselves.⁴ However, this article approaches the operating system as an entity in and of itself for analysis of only the vulnerabilities of core features. As such, vulnerability scans were conducted against 2006’s flagship operating systems in various configurations to determine weakness from the moment of installation throughout the patching procedure. From Microsoft, testing included Windows XP, Server 2003 and Vista Ultimate. Examinations against Apple included Mac OS9, OSX Tiger and OSX Tiger server.⁵ Augmenting Apple’s UNIX representation, security tests were also performed on FreeBSD 6.2 and Solaris 10. Rounding up the market share, Linux security testing included Fedora Core 6, Slackware 11, SuSE Enterprise 10 and Ubuntu 6.10. Before delving into the specifics of the vulnerabilities, it is helpful to understand the security scene of 2006.

Hacking and Zero Day

The nature of malicious computer hacking has changed over the years, but one variable remains somewhat fixed in terms of availability and prediction – attack and penetration. Passive attacks have almost completely changed their genre while active attacking relies on a simple basic premise: the host computer is vulnerable no matter how security conscious the end user is. As the demand for underground, professional hacking rises, the need to build and maintain a network of zombie hosts requires more than relying on users to infect their system. Active attacks are a necessity for this Internet subculture and require close attention to the latest, and most longstanding, remotely accessible vectors.

Which leads into Zero Day bug disclosure, a hot topic in security circles.⁶ Many security researchers argue that disclosing Zero Day vulnerabilities forces vendors to hasten patching, thereby shortening exposure time. Vendors counter with the argument that immediate disclosure without patch development time creates an exposure window through which consumers are needlessly put at risk. The term Zero Day Exploit is certainly real, meaning that almost as soon as a vulnerability is exposed, the exploit code is released into the wild. Tools like Metasploit make automating such tasks even easier.⁷ It is almost too obvious how 2006 became the year such subversive techniques became so widespread.

Evolution of 2006

Hacking into computers is a practice that predates the Internet. The past decade of interconnectivity between the masses has merely hastened the pace. Furthermore, during the Internet’s infancy, connected hosts were limited in number and tended to reside in the realm of academics, science or computer professionals. Even with modem-only access through such relics as Prodigy and AOL, Internet growth boomed in the late 90s. Today’s ubiquitous broadband and common network-ready appliances has further accelerated growth. All of these new hosts create a remarkably large sandbox for hackers to toy with and hide in.

Script kiddies were (and still are) an embarrassment to the hacking community, but the "anybody can hack" tools used by script kiddies pushed the development of more powerful, all-encompassing and fully automated hacking tools. Countless hackers and miscreants were using automated tools to constantly probe and penetrate the millions of computers left online 24/7. By 2004, the average unprotected computer was compromised in less than a minute, sometimes as quickly as twenty seconds. Very often just after a fresh installation, a host can be compromised by an automated tool before the real user even had a chance to log in for the first time.⁸ Rootkits were the buzzword of 2005 despite their long history. Sony BMG’s ill-famed rootkit fiasco from their DRM protected audio CDs brought the term into the general public’s eye. The very nature of a rootkit to evade detection and remain dormant until needed essentially drove the software behind the zombie networks of 2006.⁹

In 2006, the usual menagerie of vulnerabilities and attacks were ever present. E-mail viruses, websites hosting malicious scripts, credentials phishing and network worms continued to make their rounds. An enterprising niche, however, adapted concepts from every realm of software maliciousness to add a new twist to an old practice. Where automated tools left off in the past, professional robot networks (aka "bot-nets") picked up the slack. The route to infection followed one of the typical, aforementioned mainstream attack vectors. Once captured, the code utilized rootkit techniques to remain hidden from the more sophisticated and layered software packages that finally became more commonplace on home networks. Herein lies the twist. In the past, compromised computers were typically used as zombie gateways through which focused attacks were launched anonymously against targets for private information, corporate secrets, etc. They were also used as relay machines for e-mail spamming to keep the delivery source dynamic in an effort to thwart spam detection. In 2006, the compromised hosts became a network of distributed computers with downloadable controls to make it act as a single, massive attack system.¹⁰ These bot-net services were offered for sale, typically for launching monstrous "Denial of Service" attacks or to perform advanced penetrations where each attack comes from a different network segment to facilitate NIDS evasion.¹¹

Testing for Remote Exploits

The exploits of 2006 were made possible mostly through remote vulnerabilities. A large number of systems were, of course, compromised through the actions of their users. This study will examine the weaknesses inherent in the operating systems themselves by focusing merely on the remotely exploitable attack vectors. Removing the user actions from the equation reveal which operating systems are the most susceptible to attacks.

Operating System Share of 2006

Estimated Operating System market share for 2006.

Availability is a critical factor in directing a hacker’s effort. When one operating system dominates the pool, it presents a more lucrative target because exploit code stands a better chance of succeeding. Measuring the market share of operating system usage is a difficult prospect and the statistics vary widely depending on the source. Various techniques for gauging operating system share include:

• sales statistics
• web site log analysis
• traffic analysis
• active network mapping

Microsoft Windows constitutes the bulk of world’s operating systems with nearly 90% of the market while Apple’s OS X and Linus Torvald’s Linux share the remaining 10% with a smearing of alternative operating systems.^12,13 These numbers represent all classes of network hosts, both workstations and servers alike, and are composited from rough 2006 estimates. Regardless of their accuracy, it’s very easy to see why Microsoft products are targeted; an automated attack on it has a larger volume of targets through which to succeed.

Testing Procedure

Each operating system was scanned several times to determine risk at various stages of deployment. First, a vulnerability scan was performed during the installation phase of the operating system. While the operating environment present may not represent the binaries being installed, a successful attack during installation could subvert the operating system prior to its first boot. An second scan was made following the initial boot, to portray the default vulnerabilities in an "as shipped" condition. Additional scans were made on an as needed basis to demonstrate the weaknesses of vendor released patch versions.

Many operating systems ship with a variety of services, servers and daemons enabled by default. To level the playing field, commonly used services were enabled when prompted by the installer or following the initial reboot. Services were chosen in terms of those commonly found on the Internet to provide actual functionality (like POP3, FTP or HTTP). Additional operating system services were enabled to determine the degree of vulnerability they pose (like login, uucp or finger) even though they are not commonly used on production systems. No intentional configurations were made to any server. This ensures service binaries will be tested in an "as shipped" default configuration.

Tests were based solely on on remotely accessible, active attack vectors against non-configured, default services. As shown in previous years, those few seconds between enabling a server and applying a configuration may be all that is necessary for an attacker to take ownership of the host. As configurations are dynamic and different per application, the testing of various modules was not performed. For example, a vanilla Apache installation may check out fine during these tests but it may become vulnerable once the mod-ssl package or any other package/configuration is applied to extend its functionality. Furthermore, application testing was not performed. Holes were not examined in the browsers or commonly used document readers. Attacks of those nature are passive and rely on a user "doing something" to perform the infection. This study in operating system vulnerabilities limits the scope to remotely accessible servers in default configurations only.

Nmap

The Network Mapper, nmap, was used to test for completeness.¹⁴ By comparing the quick output produced by nmap against the detected services of Nessus, it can be concluded whether or not all remotely accessible weaknesses were scanned. Nmap is a significantly powerful tool in its own right, however, for these sandbox tests, the IP address of the target was already known. Therefore, nmap’s true penetrable capabilities were not required.

Nmap version 4.20 was utilized for the scanning by settings flags for no host ping, connection via three-way handshake, well known ports, operating system fingerprinting and service identification.¹⁵ As most operating systems do not feature any layered security during these preliminary phases, it was not necessary to attempt firewall or network intrusion device evasion tricks. Scan results will not include ports identified as filtered. The following command was issued to scan each system:

nmap -P0 -sT -F -O -A 192.168.1.5

Nessus

In 1998, Renaud Deraison presented the Internet community with Nessus. He designed Nessus to be a publicly extensible, remote assessment tool. The freely available NASL plug-in scripting language enabled Nessus to quickly keep pace with the latest vulnerabilities and therefore offered a direct challenge to the far more expensive, commercial packages.¹⁶

Nessus version 3.0.4 build 2G142 was used for conducting vulnerability scans against the various operating systems. On January 1, 2007, the Nessus engine was updated with every plug-in available in order to test operating systems against a common set of known vulnerabilities from 2006.

The server was configured with the following changes from Nessus’ "default scan policy":

• enabled Nessus SNMP scanner
• enabled SYN scan
• enabled thorough tests with verbosity and false alarm avoidance
• enabled ARP ping
• enabled ICMP ping
• enabled application UDP ping
• enabled ALL plug-ins
• disabled "safe checks"

Microsoft Windows XP

Originally codenamed Whistler, Windows XP was unveiled on the 25th of October, 2001. The operating system shipped on a single CDROM and raised the bar above previous system requirements; recommended machines needed a 300Mhz CPU with 128MB of RAM and 1.5GB of hard drive space for a successful installation.¹⁷ The installer automatically enables the network interface just after the administrator password is defined. Nmap was able to identify the system as Windows and Nessus further identified UDP port 137 open, although no vulnerabilities to the system were present.¹⁸

PORT     STATE   SERVICE     VERSION
135/tcp  open    msrpc       Microsoft Windows RPC
139/tcp  open    netbios-ssn 
1025/tcp open    msrpc       Microsoft Windows RPC

The latest service pack can be installed in many ways – using a factory Windows XP SP2 CDROM, slipstreaming the service pack into a custom rolled CDROM or simply running the Microsoft downloadable service pack executable.¹⁹ The latter method will be used for these tests, as the original edition represents the raw factory release. Immediately following reboot, the system was scanned again before applying the service pack.²⁰

PORT     STATE   SERVICE     VERSION
135/tcp  open    msrpc        Microsoft Windows RPC
139/tcp  open    netbios-ssn 
445/tcp  open    microsoft-ds Microsoft Windows XP microsoft-ds
1026/tcp open    msrpc        Microsoft Windows RPC
5000/tcp open    upnp         Microsoft Windows UPnP

The Nmap scan was followed by a Nessus vulnerability scan which was able to identify several flaws in Windows XP of a serious nature. There were many features that permitted remote service enumeration of the host, but, while good for system analysis, these do not allow system subversion. On the other hand, XP was vulnerable to a variety of remote attack vectors allowing remote code execution.

The Nessus scan results returned:

• The Messenger service is vulnerable to a buffer overrun where a hacker can execute code with local system privileges.
• The Task Scheduler is vulnerable to executing arbitrary code remotely.
• UPnP is enabled and responsive by default which carries a host of implications in itself.
• The NetBIOS name service suffers from a memory disclosure weakness.
• Arbitrary code can be executed through malformed NTLM packets to a buggy ASN.1 library.
• The LSASS service has a flaw allowing an attacker to execute code with SYSTEM privileges.
• The SMB service allows login via NULL session.
• The Server service is subject to a buffer overflow allowing arbitrary code to be executed with SYSTEM privileges.
• The SMB service is susceptible to denial of service that remotely crashes the system.

With Microsoft’s Service Pack 2 installed, Nmap discovered that every port was filtered due to the default firewall now in place. Likewise, Nessus was unable to identify any risks. Despite the firewall, the XP system responded to UDP requests to port 137 to NBTscan requests. To test the binary patchwork, the firewall was intentionally disabled to determine what risks are present in the event of firewall failure or evasion.²¹ Service Pack 2 was released in August 2004, meaning there are still eighteen months of patches since the last major Microsoft release.

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds

The Nessus scan results returned:

• The Server service is subject to a buffer overflow allowing arbitrary code to be executed with SYSTEM privileges.

After testing Service Pack 2, one more round of patches were applied using Windows Update. Each patch was inspected to confirm only those issued from 2006 and earlier were applied to the system. Only patches from the critical selection were installed while ignoring functionality upgrades. Upon rebooting, the patched Windows XP system did not exhibit any remotely accessible vulnerabilities (even with the firewall disabled).²²

Microsoft Server 2003

Windows Server 2003 has 50 million lines of code with a lineage dating back to the late 1980s.²³ The NT project aimed to move Microsoft from an OS/2 based platform into a pure environment for 32bit Windows applications. Server 2003 represents an "industrial strength" genesis of Microsoft’s efforts to converge the many variants of Windows. Officially released in April of 2003, Windows Server 2003 ships in a variety of different editions.^24,25

For vulnerability testing, Microsoft Server 2003 Enterprise Edition was subjected to Nmap and Nessus scans. Server 2003 enables the network device shortly after the first dialog boxes are configured during setup. Nmap identified the system only as a Windows operating system but was unable to isolate an exact fingerprint match. Nessus further identified that port 137 listened for UDP packets to the default NetBIOS-NS service and identified one remote vulnerability.²⁶

PORT     STATE SERVICE     VERSION
135/tcp  open  msrpc       Microsoft Windows RPC
139/tcp  open  netbios-ssn
1025/tcp open  msrpc       Microsoft Windows RPC

The Nessus scan results returned:

• The NetBIOS name service leaks actual memory contents when responding to malformed packets.

Immediately after rebooting the system for the first time, nmap identified additional services running on Windows Server 2003. The operating system fingerprint was still identifiable only as a Windows operating system to Nmap. Nessus identified three critical vulnerabilities for remote exploitation.²⁷

PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2003 microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
1026/tcp open  msrpc        Microsoft Windows RPC

The Nessus scan results returned:

• The ASN.1 library is vulnerable to arbitrary code execution when fed carefully crafted packets.
• Arbitrary code may be executed with SYSTEM privileges via the LSASS service’s DsRolerUpgradeDownlevelServer function.
• A heap overflow in the Server service allows arbitrary code execution and also allows an attacker to capture segments of the host memory space.

After logging into Windows Server 2003, the server was assigned roles. Unlike the UNIX systems which required simply enabling the application, Windows Server 2003 required configuring via built-in wizards. To maintain a sense of neutrality for configuration, servers were setup by simply clicking "NEXT" whenever possible. The configuration of the file server required selecting a folder which resulted in sharing the "My Documents" folder from the Administrator’s account. While enabling IIS, the FrontPage Server Extensions and ASP.NET options were also selected. The mail server only required a name for its configuration, for which omninerd.com was provided. Remote Access was configured to permit Dial-Up or VPN access. While configuring the Active Directory domain, the controller was set up for a new domain in a new forest and given the name omninerd.com. The wizard indicated that Terminal Services were automatically reconfigured to only allow administrative logins. The DNS server offered an option of forward lookup zones, forward and reverse lookup zones and root hints only. The forward lookup zone option was selected for simplicity. Configuration of the DHCP server required, at a minimum, defining an IP scope for which 10.0.0.0/255 was chosen. The Terminal Services, Streaming Media Server and WINS were installed without special configuration.²⁸

PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          Microsoft ESMTP 6.0.3790.0
42/tcp   open  wins          Microsoft Windows Wins
53/tcp   open  domain        Microsoft DNS
80/tcp   open  http          Microsoft IIS webserver 6.0
88/tcp   open  kerberos-sec  Microsoft Windows kerberos-sec
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
389/tcp  open  ldap          Microsoft LDAP server
445/tcp  open  microsoft-ds  Microsoft Windows 2003 microsoft-ds
464/tcp  open  kpasswd5?
554/tcp  open  rtsp          Microsoft Windows Media Server 9.0.0.3372
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1025/tcp open  msrpc         Microsoft Windows RPC
1026/tcp open  msrpc         Microsoft Windows RPC
1040/tcp open  netsaint?
1067/tcp open  msrpc         Microsoft Windows RPC
1212/tcp open  msrpc         Microsoft Windows RPC
1723/tcp open  pptp?
1755/tcp open  wms?
3268/tcp open  ldap          Microsoft LDAP server
3269/tcp open  tcpwrapped
3389/tcp open  microsoft-rdp Microsoft Terminal Service

The Nessus scan results returned:

• The ESMTP MAIL Service, Version: 6.0.3790.0 allows attackers to execute arbitrary commands with privileges equal to the mail server process.
• The WINS server responds to a crafted packet by executing arbitrary code.
• The DNS server is vulnerable to Cache Snooping attacks which allow a third party to ascertain what hosts have recently been resolved.²⁹
• A man in the middle attack is possible against the Terminal Services Remote Desktop Server.

NOTE: All of the previously noted vulnerabilities following installation are still present.

In March of 2005, Service Pack 1 was released for Windows Server 2003. The service pack constitutes a roll-up of hotfixes along with a variety of operating system enhancements. Notable features include the Windows Firewall from XP’s Service Pack 2 and a PSSU (Post Security Setup Update) to secure the system during the transition period while patches are being applied.³⁰ After installing the service pack, Nmap identified every port as before plus one additional RPC port. Nmap also identified the TCP/IP fingerprint as matching more systems than just Windows OS.³¹ Nessus identified only three remotely accessible issues, but they were rehashes of earlier vulnerabilities.³²

PORT     STATE SERVICE       VERSION
1027/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0

The Nessus scan results returned:

• The DNS server is vulnerable to Cache Snooping attacks which allow a third party to ascertain what hosts have recently been resolved.
• A man in the middle attack is possible against the Terminal Services Remote Desktop Server.
• A heap overflow in the Server service allows arbitrary code execution and also allows an attacker to capture segments of the host memory space.

Twenty-one months of patches lie between the service pack’s release and the close of 2006. The system was updated one more time using Windows Update to apply all the critical updates dated from 2005 and 2006. Upon rebooting, Nmap found no new open ports other than those identified in previous scans. A Nessus scan revealed that only the DNS cache snooping and Terminal Service man-in-the-middle vulnerabilities still remain.³³

Microsoft Windows Vista Ultimate

Vista began life in 2001 as a project named Longhorn that was scheduled for release in 2003. Plagued by feature creep, Longhorn became quagmired in development until the project "restarted" using the Server 2003 codebase. In its new incarnation, Longhorn aimed to improve Windows security following years of public distaste with exploitation.³⁴ Feature creep again began to plague Longhorn whereupon many of the highly touted features were dropped in order to meet release dates.³⁵

Officially released in November of 2006, Vista was made available to manufacturers and MSDN subscribers. In January 2007, the public had access to the many versions of Vista.^36,37 During installation, the network card was activated, however, the TCP/IP stack was protected by a filter. The only way to detect Vista’s presence was by examining the ARP tables to identify an IP address was in use by the test machine. In order to identify any Vista services present, it was necessary to disable the default firewall after booting into the system for the first time. After disabling Vista’s firewall, Nmap was able to identify three open ports for Windows networking and correctly fingerprinted the system Windows Vista.

PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  netbios-ssn

With the firewall disabled, Nessus was able to query the system for its exact time via the ICMP timestamp request. Null sessions are enabled by default allowing for SMB login. No further remote vulnerabilities presented themselves.³⁸ Using Windows Update, several patches were available, however, all were dated in 2007 indicating the shipped version of Vista is the most recent edition at the close of 2006.

Apple Mac OS Classic

Apple released OS 9 in October of 1999.³⁹ The software came standard with Apple computers or on a single CDROM. During installation, the setup program enabled the network adapters immediately. Nmap identified the installer as running a variant of Apple Mac OS 7.X, 8.X or 9.X.⁴⁰ A Nessus scan against the installation was not performed as not a single port was found open. Following the first reboot, the system prompted to enable file sharing and additionally activated the wireless card. While adhering to the principle of not configuring the services, every available remote connection was enabled over TCP/IP to include file sharing and personal websharing. Nmap identified the system as Mac OS even though the actual fingerprint included the string i386-apple-darwin8.8.1. Nessus identified several weaknesses as well.⁴¹

PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apple Personal Websharing httpd
427/tcp open  svrloc?
548/tcp open  afpovertcp?

The Nessus scan results returned:

• The TCP/IP stack responds to packets from a multicast address (known as a spank attack) which allows Denial of Service through network saturation or stealth scans.⁴²
• The web server tested positive for an Oracle9i crash through an incorrectly crafted, long URL.

Version 9.2.2 was the last patch released by Apple in December 2001. At this point, support for what became known as "Classic" ceased. However, "Classic" remains embedded within OS X as an environment emulator. After patching, more ports appeared during the Nmap scan than before despite no further configurations. Nessus also identified additional vulnerabilities following the patching.⁴³

PORT     STATE    SERVICE     VERSION
80/tcp   open     http        Apple Personal Websharing httpd
548/tcp  open     afpovertcp?

The Nessus scan results returned:

• The system can be crashed through a "land" attack, where a packet’s return port and address are identical to the destination port and address.⁴⁴
• The web server is vulnerable to an infinite HTTP request loop resulting in a server crash.
• The web server can be crashed through an HTTP 1.0 format string value in the header request.

NOTE: The previous two vulnerabilities are still present on the patched system.

Apple OS X 10.4 Server

OS X Server actually predates the consumer edition of OS X by nearly two years. After Cheetah was unveiled in 2001, the server edition’s release schedule was altered to follow shortly after the regular releases.⁴⁵ OS X is based upon a variety of technologies, but draws heavily from BSD UNIX and its parallel development in the open source realm Darwin.

OS X Server installs from a single DVD. The network interface is enabled the moment the installation software starts. During installation, Nmap fingerprinted the setup TCP/IP stack as OS X 10.3 or 10.4 and identified an open SSH port. Nessus did not identify any external vulnerabilities.⁴⁶

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.8.1p1 (protocol 1.99)

The second phase of installation prompted for services and configurations. Minimal adjustments from default were selected in order to maintain configuration neutrality. Directory usage was defined as "Standalone Server". The additional services Apple File Service, Apple Remote Desktop, FTP, iChat, Mail, NetBoot, Network Time, QuickTime Streaming, Software Update, Web (to include WebDAV and Weblog), Windows File Service, Xgrid Agent and Xgrid Controller were then enabled. After rebooting, the Server Admin utility was used to confirm that selected services were enabled and running.⁴⁷ A quick Nmap scan identified the operating system as between OS X 10.3.9 and 10.4.7 with several open ports and Nessus identified remote vulnerabilities.⁴⁸

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp?
22/tcp   open  ssh         OpenSSH 3.8.1p1 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC Bind 9.2.2
80/tcp   open  http        Apache httpd 1.3.33 ((Darwin) mod_jk/1.2.6 
                           DAV/1.0.3 mod_ssl/2.8.22 OpenSSL/0.9.7b)
110/tcp  open  pop3        Cyrus pop3d 2.2.12 (Mac OS X 10.4.0)
111/tcp  open  rpcbind      2 (rpc #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp  open  imap        Cyrus IMAP4 2.2.12 (Mac OS X 10.4.0)
311/tcp  open  ssl/http    Apple Server Monitor http interface
427/tcp  open  tcpwrapped
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
548/tcp  open  afp         Apple AFP (name: TESTING; protocol 3.2; Max OS X 10.4.*;)
554/tcp  open  rtsp        Apple QuickTime Streaming Server 5.5 (Mac OS X Final)
2049/tcp open  nfs          2-3 (rpc #100003)
4444/tcp open  krb524?
5900/tcp open  vnc         Apple remote desktop vnc
7070/tcp open  rtsp        Apple QuickTime Streaming Server 5.5 (Mac OS X Final)
8000/tcp open  rtsp        Apple QuickTime Streaming Server 5.5 (Mac OS X Final)
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
8443/tcp open  ssl/http    Apache Tomcat/Coyote JSP engine 1.1

The Nessus scan results returned:

• The OS X version was identified as older than the current 10.4.8 meaning the system has vulnerabilities in the binaries: AFP Server, Bluetooth, CFNetwork, Dashboard, Flash Player, ImageIO, Kernel, launchd, LoginWindow, OpenLDAP, Preferences, QuickDraw Manager, SASL, Security Agent, TCP/IP, WebCore, Workgroup Manager.
• The Directory Services could be remotely shut down by making excessive connections to the server.
• The DNS server is vulnerable to Cache Snooping attacks.
• The web server reveals the existence of user accounts by querying against UserDir.
• The web server is vulnerable to an infinite HTTP request allowing an attacker to exhaust all available resources.⁴⁹
• The web werver crashes when issued a long argument to the Host: field on an HTTP request.
• The JBoss server allows information disclosure about the system configuration.
• The Streaming server allows remote code execution because OpenLink is vulnerable to buffer overflows on two crafted URLs: GET AAA[....]AAA and GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0.

Apple released the 10.4.8 patch for OS X Tiger in September 2006. While correcting many security issues and providing several upgrades, remote vulnerabilities still exist. Nmap identified the same open ports as before (some versions were updated) and correctly identified the system as OS 10.4.8 Tiger. A Nessus scan revealed that many of the original vulnerabilities still exist.⁵⁰

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.2 (protocol 2.0)
7070/tcp open  rtsp        Apple QuickTime Streaming Server 5.5.3 (Mac OS X Update)
8000/tcp open  rtsp        Apple QuickTime Streaming Server 5.5.3 (Mac OS X Update)

The Nessus scan results returned:

• The DNS server still allows Cache Snooping.
• The web server allowed downloading the source code of scripts on the server (specifically files served by weblog feature).
• The web server (port 80, 8080, 8443) allows for username enumeration because the ‘UserDir’ option is enabled.
• The web server (port 8080) has HTTP TRACE enabled allowing for a potential cross-site scripting attack.
• The SSL Coyote service on port 8443 is vulnerable to a format string attack on the method name allowing remote execution of code or Denial of Service.
• The web server (port 80, 1085) accepts unlimited requests making the system vulnerable to Denial of Service attacks that consume all available memory.
• The web server (port 80) crashes when issued a long argument to the Host: field on an HTTP request.

The final patches of 2006 were applied through Apple’s Software Update. Nmap did not identify any version changes for services on the detected ports, although Nessus continued to identify remotely accessible vulnerabilities.⁵¹

The Nessus scan results returned:

• The OS X Directory service could be remotely shut down.
• The DNS server permits external cache snooping and allows for recursive queries.
• The web server (port 80, 8080, 8443) allows for username enumeration because the ‘UserDir’ option is enabled.
• The web server (port 8080) has HTTP TRACE enabled allowing for a potential cross-site scripting attack.
• The web server (port 80, 1085) accepts unlimited requests allowing attackers to consume all available resources.
• The web server (port 80) crashes when a long argument is passed to the Host: field of an HTTP request.

Apple OS X 10.4 Tiger

OS X 10.4 was released on a single DVD-ROM. During installation, the network was live from the moment the system powered up. During the first phase, the system responded to only ICMP queries. Nmap was able to fingerprint the TCP/IP stack as belonging to either OS X or FreeBSD. Only after booting the system for the configuration phase was Nessus able to identify security issues. Although the issues were not remotely accessible, Nessus was able to determine the version of OS X and therefore enumerate the problems based on its internal database.⁵²

The Nessus scan results returned:

• Based on the detected version of OS X, the following components have internal issues: AFP Server, Bluetooth, CFNetwork, Dashboard, Finder, Flash Player, ImageIO, Kernel, KeyChain, Launched, LoginWindow, MemberD, OpenLDAP, Preferences, QuickDraw Manager, SASL, Security Agent, Software Update, TCP/IP, WebCore and Workgroup Manager.

By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, Personal File Sharing, Windows Sharing, Personal Web Server, Remote Login, FTP Access, Apple Remote Desktop, Remote Apple Events and Printer Sharing were all enabled through the Preferences tool. Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled.⁵³ After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.⁵⁴

PORT     STATE    SERVICE        VERSION
21/tcp   open     ftp            tnftpd 20040810
22/tcp   open     ssh            OpenSSH 3.8.1p1 (protocol 1.99)
80/tcp   open     http           Apache httpd 1.3.33 ((Darwin))
139/tcp  open     netbios-ssn    Samba smbd 3.X (workgroup: WORKGROUP)
427/tcp  open     tcpwrapped
445/tcp  open     netbios-ssn    Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp  open     printer
548/tcp  open     afp            Apple AFP (name: TESTING; protocol 3.2; Max OS X 10.4.*;)
631/tcp  open     ipp            CUPS 1.1
5900/tcp open     vnc            Apple remote desktop vnc

The Nessus scan results returned:

• The web server permits user enumeration through evaluating the time response to fail on particular queries.

Apple released 10.4.8, the last major patch for Tiger in September 2006. Upon rebooting the system, Nmap largely detected the same services present that existed prior to the patching with the exception of various filtered ports and an upgrade to the 4.2 edition of SSH. The final patches of 2006, available through Software Update, did not present a differing remote vulnerability footprint than the 10.4.8 update.^55,56

PORT     STATE    SERVICE           VERSION
21/tcp   open     ftp               tnftpd 20040810
22/tcp   open     ssh               OpenSSH 4.2 (protocol 1.99)
80/tcp   open     http              Apache httpd 1.3.33 ((Darwin))
139/tcp  open     netbios-ssn       Samba smbd 3.X (workgroup: WORKGROUP)
427/tcp  open     tcpwrapped
445/tcp  open     netbios-ssn       Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp  open     printer
548/tcp  open     afp               Apple AFP (name: TESTING; protocol 3.2; Max OS X 10.4.*;)
631/tcp  open     ipp               CUPS 1.1
5900/tcp open     vnc               Apple remote desktop vnc

The Nessus scan results returned:

• The SSH service is subject to a PAM timing attack allowing for user enumeratin.
• The web server allows user enumeration through an HTTP response timing issue.

FreeBSD 6.2

FreeBSD was born in the 1993 as a derivative of 386BSD and 4.3BSD-Lite from U.C. Berkeley.⁵⁷ The operating system was intended to bring the power of BSD UNIX to the x86 platform but has expanded to include ports for the additional architectures Opteron, Athlon64, EM64T, ARM, IA-64, PC-98 and UltraSPARC.⁵⁸ It continues to be developed by the various teams throughout the Internet community.

Version 6.2 of the FreeBSD system was released on 26 December, 2006.⁵⁹ The core installation comes on two CDROMs. While installing, the FreeBSD system does not enable the networking hardware by default. Only with the administrator’s permission will selected interfaces be activated. Once enabled, the FreeBSD 6.2 system did not yield itself to any known vulnerabilities. An Nmap scan revealed no open ports and fingerprinted the host as a variant of FreeBSD.⁶⁰ Nessus revealed only that ICMP responds to queries for the localhost time.⁶¹

During the installation phase, a variety of FreeBSD’s stock services were enabled. These included FTP, SSH, telnet, shell, login, finger, ntalk, TFTP, POP3, IMAP4, SMB and NFS. These services were selected as they represent daemons that offer commonly used network features and are directly supported by the installation disc without requiring user configuration. No further configurations were made to the FreeBSD system beyond installing every binary and enabling the aforementioned services.

Upon rebooting the FreeBSD system, the chosen services from the installation were activated. During the scan, the FreeBSD console printed a variety of IPFW log messages regarding excessive traffic on the ports. By default, IPFW is enabled but is not configured for any security measures.⁶² An Nmap scan fingerprinted the system as FreeBSD 6.x (FreeBSD 6.1-RELEASE through 6.2-BETA3 (x86)) and revealed open ports.

PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        WU-FTPD 6.00LS
22/tcp   open  ssh        OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
23/tcp   open  telnet     BSD-derived telnetd
79/tcp   open  finger     FreeBSD fingerd
110/tcp  open  tcpwrapped
111/tcp  open  rpcbind     2-4 (rpc #100000)
119/tcp  open  tcpwrapped
139/tcp  open  tcpwrapped
143/tcp  open  tcpwrapped
513/tcp  open  rlogin
514/tcp  open  tcpwrapped
540/tcp  open  tcpwrapped
901/tcp  open  tcpwrapped
2049/tcp open  nfs         2-3 (rpc #100003)

Following the nmap port scan, Nessus was used to conduct a vulnerability assessment of FreeBSD in its operational state.⁶³ Nessus identified the same services and daemon banners that were detected by Nmap. None of the service binaries exhibited any vulnerabilities to remote exploits.

Solaris 10

In 1992, Sun introduced the first version of Solaris with the intent of phasing out the SunOS project.⁶⁴ The original version of Solaris is based on UNIX System V Release 4 which demonstrated a shift from the BSD code base used for building SunOS. Originally, SunOS was designed to operate using Motorolla processors on Sun’s propriety hardware. Sun shifted to the SPARC architecture in 1985 for its workstations and the operating system followed suit.⁶⁵ In a broad move, Sun expanded Solaris to support the x86 environment, allowing their operating system to operate on non-Sun hardware. Support was nearly pulled in 2002, but the x86 architecture survived and remains a mainstay in the Solaris package. Released in the beginning of 2005, Sun claims that Solaris 10 is the world’s most advanced OS because it is "the most efficient, secure, and reliable operating system ever built."⁶⁶

The core of Solaris 10 comes packaged in a single DVD-ROM or as a series of several CDROMs.⁶⁷ For installation purposes, the "Enable Remote Services" and "Entire Distribution" options were enabled to install the entire, default package of binaries equating to roughly four gigabytes. Immediately upon entering the configuration screens, Solaris prompted for enabling the network adapters. After enabling ethernet, an Nmap scan revealed zero open ports but did fingerprint the operating system as Sun Solaris 10|8|9.

When the Solaris 10 system went live, a variety of services were already present and enabled on the operating system. Using Nmap, a complete list of default servers and remote procedure call entry points were identified in addition to fingerprinting the system as a variant of Solaris. The Nessus scan revealed four immediate security holes.⁶⁸

PORT      STATE SERVICE          VERSION
21/tcp    open  ftp              Solaris ftpd
22/tcp    open  ssh              SunSSH 1.1 (protocol 2.0)
23/tcp    open  telnet           BSD-derived telnetd
25/tcp    open  smtp             Sendmail 8.13.7+Sun/8.13.7
79/tcp    open  finger           Sun Solaris fingerd
111/tcp   open  rpcbind           2-4 (rpc #100000)
513/tcp   open  rlogin
514/tcp   open  tcpwrapped
587/tcp   open  smtp             Sendmail 8.13.7+Sun/8.13.7
4045/tcp  open  nlockmgr          1-4 (rpc #100021)
6000/tcp  open  X11               (access denied)
6112/tcp  open  dtspc?
7100/tcp  open  font-service     Sun Solaris fs.auto
32774/tcp open  sometimes-rpc11?
32775/tcp open  fmproduct         1 (rpc #1073741824)
32776/tcp open  status            1 (rpc #100024)
32777/tcp open  status            1 (rpc #100024)
32778/tcp open  dmispd            1 (rpc #300598)
32779/tcp open  dmispd            1 (rpc #300598)
32780/tcp open  snmpXdmid         1 (rpc #100249)
32786/tcp open  metad             1-2 (rpc #100229)
32787/tcp open  sometimes-rpc27?

The Nessus scan results returned:

• The SMTP server did not respond to HELO but did respond to EXPN and VRFY commands which allow an attacker to discover delivery addresses and recipient names.
• The SNMP server is configured with a default community name that reveals too much information remotely.
• The SMTP server on port 587 is susceptible to a buffer overflow when a long argument is passed in the MAIL FROM command which may permit remote code execution or denial of service.
• The rpc.snmpXdmid command in the RPC service is vulnerable to a heap overflow allowing remote attackers to obtain a root shell.
• The rpc.cmsd command in the RPC service is vulnerable to an integer overflow allowing remote execution of arbitrary code with root privileges.

Fedora Core 6

Red Hat Linux first appeared on the Internet as a Beta version on Halloween of 1994. Seven months later in 1995, Red Hat Linux became an official distribution.⁶⁹ Red Hat’s approach to development differed from other distributions. Development on the Red Hat distribution was made entirely in-house based on community feedback while open development, called the Fedora Linux Project, paralleled it. This pattern continued until 2003 when Red Hat merged the projects, establishing Red Hat Enterprise Linux and the Fedora Core Project.⁷⁰

In October 2006, Fedora Core released version 6 of the distribution as a downloadable DVD-ROM image.⁷¹ During installation, the Fedora GUI prompted for options to which Office & Productivity, Software Development and Web Server were selected while Fedora Extras were not. When prompted for a detailed customization, the DNS server, FTP server, Legacy servers, Mail server, MySQL server, Network Servers, News server, PostgreSQL server , Printing server, Web server and Windows File Servers were all enabled. During this phase, Nmap was unable to identify any open ports and could not fingerprint the operating system. Nessus did not turn up any remote vulnerabilities.

After the first reboot, the network card came on-line for a final stage of installation configurations. Fedora’s installer prompted for security configurations on the firewall whereupon ports were opened for FTP, Mail, NFS, SSH, Samba, HTTPS, telnet and HTTP. No changes were made to the default SELinux policies.⁷² Nmap could not identify the operating system, guessing incorrectly Sun Solaris 10. Unlike other Nmap scans which took only seconds, this scan lasted for 26 minutes and resulted in numerous filtered ports which is behavior indicative of a default firewall. A Nessus scan against Fedora 6 during the configuration process revealed no direct vulnerabilities to the host itself.⁷³

PORT      STATE    SERVICE               VERSION
22/tcp    open     ssh                   OpenSSH 4.3 (protocol 2.0)

Despite the previous configuration prompts, the chosen servers were still not enabled. All servers were activated using the GNOME GUI. Nmap was able to identfy the open ports, but continued to misidentify the fingerprint as a Solaris system. Nessus found no remote vulnerabilities on the Fedora system.⁷⁴

PORT      STATE    SERVICE         VERSION
21/tcp    open     ftp             vsftpd 2.0.5
22/tcp    open     ssh             OpenSSH 4.3 (protocol 2.0)
80/tcp    open     http?
139/tcp   open     netbios-ssn     Samba smbd 3.X (workgroup: MYGROUP)
445/tcp   open     netbios-ssn     Samba smbd 3.X (workgroup: MYGROUP)
2049/tcp  open     nfs              2-4 (rpc #100003)

Slackware 11.0

Slackware emerged onto the Linux scene in 1993 as Patrick Volkerding’s project, first appearing as a posting in the comp.os.linux newsgroup.⁷⁵ During the early years of Linux, distributions tended to vary widely with little regard towards standardization. Slackware took the approach of maintaining a very "BSD-like" file organization and naming convention. Additionally, while other distributions opted for including bleeding edge binaries, Slackware tended to lag in binary versions by choosing more stable and patched releases. Furthermore, Slackware tended to not include a plethora of packages, opting instead to fit the entire distribution on as small a footprint as possible.⁷⁶ Slackware is predominantly an x86 based distribution, although ports have been made to other architectures.

Version 11.0 of Slackware was released in October of 2006.⁷⁷ The distribution comes as three base CDROMs, three source CDROMs or one compilation DVD-ROM.⁷⁸ Networking configurations are made during the installation, but the actual network interface is not activated during this phase. Slackware’s installation menus also prompt for which services to enable in addition to the defaults (which include SSH and Sendmail). Using the installer menu, the Bind DNS, CUPS print, Apache web, MySQLd database, RPC (NFS) and Samba servers were also enabled.

Immediately upon rebooting the Slackware system, an Nmap scan identified the system as Linux 2.4.X and determined the running services:⁷⁹

PORT STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.4 (protocol 1.99)
25/tcp  open  smtp    Sendmail 8.13.8/8.13.8
37/tcp  open  time    (32 bits)
53/tcp  open  domain
80/tcp  open  http    Apache httpd 1.3.37 ((Unix))
111/tcp open  rpcbind 2 (rpc #100000)
113/tcp open  ident   OpenBSD identd
587/tcp open  smtp    Sendmail 8.13.8/8.13.8
631/tcp open  ipp     CUPS 1.1

Slackware 11.0 supports more "out-of-box" services than those prompted for during the installation. For consistency of binary testing, the /etc/inetd.conf file was manually edited to enable basic UNIX services and servers. Additional servers include FTP, telnet, shell, login, ntalk, POP3, IMAP2, uucp, tftp, bootps, finger, and NetBIOS.^80,81 Aside from enabling the services, no configurations were made to the servers themselves in order to test them in a default setting. Nmap was used again to determine the additional service visibility:

PORT    STATE SERVICE    VERSION
21/tcp  open  ftp        vsftpd 2.0.5
21/tcp  open  ftp?       (NOTE: This was an extra scan against Professional FTP)
23/tcp  open  telnet     Linux telnetd
79/tcp  open  finger     Linux fingerd
80/tcp  open  http       Apache httpd 1.3.37 ((Unix))
110/tcp open  pop3       Openwall popa3d
139/tcp open  tcpwrapped
143/tcp open  imap       UW Imapd 2004.357
513/tcp open  login?
514/tcp open  tcpwrapped
540/tcp open  tcpwrapped

The Nmap port scan was followed by a Nessus vulnerability assessment of Slackware 11.0 in the operational state.⁸² Nessus was able to identify the same services and daemon banners (although with a little more detail) than were detected by Nmap.

The Nessus scan results returned:

• The Very Secure FTP server permitted anonymous connections by default.⁸³
• The telnet server is susceptible to the TESO buffer overflow when given excessively large "are you there" commands which could lead to remote root access.
• The DNS server is vulnerable to Cache Snooping attacks which allow a third party to ascertain what hosts have recently been resolved.

Suse Enterprise 10

SuSE began life as S.u.S.E. (Software- und System-Entwicklung), a German translation of Slackware back in 1992. The system continued to be based upon Slackware while pulling elements from RedHat and Jurix distributions until becoming unique in its own right by 1996.⁸⁴ Novell completed an acquisition of SuSE in 2004 attempting to leverage their position to force out competition.⁸⁵ Much like RedHat, SuSE now exists as the parallel work of the OpenSUSE project consisting entirely of open source projects and Novell’s SuSE Enterprise which includes proprietary applications.⁸⁶

SuSE Linux Enterprise ships on a single DVD from Novell.⁸⁷ The network card was detected during the configuration phase of installation but the system prompted before enabling it. SuSE’s network setup included a firewall configuration that is enabled by default. Nmap identified the system as Linux 2.6.x and only located one closed port. Strangely, Nmap fingerprinted the SuSE installer as Slackware 11.0, indicating the distribution still draws heavily from its Slackware roots. Nessus found no open vulnerabilities during the installation phase of SuSE.⁸⁸

PORT    STATE  SERVICE VERSION 
113/tcp closed auth

SuSE did not officially reboot following the second phase of the installation. Rather, the system restarted running services and then allowed for a user login. Services were enabled using the control panel, which installed binary images from the installation DVD. DHCP, DNS, HTTP (with modules for PHP, Perl, Python and Ruby), LDAP2, NFS, NIS, Samba, Slp and TFTP were installed with port openings in the firewall for each. With the servers enabled and access through the firewall opened, Nmap identified the system as Linux 2.4.22 along with the appropriate ports for the services. A subsequent Nessus scan for remotely accessible vulnerabilities detected minor issues.⁸⁹

PORT     STATE  SERVICE     VERSION
53/tcp   open   domain
80/tcp   open   http        Apache httpd 2.2.0 ((Linux/SUSE))
111/tcp  open   rpcbind      2 (rpc #100000)
113/tcp  closed auth
139/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: TUX-NET)
389/tcp  open   ldap        OpenLDAP 2.2.X
427/tcp  open   svrloc?
445/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: TUX-NET)
636/tcp  closed ldapssl
731/tcp  open   mountd       1-3 (rpc #100005)
2049/tcp open   nfs          2-4 (rpc #100003)

The Nessus scan results returned:

• The web server was configured by default with TRACK method support allowing a cross-site scripting attack.
• The DNS server is vulnerable to Cache Snooping attacks which allow a third party to ascertain what hosts have recently been resolved.

Ubuntu 6.10 Desktop/Server

In October of 2004, the first version of Ubuntu was released as a distribution fork from the Debian project.⁹⁰ Ubuntu adopted a philosophy of regularly scheduled releases (six months), moderately long run support (eighteen months) and ultimately that it should "just work." As such, Ubuntu is tied to GNOME releases, includes the latest editions of free binary packages and updates itself via the Internet. Using the Debian code base, Ubuntu works on a variety of architectures including x86, AMD64, Sun UltraSPARC, PowerPC and OpenPower.⁹¹

Version 6.10 was released in October 2006 as a single CDROM image.⁹² Ubuntu utilizes the LiveCD notion for an environment and enables the network device immediately, even before the installation GUI appears. However, a preliminary Nmap scan against this configuration reveals there are no remotely accessible network services available on the machine. The Ubuntu installer only responds to an ICMP ping. Additionally, the TCP/IP stack did not reveal its fingerprint for system identification. Even after rebooting the system, Ubuntu’s Edgy desktop edition did not present any remote entry points into the system. A quick check with netstat -l revealed that all socket activity on the system was limited to localhost UNIX streams. A quick Nmap scan identified the Ubuntu system as having no open ports and could only fingerprint the system as Linux 2.6. Nessus was unable to identify any vulnerable risks to the host in the default configurations.

Installing the server edition of Ubuntu 6.10 revealed the same installation environment only without the GUI. The system was only visible on-line to an ICMP ping but did not reveal any open network ports. Ubuntu’s server edition prompted for installing a DNS server and LAMP server (Linux Apache MySQL PHP). While useful, these services would not fully comprise the needs of a Linux server. Following a reboot, the CUPS, SMB, SSH, and VSFTPd services were added using apt-get. Although this deviates from the standard of testing only shipped binaries, Ubuntu relies on remote packages to fit the entire release onto a single CDROM. Despite having to manually add the servers, no further configurations were made. Nmap identified the kernel as linux 2.6.x and estimated the distribution to be either Ubuntu or Debian. Nessus was then used to scan the vulnerabilities present on the Ubuntu server.⁹³

PORT   STATE SERVICE VERSION
21/tcp  open  ftp         vsftpd 2.0.4
22/tcp  open  ssh         OpenSSH 4.3p2 Debian 5ubuntu1 (protocol 2.0)
53/tcp  open  domain
80/tcp  open  http        Apache httpd 2.0.55 ((Ubuntu) PHP/5.1.6)
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)

The Nessus scan results returned:

• The Apache2 server was configured by default with debugging enabled and TRACK method support allowing a cross-site scripting attack.
• The DNS server is vulnerable to Cache Snooping attacks which allow a third party to ascertain what hosts have recently been resolved.

Closing

While there are an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream – Windows, OS X, Linux and UNIX. Each system carries its own baggage of vulnerabilities ranging from local exploits and user introduced weaknesses to remotely available attack vectors.

As far as "straight-out-of-box" conditions go, both Microsoft’s Windows and Apple’s OS X are ripe with remotely accessible vulnerabilities. Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services. Once patched, however, both companies support a product that is secure, at least from the outside. The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each system generally maintained its integrity against remote attacks. Compared with the Microsoft and Apple products, however, UNIX and Linux systems tend to have a higher learning curve for acceptance as desktop platforms.

When it comes to business, most systems have the benefit of trained administrators and IT departments to properly patch and configure the operating systems and their corresponding services. Things are different with home computers. The esoteric nature of the UNIX and Linux systems tend to result in home users with an increased understanding of security concerns. An already "hardened" operating system therefore has the benefit of a knowledgeable user base. The more consumer oriented operating systems made by Microsoft and Apple are each hardened in their own right. As soon as users begin to arbitrarily enable remote services or fiddle with the default configurations, the systems quickly become open to intrusion. Without a diligence for applying the appropriate patches or enabling automatic updates, owners of Windows and OS X systems are the most susceptible to quick and thorough remote violations by hackers.^94,95

1 Patrizio, Andy. "Surprise, Microsoft Listed as Most Secure OS", internetnews.com, accessed March 2007 from http://www.internetnews.com/security/article.php/3667201

2 Lemos, Robert. "Vulnerability Tallies Surge in 2006", SecurityFocus, accessed March 2007 from http://www.securityfocus.com/news/11436

3 "OS Vulnerabilities Drop in 2006", ComputerPartner, accessed March 2007 from http://www.computerpartner.nl/article.php?news=int&id=4690

4 "SANS Top-20 Internet Security Attack Targets (2006 Annual Update)", SANS Institute, accessed March 2007 from http://www.sans.org/top20/

5 Admittedly, Mac OS9 is no longer a flagship product, however, it is bundled with OSX as "Classic."

6 Higgins, Kelly Jackson. "Rift Widens Over Bug Disclosure", Dark Reading, accessed January 2007 from http://www.darkreading.com/document.asp?doc_id=113737&WT.svl=news1_22

7 The Metasploit Project, accessed February 2007 from http://www.metasploit.com/

8 Vea, Matthew. "Operating System Exploits of 2004", OmniNerd, accessed January 2007 from http://www.omninerd.com/articles/Operating_System_Exploits_of_2004

9 Vea, Matthew. "Rootkit Analysis: What Is A Rootkit", VnutZ, accessed January 2007 from http://www.vnutz.com/articles/r00tkit_Analysis_What_Is_A_Rootkit

10 Markoff, John. "Attack of Zombie Computers Is Growing Threat", New York Times, accessed January 2007 from http://www.nytimes.com/2007/01/07/technology/07net.html?_r=0

11 Berinato, Scott. "Attack of the Bots", Wired Magazine, accessed January 2007 from http://www.wired.com/wired/archive/14.11/botnet.html

12 "Browser Statistics", W3Schools, accessed February 2007 from http://www.w3schools.com/browsers/browsers_stats.asps

13 "Operating System Market Share for Year 2006", NetApplications, accessed February 2007 from http://marketshare.hitslink.com/report.aspx?qprid=2&qpmr=15&qpdt=1&qpct=3&qptimeframe=Y&qpsp=2006

14 Network Mapper, Insecure.org, accessed January 2007 from http://insecure.org/nmap/

15 Nmap MAN Page, Insecure.org, accessed January 2007 from http://insecure.org/nmap/man/

16 Nessus: the Network Vulnerability Scanner, Nessus.org, accessed January 2007 from http://www.nessus.org/about/

17 "Windows XP Professional System Requirements", Microsoft, accessed February 2007 from http://www.microsoft.com/windowsxp/pro/upgrading/sysreqs.mspx

18 Nessus Output: Windows XP Installation Exploits

19 "Windows XP and SP2: Slipstreaming SP2 into your Windows XP Setup Files", Tech-Recipes, accessed February 2007 from http://www.tech-recipes.com/windows_installation_tips587.htmltips587.html

20 Nessus Output: Windows XP Post-Installation Exploits

21 Nessus Output: Windows XP Service Pack 2 Exploits

22 Nessus Output: Windows XP Patch Exploits

23 Thurrott, Paul. "Windows Server 2003: The Road To Gold", SuperSite for Windows, accessed February 2007 from http://www.winsupersite.com/reviews/winserver2k3_gold1.aspgold1.asp

24 Thurrott, Paul. "Microsoft Sets Windows Server 2003 Release Date", Windows IT Pro, accessed February 2003 from http://www.windowsitpro.com/Article/ArticleID/37643/37643.html

25 "Compare the Editions of Windows Server 2003", Microsoft, accessed February 2007 from http://www.microsoft.com/windowsserver2003/evaluation/features/comparefeatures.mspx

26 Nessus Output: Windows Server 2003 Install Exploits

27 Nessus Output: Windows Server 2003 Default Exploits

28 Nessus Output: Windows Server 2003 Service Exploits

29 "DNS Cache Snooping", Security Space, accessed March 2007 from http://www.securityspace.com/smysecure/catid.html?id=12217

30 "Windows Server 2003 Service Pack 1 Product Overview", Microsoft, accessed February 2007 from http://download.microsoft.com/download/d/8/5/d850add9-0a38-45bd-a0b4-fd15c6f08a39/SP1ProductOverview_120904.doc120904.doc

31 Nmap’s fingerprinting further identified the system as running Cisco embedded, Bay Networks embedded, Netopia embedded, Microsoft Windows 95/98/ME|NT/2K/XP with the specific OS details of Cisco Catalyst 1900 switch, Bay networks 350-450 switch, or Netopia DSL/ISDN router, Microsoft Windows 98SE + IE5.5sp1, Microsoft Windows 2000 Professional (Russian) SP2, Microsoft Windows XP SP2 or 2003 Server.

32 Nessus Output: Windows Server 2003 Service Pack 1 Exploits

33 Nessus Output: Windows Server 2003 Patch Exploits

34 "Security in Windows Vista: Setting a New Standard", Microsoft, accessed February 2007 from http://www.microsoft.com/security/windowsvista/default.mspx

35 "Windows Vista", Wikipedia, accessed February 2007 from http://en.wikipedia.org/wiki/Windows_Vista

36 Greene, Thomas. "Vista First Look: Bugs and Confusion", TheRegister, accessed February 2007 from http://www.theregister.co.uk/2007/02/14/pricey_beta_bugger/

37 "Choose An Edition"’, Microsoft, accessed February 2007 from http://www.microsoft.com/windows/products/windowsvista/editions/default.mspx

38 Nessus Output: Windows Vista Default Exploits

39 "Strategies", KernelThread, accessed March 2007 from http://www.kernelthread.com/mac/oshistory/9.html

40 Nmap also identified the TCP/IP stack as matching HP HP-UX 11.X or variants of Sun Solaris 2.X, 7, 8, 9 or 10.

41 Nessus Output: Apple MacOS9 Default Exploits

42 "Explanation of the ’Spank Attack’", w00w00, accessed March 2007 from http://www.w00w00.org/files/advisories/spank/spank.txt

43 Nessus Output: Apple MacOS9 Patch Exploits

44 "The Land Attack (IP DOS)", Insecure.org, accessed February 2007 from http://insecure.org/sploits/land.ip.DOS.html

45 Amit Singh. "Towards Mac OS X", KernelThread, accessed February 2007 from http://www.kernelthread.com/mac/oshistory/10.html

46 Nessus Output: Apple OSX Server Install Exploits

47 The web server featured a variety of built-in modules, however, only the naturally selected modules were kept in effect.

48 Nessus Output: Apple OSX Server Default Exploits

49 Additional servers utilizing HTTP were vulnerable to this defect as well – specifically the WebObjects available on port 1085.

50 Nessus Output: Apple OSX Server 10.4.8 Exploits

51 Nessus Output: Apple OSX Server Patch Exploits

52 Nessus Output: Apple OSX Tiger Install Exploits

53 "Setting Up a Firewall in FreeBSD 4.0 Using IPFW", DEFCON1, accessed March 2007 from http://www.defcon1.org/html/Networking_Articles/Firewall-Ipfw/firewall-ipfw.html

54 Nessus Output: Apple OSX Tiger Default Exploits

55 Nessus Output: Apple OSX Tiger 10.4.8 Exploits

56 Nessus Output: Apple OSX Tiger Patched Exploits

57 "About the FreeBSD Project", FreeBSD.org, accessed February 2007 from http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/history.html

58 "About FreeBSD", FreeBSD.org, accessed January 2007 from http://www.freebsd.org/about.html

59 ISO Images of FreeBSD 6.2 are available from FreeBSD.org, accessed December 2006 from ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/6.2/

60 Specifically, Nmap fingerprinted the host as: FreeBSD 5.4 or 5.5 (x86), FreeBSD 6.1-RELEASE through 6.2-BETA3 (x86), FreeNAS 0.671 (runs FreeBSD 6.1-STABLE).

61 Nessus Output: FreeBSD 6.2 Install Exploits

62 "Chapter 26: Firewalls", FreeBSD Handbook, accessed January 2007 from http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

63 Nessus Output: FreeBSD 6.2 Server Exploits

64 Bezroukov, Nikolai. "Solaris History", softpanorama.org, accessed February 2007 from http://www.softpanorama.org/Solaris/solaris_history.shtml

65 "SPARC", CPU-Collection, accessed March 2007 from http://www.cpu-collection.de/?tn=1&l0=cl&l1=SPARC

66 "Solaris 10 Operating System Features", solaris.com, accessed February 2007 from http://www.sun.com/software/solaris/features.jsp

67 ISO Images of Solaris are available from Sun.com, accessed January 2007 from http://www.sun.com/software/solaris/get.jsp

68 Nessus Output: Solaris 10.0 Server Exploits

69 "History of Red Hat Linux", FedoraProject.org, accessed February 2007 at http://fedoraproject.org/wiki/History

70 "Red Hat Linux", Wikipedia, accessed February 2007 from http://en.wikipedia.org/wiki/Red_Hat_LinuxLinux

71 ISO Images of Fedora Core are available from RedHat, accessed December 2006 from http://fedora.redhat.com/Download/

72 "Security Enhanced Linux", NSA, accessed March 2007 from http://www.nsa.gov/selinux/

73 Nessus Output: Fedora Core 6 Install Exploits

74 Nessus Output: Fedora Core 6 Server Exploits

75 Dreilinger, Sean. "Slackware", Linux Gazette, accessed February 2007 from http://linuxgazette.net/issue17/slackware.html

76 For many years, it was still possible to download Slackware installations as a set of floppy disks while competing distributions were forced into compression to fit onto a CDROM.

77 "A Brief Look at Slackware 11.0", Blogspot, accessed February 2007 from http://linuxhelp.blogspot.com/2006/10/brief-look-at-slackware-110.html

78 ISO Images of Slackware are available from Slackware, accessed December 2006 from http://www.slackware.com/getslack/torrents.php

79 Nmap’s fingerprinting further identified the system as matching Linksys Linux 2.4.X, Asus Linux 2.4.X, Maxtor Linux 2.4.X and detailed it as Linux 2.4.18-10 (Red Hat 7.3), Linux 2.4.20 – 2.4.32, Linux-based embedded device (Linksys WRT54GL WAP, Buffalo AirStation WLA-G54 WAP, Maxtor Shared Storage Drive, or Asus Wireless Storage Router. This implies those firmware solutions utilize a variant of Slackware’s compilation as their embedded core.

80 Slackware ships with both the Very Secure FTP server and Professional FTP servers.

81 Even though Samba was enabled during installation, the Slackware system did not enable the NetBIOS lines in /etc/inetd.conf.

82 Nessus Output: Slackware 11.0 Server Exploits

83 Both the Professional FTP and Very Secure FTP servers were tested separately.

84 "SUSE Linux", Wikipedia, accessed February 2007 from http://en.wikipedia.org/wiki/SUSE_Linux

85 "Novell Completes Acquisition of SUSE Linux", Novell, accessed February 2007 from http://www.novell.com/news/press/archive/2004/01/pr04003.html

86 OpenSUSE, accessed February 2007 from http://www.opensuse.org/

87 ISO images available for download from Novell, accessed February 2007 from http://www.novell.com/products/server/eval.html

88 Nessus Output: SuSE 10.0 Install Exploits

89 Nessus Output: SuSE 10.0 Server Exploits

90 "Software Distributions Based on Debian", Debian, accessed March 2007 from http://www.debian.org/misc/children-distros#ubuntu

91 Ubuntu, Ubuntu.com, accessed January 2007 from http://www.ubuntu.com/

92 ISO Images of Ubuntu Desktop and Ubuntu Server are available from Ubuntu, accessed December 2006 from http://www.ubuntu.com/products/GetUbuntu/download?action=show&redirect=download

93 Nessus Output: Ubuntu 6.10 Server Exploits

94 Lemos, Robert. "Bot Infected PCs Get A Refresh", SecurityFocus, accessed March 2007 from http://www.securityfocus.com/brief/395

95 Lemos, Robert. "Bots Surge Ahead in March", SecurityFocus, accessed March 2007 from http://www.securityfocus.com/brief/466