Does not appear to be (too) malicious ...

From: Stefan Esser <se_at_freebsd.org>
Date: Sun, 28 Nov 2021 09:16:25 UTC
On 28.11.21 at 02:06 Mario Lobo wrote:
> On Sat, Nov 27, 2021, 20:27 George Mitchell <george+freebsd@m5p.com> wrote:
> 
>> On 11/27/21 17:40, Obsto Clades via freebsd-hackers wrote:
>>> I hacked on the FreeBSD source code to produce a version of the OS that
>>> cannot be remotely hacked.  Before you tell me that is impossible, I
>>> have an answer to that response on my FAQ page.
>>>
>>> If you are interested in checking out my OS, you can find instructions
>>> on my site's home page:  https://obstoclades.tech/
>>>
>>> I invite you to check it out.
>>>
>>
>> Hmm, my mother told me never to click on links in strange emails ...
>> -- George
>>
> 
> curl http://obstoclades.tech
[...]
>        <p class="red">Connection denied by Geolocation Setting.</p>
>        <p><b> Reason: </b> Blocked country: <font color="red">  </font> </p>
>        <p>The connection was denied because this country is blocked in the
> Geolocation settings.</p>
>        <p>Please contact your administrator for assistance.</p>
>      </div>
>      <div class="band">WatchGuard Technologies, Inc.</div>
>    </div>
>  </body>
> </html>

$ fetch --no-verify-peer -v -o /tmp/obstoclades.html https://obstoclades.tech
resolving server address: obstoclades.tech:443
SSL options: 82004854
Verify hostname
TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
Certificate subject: /CN=obstoclades.tech
Certificate issuer: /C=US/O=Let's Encrypt/CN=R3
requesting https://obstoclades.tech/
fetch: https://obstoclades.tech: size of remote file is not known
local size / mtime: 34916 / 1638088913
/tmp/obstoclades.html                             34 kB  181 kBps    00s

There is actual content in this file, and it does not seem to contain any
malicious parts. It starts with:

<!DOCTYPE html>
<!--
      File:  ObstoClades.html
      Copyright (c) 2021 Obsto Clades, LLC
 -->
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <title>Security is a Joke</title>
    <meta name="description"
          content="This demonstrates a modified BSD Operating System designed
to prevent remote hacking of single-purpose computer systems.">
    <link rel="stylesheet" type="text/css" href="/css/obstoclades.css"/>
    <link rel="icon" type="image/x-icon" href="/favicon.ico"/>
    <script
src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
    <script src="js/obstoclades.js" defer="defer"></script>
  </head>

And besides the jquery.min.js downloaded from ajax.googleapis.com only the
following short and apparently benign script is downloaded as obstoclades.js:

/*
 * File:  obstoclades.js
 * Copyright (c) 2017 Obsto Clades, LLC
 */

$(document).ready(function()
{
    // Collapsible sections: content starts hidden, a click on the image toggles it.
    var $content = $(".content").hide();
    $(".img").on("click", function (e)
    {
        $(this).parent().parent().toggleClass("expanded");
        var ttt = $(this).parent().children(".tooltiptext");
        if ($(this).parent().parent().hasClass("expanded"))
        {
                ttt.replaceWith("<span class=\"tooltiptext\">Click to close</span>");
        }
        else
        {
                ttt.replaceWith("<span class=\"tooltiptext\">Click to open</span>");
        }
        $(this).parent().parent().next().slideToggle();
    });
    // Size the logo to match the header text height.
    var textHeight = $("#left-side-header-text").height();
    $("#old_english_sheepdog").height(textHeight).width(textHeight);
    // Submit the contact form from the button.
    $("#button").click(function()
    {
        $("#contactus-form").submit();
    });
});

He invites people to attack his server using an SSH login with provided
credentials, and offers US$1000 for any successful modification of the test
server. See the following video, which shows that root on the console and
root via su in the SSH session get quite different environments:

https://obstoclades.tech/video/demo-video.mp4

This looks like a setup with lots of restrictions applied, probably noexec
mounts of temporary file systems and the like, possibly jails and/or MAC
restrictions.

He thinks that an embedded system configured that way could not be attacked,
but explains that his concept is limited to e.g. IoT use cases (what he
calls "single-purpose computer system").

Anyway, I could not find any malicious content on the web server. Accessing
with an SSH session (obviously configured to not allow backwards tunneling)
should also not be too dangerous from a dumb terminal (but beware of escape
sequence attacks possible with ANSI terminals, e.g. reprogramming of function
keys with "ESC[code;string;...p").

It looks to me like kind of a honeypot setup gathering attack attempts to
see whether a throw-away system can withstand them. All attack attempts are
logged, either to learn how to perform them, or to actually improve the
security of his protection concept in case of a successful break-in.

Regards, Stefan
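The escape-sequence caveat in the message above is concrete enough to act on: anything a hostile host sends back over an SSH session reaches the local terminal emulator unfiltered, and some sequences program keys rather than draw text. The following is an added example, not code from the thread or from Obsto Clades. It assumes the ANSI.SYS-style key reassignment syntax "ESC[code;"string";...p" that the message cites and the DEC DECUDK user-defined-key sequence (a DCS string of the form "DCS Pc;Pl | key/hexstring ; ... ST"); the sample session output is constructed for the example.

```python
"""Sanitize untrusted terminal output before it reaches a real terminal.

Added example (not from the mailing-list thread): strip escape sequences
from text captured from an untrusted session, and report the ones that
would reprogram keys (ANSI.SYS-style key reassignment and DEC DECUDK).
"""
import re

# Pieces of the sequence grammar we care about (ECMA-48 / DEC syntax).
DCS       = r'\x1bP.*?\x1b\\'                        # DCS ... ST   (DECUDK is carried here)
OSC       = r'\x1b\].*?(?:\x07|\x1b\\)'              # OSC ... BEL|ST (window title etc.)
KEY_REMAP = (r'\x1b\[(?:[0-9]+|"[^"\x1b]*")'         # ANSI.SYS: ESC[ code ; "string" ; ... p
             r'(?:;(?:[0-9]+|"[^"\x1b]*"))+p')
CSI       = r'\x1b\[[0-?]*[ -/]*[@-~]'               # generic CSI: params, intermediates, final
ESC_FE    = r'\x1b[@-Z\\-_]'                         # remaining two-byte ESC sequences

# Order matters: the quoted-string form must be tried before generic CSI,
# otherwise '"' is taken as an intermediate byte, the match ends on the
# first letter of the string and the rest of the payload leaks through.
CONTROL_SEQ = re.compile('|'.join([DCS, OSC, KEY_REMAP, CSI, ESC_FE]), re.DOTALL)
KEY_REMAP_RE = re.compile(KEY_REMAP)


def strip_terminal_controls(text: str) -> str:
    """Return text with every recognised escape sequence removed."""
    return CONTROL_SEQ.sub('', text)


def naive_strip(text: str) -> str:
    """The common 'strip CSI only' one-liner, kept to show how it desyncs."""
    return re.sub(CSI, '', text)


def find_key_redefinitions(text: str) -> list:
    """List (kind, raw_sequence) for sequences that would reprogram keys."""
    hits = []
    for m in CONTROL_SEQ.finditer(text):
        seq = m.group(0)
        if KEY_REMAP_RE.fullmatch(seq):
            hits.append(('ansi.sys', seq))
        elif seq.startswith('\x1bP') and '|' in seq:  # DCS Pc;Pl | key/hex ; ... ST
            hits.append(('decudk', seq))
    return hits


# Constructed sample of what a hostile shell could echo back over ssh.
SAMPLE = (
    "\x1b[1;32mroot@target:~ #\x1b[0m ls /tmp\n"       # coloured prompt: harmless SGR
    "\x1b]0;innocent title\x07"                       # OSC: set window title
    '\x1b[0;59;"rm -rf /tmp/*";13p'                   # ANSI.SYS: F1 -> command + Enter
    "\x1bP1;1|11/726d202d7266202f0d\x1b\\"             # DECUDK: F1 -> "rm -rf /\r" as hex
    "nothing to see here\n"
)

if __name__ == '__main__':
    print(strip_terminal_controls(SAMPLE), end='')
    for kind, seq in find_key_redefinitions(SAMPLE):
        print(f'{kind}: {seq!r}')
```

Run it on a session transcript (e.g. the output of script(1) or a tee'd ssh session) rather than live output; the point of the naive_strip comparison is that a CSI-only filter leaves the tail of the quoted string on screen and the DCS payload untouched, so a filter has to parse the quoted-string and DCS forms explicitly.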