Re: Does not appear to be (too) malicious ...

From: Mehmet Erol Sanliturk <m.e.sanliturk_at_gmail.com>
Date: Sun, 28 Nov 2021 10:13:25 UTC
On Sun, Nov 28, 2021 at 12:17 PM Stefan Esser <se@freebsd.org> wrote:

> On 28.11.21 at 02:06, Mario Lobo wrote:
> > On Sat, Nov 27, 2021, 20:27 George Mitchell <george+freebsd@m5p.com>
> wrote:
> >
> >> On 11/27/21 17:40, Obsto Clades via freebsd-hackers wrote:
> >>> I hacked on the FreeBSD source code to produce a version of the OS that
> >>> cannot be remotely hacked.  Before you tell me that is impossible, I
> >>> have an answer to that response on my FAQ page.
> >>>
> >>> If you are interested in checking out my OS, you can find instructions
> >>> on my site's home page:  https://obstoclades.tech/
> >>>
> >>> I invite you to check it out.
> >>>
> >>
> >> Hmm, my mother told me never to click on links in strange emails ...
> >> -- George
> >>
> >
> > curl http://obstoclades.tech
> [...]
> >        <p class="red">Connection denied by Geolocation Setting.</p>
> >        <p><b> Reason: </b> Blocked country: <font color="red">  </font>
> </p>
> >        <p>The connection was denied because this country is blocked in
> the
> > Geolocation settings.</p>
> >        <p>Please contact your administrator for assistance.</p>
> >      </div>
> >      <div class="band">WatchGuard Technologies, Inc.</div>
> >    </div>
> >  </body>
> > </html>
>
> $ fetch --no-verify-peer -v -o /tmp/obstoclades.html
> https://obstoclades.tech
> resolving server address: obstoclades.tech:443
> SSL options: 82004854
> Verify hostname
> TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
> Certificate subject: /CN=obstoclades.tech
> Certificate issuer: /C=US/O=Let's Encrypt/CN=R3
> requesting https://obstoclades.tech/
> fetch: https://obstoclades.tech: size of remote file is not known
> local size / mtime: 34916 / 1638088913
> /tmp/obstoclades.html                             34 kB  181 kBps    00s
>
> There is actual content in this file, and it does not seem to contain any
> malicious parts. It starts with:
>
> <!DOCTYPE html>
> <!--
>       File:  ObstoClades.html
>       Copyright (c) 2021 Obsto Clades, LLC
>  -->
> <html lang="en">
>   <head>
>     <meta charset="UTF-8">
>     <title>Security is a Joke</title>
>     <meta name="description"
>           content="This demonstrates a modified BSD Operating System designed
> to prevent remote hacking of single-purpose computer systems.">
>     <link rel="stylesheet" type="text/css" href="/css/obstoclades.css"/>
>     <link rel="icon" type="image/x-icon" href="/favicon.ico"/>
>     <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
>     <script src="js/obstoclades.js" defer="defer"></script>
>   </head>
>
> And besides the jquery.min.js downloaded from ajax.googleapis.com only the
> following short and apparently benign script is downloaded as
> obstoclades.js:
>
> /*
>  * File:  obstoclades.js
>  * Copyright (c) 2017 Obsto Clades, LLC
>  */
>
> $(document).ready(function()
> {
>     var $content = $(".content").hide();
>     $(".img").on("click", function (e)
>     {
>         $(this).parent().parent().toggleClass("expanded");
>         var ttt = $(this).parent().children(".tooltiptext");
>         if ($(this).parent().parent().hasClass("expanded"))
>         {
>                 ttt.replaceWith("<span class=\"tooltiptext\">Click to close</span>");
>         }
>         else
>         {
>                 ttt.replaceWith("<span class=\"tooltiptext\">Click to open</span>");
>         }
>         $(this).parent().parent().next().slideToggle();
>     });
>     var textHeight = $("#left-side-header-text").height();
>     $("#old_english_sheepdog").height(textHeight).width(textHeight);
>     $("#button").click(function()
>     {
>         $("#contactus-form").submit();
>     })
> });
>
> He invites people to attack his server using an SSH login with provided
> credentials, and offers US$1000 for any successful modification of the test
> server. See the following video, which shows that root on the console and
> root via su in the SSH session get quite different environments:
>
> https://obstoclades.tech/video/demo-video.mp4
>
> This looks like a setup with lots of restrictions applied, probably noexec
> mounts of temporary file systems and the like, possibly jails and/or MAC
> restrictions.
>
> He thinks that an embedded system configured that way could not be attacked,
> but explains that his concept is limited to e.g. IoT use cases (what he
> calls a "single-purpose computer system").
>
> Anyway, I could not find any malicious content on the web server. Accessing
> with an SSH session (obviously configured to not allow backwards tunneling)
> should also not be too dangerous from a dumb terminal (but beware of escape
> sequence attacks possible with ANSI terminals, e.g. reprogramming of
> function keys with "ESC[code;string;...p").
>
> It looks to me like kind of a honeypot setup gathering attack attempts to
> see whether a throw-away system can withstand them. All attack attempts are
> logged, either to learn how to perform them, or to actually improve the
> security of his protection concept in case of a successful break-in.
>
> Regards, Stefan
>


The message above is really a very good one because of its information
content.

As a response to my message in the following link

https://lists.freebsd.org/archives/freebsd-hackers/2021-November/000515.html

Obsto Clades asked me in a private message, approximately,

"I am connecting to the web site ... without any such message.

Do you have more information?"

I replied, "No."


When the following link is opened (please notice that it is http, not https)

http://obstoclades.tech/

the response of Firefox (57.0.1) is the following:

--------------------------------------------------------

Connection denied by Geolocation Setting.

* Reason: * Blocked country:

The connection was denied because this country is blocked in the
Geolocation settings.

Please contact your administrator for assistance.
WatchGuard Technologies, Inc.


--------------------------------------------------------



When the following link is opened (please notice that it is https, not http)

https://obstoclades.tech/video/demo-video.mp4

the response of Firefox (57.0.1) is the following:

--------------------------------------------------------


Your connection is not secure

The owner of obstoclades.tech has configured their website improperly. To
protect your information from being stolen, Firefox has not connected to
this website.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites



--------------------------------------------------------


In "Learn more ..."

the linked page is

https://support.mozilla.org/en-US/kb/error-codes-secure-websites?as=u&utm_source=inproduct
How to troubleshoot security error codes on secure websites


There are 2 knobs that are not copyable:

(1) Go back

(2) Advanced


When "Advanced" is clicked (there is no linked page),

the following message is displayed:




--------------------------------------------------------


obstoclades.tech uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is not valid for the name obstoclades.tech.

Error code: SEC_ERROR_UNKNOWN_ISSUER


--------------------------------------------------------



With a knob (without any linked page) as follows:

"Add Exception ..."

with a dialog pane displayed to add an exception for that page

(which I did not add because the website owner may correct her/his
certificate or the configuration of the website).


With my best wishes for all ,


Mehmet Erol Sanliturk