Pastie, Linode, and Security

Sorry for the long, long delay in posting - a lot of other things on my mind lately.

The Summary

Sorry this is going to be a long one.  If you're in a hurry: It's no big secret that Pastie is hosted at Linode, but from the information I have so far I have no reason to believe anyone has enjoyed root (or even non-root) access to Pastie servers other than myself - despite claims by HTP to the contrary.

The Details

Recently a few people have hit @pastieorg up on twitter about the recent Linode security incident and how it relates to pastie's own security.  Here is what HTP claims in their latest zine:

Meanwhile, we enjoyed our (root) access to Nmap, Nagios, SQLite, OSTicket, Phusion Passenger (modrails), Mono Project, Prey Project, Pastie, Sucuri, Hak5, Pwnie Express, Puppet, and oauth

It's no big secret that Pastie is hosted at Linode, but from the information I have so far I have no reason to believe anyone has enjoyed root (or even non-root) access to Pastie other than myself.  Let's break down the incident as I understand it.

The Linode customer database

Linode's customer database was compromised... so the bad guys do know where I (used to) live. They also would have had access to my password salt and hash for Linode Manager (though, critically, not the password itself).  Linode forced a system-wide reset of passwords after the attack to deal with this critical area of vulnerability.

Without actually logging into the Linode Manager to swap disk images or do a root password reset I'm not sure how they would have rooted pastie solely via a compromise of the customer database.  Nothing Linode has said indicates HTP had direct access to Linode Manager and I see no indication of such activity in the logs.

There is some disagreement on whether they had access to credit card information... but that is outside the scope of this discussion.

The LISH console

Linode has acknowledged that "There were occurrences of Lish passwords in clear text in our database."  I'm not sure why there would be "occurrences" vs all or none... maybe they are hinting at the fact that not every server even has (or needs) a LISH password.  LISH passwords are set manually by users who want them... otherwise it's LISH via SSH only.

I'm not sure it's possible to check now (after the fact) but I'm fairly confident I've never used LISH passwords for Pastie boxes - instead preferring the much improved security of SSH keys.  Let's assume they did gain access to LISH though, just for giggles.

LISH allows you to do cool server management stuff such as turning off your Linode, rebooting, viewing boot configs, viewing the authorized public keys with access to LISH, etc.  While randomly booting or power cycling servers could indeed be a terrible attack, that's not "root access".

LISH - The console logs and "local" access to a login prompt

LISH's viewlog command dumps the last 250 console lines from the previous boot and the last 100 lines from the current boot.  I don't see anything super interesting in the logs myself, but I have no doubt there could be useful info there for someone trying to hack a box.  But alas, 350 lines of console logs does not "root access" make.

Of course LISH gives you access to the server console itself and therefore the ability to log in "locally".  At this point you either need a hilariously bad vulnerability in login itself or credentials for a local account.  Almost all the local accounts on Pastie boxes are locked (no login via password) to begin with - again my preference being to use SSH keys wherever possible.

As a side note, I checked the console logs for all Pastie boxes and they are all very much boringly empty (no malicious local login attempts or anything else out of the ordinary).
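As an added example (not code from the original post, and not the Pastie project's own tooling), here is a small shell audit of the two things this section turns on: which local accounts would actually accept a password at a console login prompt, and whether the auth log records failed console logins.  The shadow entries, log lines, hostname and hashes in it are constructed placeholders, not data from any Pastie box; on a real host you would point the two functions at /etc/shadow and your auth log.

```shell
#!/bin/sh
# Added example, not code from the original post or from Pastie/Linode: an audit of
# what a LISH-style console login prompt actually exposes on a box.
# Check 1: which local accounts still accept a password login (the only accounts a
#          console attacker could log into without a separate vulnerability).
# Check 2: whether the auth/console log records failed local login attempts.
# The shadow and log files below are CONSTRUCTED samples so the script runs offline.

# Print accounts whose shadow password field is NOT locked.
# A field starting with '!' or '*' is locked/disabled; an empty field means no
# password at all, which is worse than an unlocked hash and is flagged separately.
password_login_enabled() {
    awk -F: '
        $2 == ""      { print $1 " (EMPTY PASSWORD)"; next }
        $2 !~ /^[!*]/ { print $1 }
    ' "$1"
}

# Count failed console logins. login(1) records these as "FAILED LOGIN ... FOR ...";
# sshd uses different wording, so SSH failures are deliberately not counted here.
failed_console_logins() {
    grep -c 'FAILED LOGIN' "$1" || true
}

# --- constructed samples (placeholder hostname, hashes and addresses) ---------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
SAMPLE_LOG="$SAMPLE_DIR/auth.log"

cat > "$SAMPLE_SHADOW" <<'EOF'
root:!:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
deploy:!$6$saltsalt$PLACEHOLDERHASH:16000:0:99999:7:::
ops:$6$saltsalt$PLACEHOLDERHASH:16000:0:99999:7:::
guest::16000:0:99999:7:::
EOF

cat > "$SAMPLE_LOG" <<'EOF'
Apr 16 03:12:01 vps01 login[1201]: FAILED LOGIN (1) on '/dev/hvc0' FOR 'root', Authentication failure
Apr 16 03:12:09 vps01 login[1201]: FAILED LOGIN (2) on '/dev/hvc0' FOR 'root', Authentication failure
Apr 16 03:15:44 vps01 sshd[1337]: Accepted publickey for deploy from 203.0.113.5 port 52110 ssh2
EOF

echo "Accounts that accept a password at the console:"
password_login_enabled "$SAMPLE_SHADOW"
echo "Failed console logins in log: $(failed_console_logins "$SAMPLE_LOG")"
```

On the constructed sample, "root" and "daemon" are disabled, "deploy" has a real hash but was locked with a leading "!" (what passwd -l produces), so only "ops" accepts a password and "guest" has none at all; the log shows two failed root attempts on the console device and one key-based SSH login that is correctly left out of the count.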

In Conclusion

When HTP says "root access" they must mean something entirely different from what I think of when I think of "root" access to a box.  Their claim also goes against everything Linode has said publicly about the incident.  If every single hosted VPS were compromised at the root level, that would be a much, much different scenario than what actually happened.