User: Password:
Subscribe / Log in / New account


Deliberately insecure Linux distributions as practice targets

April 6, 2011

This article was contributed by Koen Vervloesem

There are a lot of penetration testing (aka pentest) tools, but they are not always easy to learn, so you need practice — a lot of practice. Before using these tools on a live environment, you need to set up a test environment, install some services with vulnerabilities, and then try to break into it. Fortunately, pentesters don't have to do all this preparation themselves, as this is a niche where a couple of Linux distributions can be found. We'll take a look at a few of these deliberately insecure Linux distributions, which can be run on an isolated network or in a virtual machine to be targeted with your pentesting tools or exploits. On the attacker's side, you could use a distribution like BackTrack or a pentesting tool like the Metasploit Framework.

Damn Vulnerable Linux and Metasploitable

Probably the most well-known vulnerable Linux distribution is Damn Vulnerable Linux, but at this moment the website has the message "We are working. DVL 2.0 might appear in summer 2011" and there doesn't seem to be a way to download the most recent release, 1.5 (which dates from January 2009), so your author couldn't review DVL. The idea, however, is simple: DVL is shipped as a distribution that is as vulnerable as possible, for learning and research purposes for security pentesters and students. DVL was built by Thorsten Schneider, a security researcher at Bielefeld University in Germany, as a training system that he could use for his university lectures, to teach topics like buffer overflows, SQL injection, and so on.

Another well-known vulnerable Linux distribution is Metasploitable, an Ubuntu 8.04 server install on a VMWare image. This install includes a number of vulnerable packages, such as a Tomcat 5.5 servlet container with weak credentials, ssh and telnet accounts with weak passwords, along with outdated versions of distcc, tikiwiki, twiki, and MySQL. Metasploitable is meant as a practice target for the Metasploit Framework, but of course you can also use it to test other pentesting tools. Moreover, the virtual disk is non-persistent, so all damage you do to the system while pentesting disappears after a reboot. Metasploitable can easily be installed in VirtualBox: just add the vmdk file as a new virtual hard disk to VirtualBox and create a new Linux VM with this hard disk as the boot disk. Just don't forget to enable IO APIC in the virtual machine.


An especially interesting vulnerable machine (or rather, a set of virtual machines) is LAMPSecurity. There is a CentOS based virtual machine that can be used as the attacker's operating system because it becomes preloaded with many attack tools, and another CentOS based virtual machine as the target, named Capture The Flag. Unfortunately, your author couldn't get these images, distributed as VMware images, to boot on VirtualBox. However, the Capture The Flag image comes with a tutorial PDF that demonstrates how to chain together a series of vulnerabilities to be able to completely compromise the target system. The document describes one possible path to get root, but of course there are other ways to compromise the target, so after reading the document, users can surely apply what they have learned to further explore the target.

The tutorial begins with scanning the target with the vulnerability scanner Nikto, which is specialized in testing web servers for interesting files and directories (e.g. a public /phpmyadmin) and vulnerable web server software. It also identifies the version numbers of Apache and PHP, which are useful to search for vulnerabilities that apply. Then the tutorial shows how to use Paros as a web proxy in the browser, so the pentester can intercept requests to the target: all requests and responses are registered and can be investigated in the Paros program to look for vulnerabilities in a web application.

In the next step of the tutorial, the user is guided to identify an SQL injection vulnerability in the target's web site. This section is a particularly interesting introduction to SQL injections, with a step-by-step explanation spelled out in detail, including how to get access to system files. In the last step, the tutorial builds upon this SQL injection with a local privilege escalation to get an interactive root shell for the attacker.

De-ICE PenTest

The most comprehensive vulnerable distribution project is definitely the De-ICE PenTest Lab, the brainchild of penetration tester Thomas Wilhelm. When he had to learn as much about penetration testing as possible in a short time, he found no usable targets to practice on, so he created his own live CDs: two "Level 1" ISO images and one "Level 2" image. On the attacker's side, Wilhelm recommends BackTrack. Unfortunately, the target machines have an hardcoded IP address, which can conflict with your own network's address range.

Each of the ISO images is meant to be used in a specific real-world scenario: for the first Level 1 image, you are hired by a small company to pentest an old server that has a web-based list of the company's contact information. The scenario for the second Level 1 image is a little tougher: the target system is an FTP server that has been used in the past to maintain customer information but has been sanitized, and you have to show that you can get sensitive information out of the server. In the Level 2 scenario, you should identify any vulnerabilities you can find, and you get the permission to cause damage.

De-ICE PenTest also has a forum, where users can discuss the challenges for the three ISO images and get some help (warning: there are spoilers in the forum). On the wiki, there are also some video walkthroughs. Of course these contain major spoilers, so you probably want to wait for them until you have completed the challenges.

Other projects

There are a lot of other projects. The Virtual Hacking Lab has the same approach as LAMPSecurity: it distributes an ISO image to run on the attacker's side (the security-focused Gentoo derivative live CD Pentoo), and offers some vulnerable images to run as the target machines. For instance, a directory lists quite a few vulnerable distributions. Unfortunately, the project doesn't come with comprehensive documentation.

The OWASP Broken Web Applications Project is, like its name says, focused on vulnerable web applications. OWASP is the Open Web Application Security Project, a community that works to create freely available documentation, methodologies, and tools concerning web application security. The OWASP Broken Web Applications Project is distributed as a virtual machine in a VMware image. It's running outdated, vulnerable versions of some real-life web applications, such as phpBB and WordPress, but also some intentionally vulnerable applications created by OWASP and other projects.

Holynix is an Ubuntu Server install on a VMware image, which also runs on VirtualBox or Qemu. According to the README, the image requires a specific network configuration with a static IP address, which is cumbersome if the required network mask conflicts with your own network. Your author downloaded version 2 and ran it in VirtualBox. The project has a forum with help, including instructions about importing the distribution's image in VMware or VirtualBox. Just don't forget to enable PAE/NX and IO APIC in the virtual machine, or it won't boot.


If you start digging, you'll easily find a dozen vulnerable Linux distributions that you can use to practice on. However, none of these distributions really stands out from the crowd. Many of them are already old —although that's not bad in this case, as it improves the chance of finding vulnerabilities. An somewhat more painful issue is that many of these distributions require a specific network configuration, which is a barrier to quickly test them in an arbitrary network. Along the same line, many of these projects are distributed as VMware images, which are not always easy to run in other hypervisors. Documentation is also an issue with many of these projects: while one could say that good pentesters will always have to be able to find their way on a foreign system, a little guidance could make these vulnerable distributions a more efficient tool for testing these tools and techniques. However, one thing is sure: pentesters that jump through all these hoops will be able to practice their techniques on a lot of different test targets.

Comments (3 posted)

Brief items

X.Org security advisory: root hole via rogue hostname

X.Org has patched a root hole in xrdb, in all versions up to 1.0.8. "By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb." Hosts that set their hostname via DHCP and/or hosts that allow remote logins via xdmcp are affected. The issue has been fixed in xrdb 1.0.9.

Full Story (comments: 16)

Laurie: Improving SSL certificate security

On Google's security blog, Ben Laurie looks at some Google initiatives to improve SSL certificate security. One is a certificate catalog that Google gathers as it spiders the internet, which can be queried via DNS (see the post for details). "The second initiative to discuss is the DANE Working Group at the IETF. DANE stands for DNS-based Authentication of Named Entities. In short, the idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn't consistent with the DANE records, it should be treated with suspicion."

Comments (63 posted)

Linux security summit CFP open

On his blog, James Morris has announced that the call for presentations for the 2011 Linux Security Summit is now open. Proposals will be accepted until May 27, and the summit will be held on September 8 in Santa Rosa, CA in conjunction with the Linux Plumbers Conference. From the summit site: "Brief technical talks in 30 minute slots, including at least 10 minutes of discussion (i.e. the maximum length of the presentation alone is 20 minutes). Papers are encouraged, and slides should be minimal. [...] Presentation abstracts should be approximately 150 words in length."

Comments (none posted)

New vulnerabilities

asterisk: multiple vulnerabilities

Package(s):asterisk CVE #(s):CVE-2011-1174 CVE-2011-1175
Created:March 31, 2011 Updated:April 27, 2011

From the Red Hat Bugzilla [1, 2]:

CVE-2011-1174: If manger connections were rapily opened, sent invalid data, then closed, it could cause Asterisk to exhaust available CPU and memory resources. The Manager Interface is disabled by default. Versions 1.6.2.x and 1.8.x are affected, and and have been released to correct this flaw.

CVE-2011-1175: If a remote, unauthenticated, attacker were to rapidly open and close TCP connections to services using the ast_tcptls_* API, they could cause Asterisk to crash after dereferencing a NULL pointer. This flaw affects 1.6.2.x and 1.8.x, and is corrected in and

Gentoo 201110-21 asterisk 2011-10-24
Fedora FEDORA-2011-3942 asterisk 2011-03-23
Fedora FEDORA-2011-3945 asterisk 2011-03-23
Debian DSA-2225-1 asterisk 2011-04-25

Comments (1 posted)

cobbler: privilege escalation

Package(s):cobbler CVE #(s):CVE-2011-1551
Created:April 1, 2011 Updated:April 6, 2011
Description: From the openSUSE advisory:

/var/log/cobbler/ directory was owned by the web service user. Access to this account could potentially be abused to corrupt files during root filesystem operations by the Cobbler daemon.

SUSE SUSE-SR:2011:006 apache2-mod_php5/php5, cobbler, evince, gdm, kdelibs4, otrs, quagga 2011-04-05
openSUSE openSUSE-SU-2011:0277-1 cobbler 2011-04-01

Comments (none posted)

evince: buffer overflow

Package(s):evince CVE #(s):CVE-2011-0433
Created:April 1, 2011 Updated:January 30, 2012
Description: From the openSUSE advisory:

This update of evince fixes a buffer overflow in linetoken().

Mandriva MDVSA-2012:144 tetex 2012-08-28
Scientific Linux SL-tete-20120823 tetex 2012-08-23
Oracle ELSA-2012-1201 tetex 2012-08-23
CentOS CESA-2012:1201 tetex 2012-08-23
Red Hat RHSA-2012:1201-01 tetex 2012-08-23
openSUSE openSUSE-SU-2012:0559-1 t1lib 2012-04-25
Oracle ELSA-2012-0137 texlive 2012-02-15
CentOS CESA-2012:0137 texlive 2012-02-16
Scientific Linux SL-texl-20120215 texlive 2012-02-15
Red Hat RHSA-2012:0137-01 texlive 2012-02-15
CentOS CESA-2012:0062 t1lib 2012-01-30
Fedora FEDORA-2012-0266 t1lib 2012-01-28
Fedora FEDORA-2012-0289 t1lib 2012-01-28
Ubuntu USN-1347-1 evince 2012-01-25
Scientific Linux SL-t1li-20120125 t1lib 2012-01-25
Red Hat RHSA-2012:0062-01 t1lib 2012-01-24
Oracle ELSA-2012-0062 t1lib 2012-01-25
Ubuntu USN-1335-1 t1lib 2012-01-19
Debian DSA-2388-1 t1lib 2012-01-14
Mandriva MDVSA-2012:004 t1lib 2012-01-12
SUSE SUSE-SR:2011:006 apache2-mod_php5/php5, cobbler, evince, gdm, kdelibs4, otrs, quagga 2011-04-05
openSUSE openSUSE-SU-2011:0279-1 evince 2011-04-01
Gentoo 201701-57 t1lib 2017-01-24

Comments (none posted)

ffmpeg: denial of service

Package(s):ffmpeg CVE #(s):CVE-2009-4639
Created:April 4, 2011 Updated:July 18, 2011
Description: From the Mandriva advisory:

The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) via a crafted AVI file that triggers a divide-by-zero error.

Gentoo 201310-12 ffmpeg 2013-10-25
Mandriva MDVSA-2011:112 blender 2011-07-18
Mandriva MDVSA-2011:061 ffmpeg 2011-04-01
Mandriva MDVSA-2011:060 ffmpeg 2011-04-01
Mandriva MDVSA-2011:059 ffmpeg 2011-04-01
Mandriva MDVSA-2011:088 mplayer 2011-05-16

Comments (none posted)

ffmpeg: multiple vulnerabilities

Package(s):ffmpeg CVE #(s):CVE-2010-3908 CVE-2011-0480 CVE-2011-0722 CVE-2011-0723
Created:April 4, 2011 Updated:September 12, 2011
Description: From the Mandriva advisory:

Fix memory corruption in WMV parsing (CVE-2010-3908)

Multiple buffer overflows in vorbis_dec.c in the Vorbis decoder in FFmpeg, as used in Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted WebM file, related to buffers for (1) the channel floor and (2) the channel residue. (CVE-2011-0480)

Fix heap corruption crashes (CVE-2011-0722)

Fix invalid reads in VC-1 decoding (CVE-2011-0723)

Gentoo 201310-12 ffmpeg 2013-10-25
Debian DSA-2306-1 ffmpeg 2011-09-11
Mandriva MDVSA-2011:114 blender 2011-07-18
Mandriva MDVSA-2011:112 blender 2011-07-18
Ubuntu USN-1104-1 ffmpeg 2011-04-04
Mandriva MDVSA-2011:062 ffmpeg 2011-04-01
Mandriva MDVSA-2011:061 ffmpeg 2011-04-01
Mandriva MDVSA-2011:089 mplayer 2011-05-16

Comments (none posted)

glibc: multiple vulnerabilities

Package(s):glibc CVE #(s):CVE-2011-0536 CVE-2011-1071 CVE-2011-1095
Created:April 5, 2011 Updated:November 28, 2011
Description: From the Red Hat advisory:

The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536)

It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071)

It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker's, it could execute arbitrary code with the privileges of the script. (CVE-2011-1095)

Gentoo 201312-01 glibc 2013-12-02
Ubuntu USN-1396-1 eglibc, glibc 2012-03-09
Scientific Linux SL-glib-20120214 glibc 2012-02-14
Oracle ELSA-2012-0125 glibc 2012-02-14
CentOS CESA-2012:0125 glibc 2012-02-14
Red Hat RHSA-2012:0125-01 glibc 2012-02-13
Mandriva MDVSA-2011:178 glibc 2011-11-25
Pardus 2011-83 glibc 2011-06-03
CentOS CESA-2011:0412 glibc 2011-04-14
Red Hat RHSA-2011:0413-01 glibc 2011-04-04
Red Hat RHSA-2011:0412-01 glibc 2011-04-04

Comments (none posted)

kdelibs4: man-in-the-middle attack

Package(s):kdelibs4 CVE #(s):CVE-2011-1094
Created:April 4, 2011 Updated:June 21, 2011
Description: From the CVE entry:

kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702.

Gentoo 201406-34 kdelibs 2014-06-30
Pardus 2011-81 dovecot 2011-06-03
Pardus 2011-79 kdelibs 2011-05-11
Ubuntu USN-1110-1 kde4libs 2011-04-14
Mandriva MDVSA-2011:071 kdelibs4 2011-04-08
SUSE SUSE-SR:2011:006 apache2-mod_php5/php5, cobbler, evince, gdm, kdelibs4, otrs, quagga 2011-04-05
Ubuntu USN-1101-1 qt4-x11 2011-04-01
openSUSE openSUSE-SU-2011:0281-1 kdelibs4 2011-04-04
openSUSE openSUSE-SU-2011:0280-1 kdelibs4 2011-04-04
Red Hat RHSA-2011:0464-01 kdelibs 2011-04-21

Comments (none posted)

loggerhead: cross-site scripting

Package(s):loggerhead CVE #(s):CVE-2011-0728
Created:April 4, 2011 Updated:April 6, 2011
Description: From the CVE entry:

Cross-site scripting (XSS) vulnerability in in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view.

Fedora FEDORA-2011-4107 loggerhead 2011-03-25
Fedora FEDORA-2011-4085 loggerhead 2011-03-25

Comments (none posted)

logrotate: multiple vulnerabilities

Package(s):logrotate CVE #(s):CVE-2011-1098 CVE-2011-1154 CVE-2011-1155
Created:March 31, 2011 Updated:June 26, 2012

From the Red Hat advisory:

A shell command injection flaw was found in the way logrotate handled the shred directive. A specially-crafted log file could cause logrotate to execute arbitrary commands with the privileges of the user running logrotate (root, by default). Note: The shred directive is not enabled by default. (CVE-2011-1154)

A race condition flaw was found in the way logrotate applied permissions when creating new log files. In some specific configurations, a local attacker could use this flaw to open new log files before logrotate applies the final permissions, possibly leading to the disclosure of sensitive information. (CVE-2011-1098)

An input sanitization flaw was found in logrotate. A log file with a specially-crafted file name could cause logrotate to abort when attempting to process that file a subsequent time. (CVE-2011-1155)

Gentoo 201206-36 logrotate 2012-06-25
Ubuntu USN-1172-1 logrotate 2011-07-21
Pardus 2011-85 logrotate 2011-06-21
SUSE SUSE-SR:2011:010 postfix, libthunarx-2-0, rdesktop, python, viewvc, kvm, exim, logrotate, dovecot12/dovecot20, pure-ftpd, kdelibs4 2011-05-31
openSUSE openSUSE-SU-2011:0536-1 logrotate 2011-05-25
Fedora FEDORA-2011-3739 logrotate 2011-03-21
Mandriva MDVSA-2011:065 logrotate 2011-04-05
Red Hat RHSA-2011:0407-01 logrotate 2011-03-31

Comments (none posted)

otrs: arbitrary command execution

Package(s):otrs CVE #(s):CVE-2011-0456
Created:April 1, 2011 Updated:April 6, 2011
Description: From the openSUSE advisory:

Insufficient quoting of shell meta characters in otrs' could allow remote attackers to execute arbitrary commands.

SUSE SUSE-SR:2011:006 apache2-mod_php5/php5, cobbler, evince, gdm, kdelibs4, otrs, quagga 2011-04-05
openSUSE openSUSE-SU-2011:0278-1 otrs 2011-04-01

Comments (none posted)

php-doctrine-Doctrine: SQL injection

Package(s):php-doctrine-Doctrine CVE #(s):CVE-2011-1522
Created:April 4, 2011 Updated:April 21, 2011
Description: From the Doctrine advisory:

The security hole was found and affects the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery() function which does not cast input values for limit and offset to integer and allows malicious SQL to be executed if these parameters are passed into Doctrine 2 directly from request variables without previous cast to integer. Functionality building on top using limit queries in the ORM such as Doctrine\ORM\Query::setFirstResult() and Doctrine\ORM\Query::setMaxResults() are also affected by this security hole.

Fedora FEDORA-2011-4098 php-doctrine-Doctrine 2011-03-25
Debian DSA-2223-1 doctrine 2011-04-20

Comments (none posted)

xmlsec1: remote overwrite of arbitrary files

Package(s):xmlsec1 CVE #(s):CVE-2011-1425
Created:April 4, 2011 Updated:May 5, 2011
Description: From the Mandriva advisory:

xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification.

Gentoo 201412-09 racer-bin, fmod, PEAR-Mail, lvm2, gnucash, xine-lib, lastfmplayer, webkit-gtk, shadow, PEAR-PEAR, unixODBC, resource-agents, mrouted, rsync, xmlsec, xrdb, vino, oprofile, syslog-ng, sflowtool, gdm, libsoup, ca-certificates, gitolite, qt-creator 2014-12-11
Debian DSA-2219-1 xmlsec1 2011-04-18
Mandriva MDVSA-2011:063 xmlsec1 2011-04-04
CentOS CESA-2011:0486 xmlsec1 2011-05-05
CentOS CESA-2011:0486 xmlsec1 2011-05-05
Red Hat RHSA-2011:0486-01 xmlsec1 2011-05-04
Pardus 2011-73 xmlsec 2011-05-03

Comments (none posted)

xorg-x11: arbitrary command execution as root

Package(s):xorg-x11 CVE #(s):CVE-2011-0465
Created:April 6, 2011 Updated:June 13, 2011
Description: From the X.Org advisory:

By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb.

These specially crafted hostnames can occur in two environments:

  • Hosts that set their hostname via DHCP
  • Hosts that allow remote logins via xdmcp
Gentoo 201412-09 racer-bin, fmod, PEAR-Mail, lvm2, gnucash, xine-lib, lastfmplayer, webkit-gtk, shadow, PEAR-PEAR, unixODBC, resource-agents, mrouted, rsync, xmlsec, xrdb, vino, oprofile, syslog-ng, sflowtool, gdm, libsoup, ca-certificates, gitolite, qt-creator 2014-12-11
Fedora FEDORA-2011-4879 xorg-x11-server-utils 2011-04-06
CentOS CESA-2011:0432 xorg-x11 2011-04-19
Fedora FEDORA-2011-4871 xorg-x11-server-utils 2011-04-06
CentOS CESA-2011:0433 xorg-x11-server-utils 2011-04-14
SUSE SUSE-SA:2011:016 xorg-x11 2011-04-13
Slackware SSA:2011-096-01 xrdb 2011-04-12
Red Hat RHSA-2011:0433-01 xorg-x11-server-utils 2011-04-11
Red Hat RHSA-2011:0432-01 xorg-x11 2011-04-11
Debian DSA-2213-1 x11-xserver-utils 2011-04-08
Ubuntu USN-1107-1 x11-xserver-utils 2011-04-06
openSUSE openSUSE-SU-2011:0298-1 xorg-x11 2011-04-06
Mandriva MDVSA-2011:076 xrdb 2011-04-21

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds