MORE SSH Hacking: heads-up

Dave Rinker drinker at dsrtech.com
Thu Aug 12 23:59:23 UTC 2004


Funny to still see this thread running.

Your conversation about the su issue prompted me to look for an exploit.
Found this Linux "su" exploit that copies the passwords to /tmp/.tmp

The only problem is you'd have to get it there first.

http://packetstormsecurity.nl/groups/shadowpenguin/unix-tools/passwd_linux.c


Has anyone used my iptables suggestion with success?

On Thu, 2004-08-12 at 14:36, netmask wrote:
> > You know where this thread is coming from, what the starting point was.
> > It is exactly that, that obviously too many Linux admins believe that
> > Linux is secure by architecture or what else. It is obvious from my
> > investigations too, that the hackers/crackers get access to vulnerable
> > Linux hosts as unprivileged users and then using local exploits to
> > become root. I know, many Linux admins think local root exploits are
> > much less severe than remote root exploits. This is wrong and we now see
> > to what it leads, unfortunately.
> 
> Remote root is certainly nice.. however these days it is a lot more common to 
> gain access remotely via a process with drop'd privs.. You then have to find a 
> local exploit to escalate privileges.
> 
> Sometimes we get lucky and exploits in PHP come out where the exploit is 
> handled before privs are dropped.. and you get root. Other times in apache 
> exploits, you end up as the 'nobody' user.
> 
> However, I treat local vulnerabilities as seriously as remote. While it's 
> definitely the smart thing to do to put your processes in jails, and make sure 
> they aren't running as root.. It's just not possible to completely not run as 
> root while the stack requires root privs to bind ports under 1024, and a few 
> other reasons (device access, etc)..  Jails can be broken, etc.
> 
> The 'vulnerabilities' I don't worry about.. are things like the 'info' 
> overflow that came out last week on Bugtraq. Is your 'info' binary suid root? 
> Do you give people 'sudo info' ?  No.. Do I really care if someone injects 
> shellcode into their instance of info and drops to their own privs? not really.
> 
> But when you are talking about vulns in su, sudo, etc.. anything that is suid 
> on the system (On my server that doesn't run any X.. there is only a need for 
> 4 suid bins total).
> 
> blah blah blah, security is a process..  blah blah, etc etc.
> 
> :P
> 
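Added example, not code from this post or from netmask's reply: a small POSIX shell audit that lists every setuid/setgid file under a tree and flags any that are not on an explicit allowlist, which is the check behind "there is only a need for 4 suid bins total". The allowlist entries, the function names and the demo tree it scans are all constructed for the example; on a real host you would point it at / and supply the list of suid binaries you have actually decided you need.

```shell
#!/bin/sh
# Added example, not code from the thread: audit setuid/setgid files against
# an allowlist. The allowlist and the scanned tree are constructed for the demo.
set -u

# Paths (relative to the audited root) that are expected to be setuid/setgid.
# Constructed sample; a real list is whatever the admin has decided is needed.
ALLOWLIST='/bin/su
/usr/bin/sudo
/usr/bin/passwd'

# list_setuid ROOT: print every regular file under ROOT with the setuid (4000)
# or setgid (2000) bit set, as paths relative to ROOT, sorted.
# -xdev keeps the walk on one filesystem so /proc, NFS mounts etc. are skipped.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed "s|^$1||" | sort
}

# audit_setuid ROOT: print the setuid/setgid files under ROOT that are not on
# ALLOWLIST. Returns 0 when the tree is clean, 1 when something unexpected exists.
audit_setuid() {
    allow=$(mktemp)
    printf '%s\n' "$ALLOWLIST" > "$allow"
    # grep -v -x -F -f drops lines that exactly match an allowlist entry,
    # so whatever survives is a setuid/setgid file nobody signed off on.
    if list_setuid "$1" | grep -v -x -F -f "$allow"; then
        status=1
    else
        status=0
    fi
    rm -f "$allow"
    return "$status"
}

# --- constructed demo tree (stands in for "/" on a real host) ---------------
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/bin" "$DEMO_ROOT/usr/bin" "$DEMO_ROOT/tmp"
for f in bin/su usr/bin/sudo usr/bin/passwd usr/bin/vi usr/bin/extra tmp/.leftover; do
    : > "$DEMO_ROOT/$f"
done
chmod 4755 "$DEMO_ROOT/bin/su" "$DEMO_ROOT/usr/bin/sudo" "$DEMO_ROOT/usr/bin/passwd"
chmod 0755 "$DEMO_ROOT/usr/bin/vi"          # not setuid: must not be reported
chmod 4755 "$DEMO_ROOT/usr/bin/extra"       # setuid but not on the allowlist
chmod 4755 "$DEMO_ROOT/tmp/.leftover"       # setuid file left in a world-writable dir

echo "setuid/setgid files under $DEMO_ROOT not on the allowlist:"
audit_setuid "$DEMO_ROOT" || echo "audit: unexpected setuid/setgid binaries present"
```

Run it from cron and mail yourself any non-empty output; the allowlist is the part worth keeping under version control, since every entry on it is a binary whose local bugs (su, sudo and friends, as netmask says) are as serious as a remote hole.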