Re: MORE SSH Hacking: heads-up

Funny to still see this thread running.

Your conversation about the su issue prompted me to look for an exploit.
Found this Linux "su" exploit that copies the passwords to /tmp/.tmp

The only problem is you'd have to get it there first.

http://packetstormsecurity.nl/groups/shadowpenguin/unix-tools/passwd_linux.c

Has anyone used my iptables suggestion with success?

On Thu, 2004-08-12 at 14:36, netmask wrote:
> > You know where this thread is coming from, what the starting point was.
> > It is exactly that, that obviously too much Linux admins believe that
> > Linux is secure by architecture or what else. It is obvious from my
> > investigations too, that the hackers/crackers get access to vulnerable
> > Linux hosts as unprivileged users and then using local exploits to
> > become root. I know, many Linux admins think local root exploits are
> > much less severe than remote root exploits. This is wrong and we now see
> > to what it leads, unfortunately.
> 
> Remote root is certainly nice.. however these days it is a lot more common to
> gain access remotely via a process with dropped privs.. You then have to find a
> local exploit to escalate privileges.
>
> Sometimes we get lucky and exploits in PHP come out where the exploit is
> handled before privs are dropped.. and you get root. Other times in Apache
> exploits, you end up as the 'nobody' user.
>
> However, I treat local vulnerabilities as seriously as remote. While it's
> definitely the smart thing to do to put your processes in jails, and make sure
> they aren't running as root.. It's just not possible to completely not run as
> root while the stack requires root privs to bind ports under 1024, and a few
> other reasons (device access, etc)..  Jails can be broken, etc.
>
> The 'vulnerabilities' I don't worry about.. are things like the 'info'
> overflow that came out last week on Bugtraq. Is your 'info' binary suid root?
> Do you give people 'sudo info'?  No.. Do I really care if someone injects
> shellcode into their instance of info and drops to their own privs? Not really.
>
> But when you are talking about vulns in su, sudo, etc.. anything that is suid
> on the system (On my server that doesn't run any X.. there is only a need for
> 4 suid bins total).
>
> blah blah blah, security is a process..  blah blah, etc etc.
>
> :P
> 
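netmask's point above is that the set-id binaries on a host are the local attack surface that matters, and that a server without X needs only a handful of them. The script below is an added example (not code from this thread) that lists every setuid/setgid file under a tree and reports the ones missing from an allowlist you have reviewed; it assumes GNU find (for -printf) and an allowlist file of full paths, one per line.

```shell
#!/bin/sh
# Audit set-id binaries: list them, then flag any not on a reviewed allowlist.
# Added example for this thread; assumes GNU find. The allowlist contents are
# a placeholder you fill with the few binaries your host genuinely needs.

# list_setuid DIR
# Prints each regular file under DIR (same filesystem only) with the setuid
# or setgid bit set, as "octal-mode owner path", sorted by mode then path.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null | sort
}

# check_setuid DIR ALLOWLIST_FILE
# Prints the path of every set-id file under DIR that is not an exact line
# in ALLOWLIST_FILE. Returns 0 if nothing unexpected was found, 1 otherwise.
check_setuid() {
    unexpected=$(list_setuid "$1" | while read -r mode owner path; do
        # -x: whole-line match, -F: literal, so /usr/bin/su does not match
        # an allowlist entry for /usr/bin/sudo.
        grep -qxF "$path" "$2" || printf '%s\n' "$path"
    done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Typical use on a real host (uncomment to run):
# list_setuid /usr > /root/setid-baseline.txt      # review, then trim to the
#                                                  # allowlist you really need
# check_setuid /usr /root/setid-allowlist.txt      # run from cron; non-zero
#                                                  # exit means a new set-id file appeared
```

Run the check from cron and alert on a non-zero exit: a set-id file that was not there at the last review is exactly the kind of change the thread is worried about.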
