[nflug] Another reason to not use M$ products...

Mark Musone mmusone at shatterit.com
Thu Nov 3 15:51:52 EST 2005


Yes, but you need to keep in mind, a "login" is really _anything_ listening
to a port. Sure, ssh,telnet..etc..are direct user logins, which is always
the first thing to tighten down..

but along that are things like mysql. it's listening in on a network port.
if there is a remote exploit against mysql, they can theoretically (and
practically) run something on the local machine as that mysql user. What
will they run, why they'll run a little network daemon that gives them a
shell..that shell will of course be run as that user. so the general flow
would be this:

1. mysql exploit allows remote attacker to run arbitrary code as mysql user.
2. arbitrary code is a simple shell listening in on a port as mysql user.
3. remote attacker remotely connects to mysql network shell
4. remote attacker, now "logged in" as "mysql" runs local exploit to elevate
privileges.
5. got root...time to play.


Another example is a reverse shell, which php (specifically some php
bulletin boards and CMS software) is plagued by.

1. remote user goes to web page and submits specially crafted form data
2. php runs code, creates a shell and then ssh's TO the attacker's machine
(this gets around essentially ANY incoming firewall rules)
3. remote attacker now has a reverse shell into the machine as user "php",
"nobody", "apache"..etc..
4. local exploit to elevate privileges.
5. got Rewt??



So it's EXTREMELY important to be checking EVERY network service, not just
traditional remote shell services.

-Mark





-----Original Message-----
From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
Eric Benoit
Sent: Thursday, November 03, 2005 2:31 PM
To: nflug at nflug.org
Subject: Re: [nflug] Another reason to not use M$ products...

What if I did not allow any user to have a shell login (or false 
login)...would this help prevent the first which you described?


Mark Musone wrote:

>No, this is not true at all..
>
>Any remote exploit could allow a non-root user to access a Linux box. From
>there, a local exploit can be done, raising a user's level to root..This is
>actually a standard mechanism. 
>
>Although someone can gain direct root access by either a remote exploit in
>which the daemon runs as root, or a local exploit being done _as_ root, it
>is most commonly accomplished using the two-step process as described
>above.
>
>
>-Mark
>
>
>
>-----Original Message-----
>From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
>Eric Benoit
>Sent: Thursday, November 03, 2005 12:37 PM
>To: nflug at nflug.org
>Subject: Re: [nflug] Another reason to not use M$ products...
>
>So, you can only get root kits if you are logged in as root or someone 
>gains access to root, speaking of Linux not MS?
>_______________________________________________
>nflug mailing list
>nflug at nflug.org
>http://www.nflug.org/mailman/listinfo/nflug
>

_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug
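Mark's closing point, that every listening network service and the user it runs as needs checking, as an added example that is not from the thread: a small Python audit over constructed output in the column layout of `lsof -nP -iTCP -sTCP:LISTEN`. The service list and the EXPECTED policy are made-up assumptions for the example.

```python
"""Audit listening TCP services by owning user and bind address.
Input is the column layout of `lsof -nP -iTCP -sTCP:LISTEN`; the sample
below is constructed for this example, not captured from a real host."""
from collections import namedtuple

SAMPLE_LSOF = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812     root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
mysqld   1033    mysql   10u  IPv4  23456      0t0  TCP *:3306 (LISTEN)
apache2  1200     root    4u  IPv6  34567      0t0  TCP *:80 (LISTEN)
apache2  1201 www-data    4u  IPv6  34567      0t0  TCP *:80 (LISTEN)
cupsd    1310     root    8u  IPv4  45678      0t0  TCP 127.0.0.1:631 (LISTEN)
sh       2040    mysql    3u  IPv4  56789      0t0  TCP *:4444 (LISTEN)
"""

# Constructed policy: port -> users allowed to own a listener on it. The apache
# parent legitimately binds port 80 as root before its workers drop privileges.
EXPECTED = {22: {"root"}, 80: {"root", "www-data"}}
LOOPBACK = ("127.0.0.1", "[::1]", "localhost")

Listener = namedtuple("Listener", "command pid user host port")


def parse_listeners(text):
    """Parse lsof-style LISTEN lines (header skipped) into Listener records."""
    out = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[9] != "(LISTEN)":
            continue
        host, _, port = f[8].rpartition(":")  # "*:22", "127.0.0.1:631"
        out.append(Listener(f[0], int(f[1]), f[2], host, int(port)))
    return out


def audit(listeners, expected=EXPECTED):
    """Return (port, message) for every network-reachable listener not in the
    policy or owned by an unexpected user. Loopback-only listeners are skipped:
    the thread's concern is services a remote party can reach directly."""
    findings = []
    for l in listeners:
        if l.host in LOOPBACK:
            continue
        allowed = expected.get(l.port)
        if allowed is None:
            findings.append((l.port, f"{l.command} pid {l.pid} on {l.host}:{l.port} "
                             f"as '{l.user}': not an expected network service"))
        elif l.user not in allowed:
            findings.append((l.port, f"{l.command} pid {l.pid} on port {l.port} "
                             f"runs as '{l.user}', expected one of {sorted(allowed)}"))
    return findings
```

On the constructed sample the audit reports the mysqld listener (not in policy) and the shell bound to port 4444 as the mysql user, which is exactly the second step of the flow described in the thread, while the loopback-only cupsd and the root apache parent pass.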
