[nflug] Rootkits

Josh Johnson joshj at linuxmail.org
Thu Nov 3 16:23:29 EST 2005


On Thu, 3 Nov 2005, Mark Musone wrote:

> Yes, but you need to keep in mind, a "login" is really _anything_ listening
> to a port. Sure, ssh,telnet..etc..are direct user logins, which is always
> the first thing to tighten down..
>
> but along that are things like mysql. it's listening in on a network port.
> if there is a remote exploit against mysql, they can theoretically (and
> practically) run something on the local machine as that mysql user. What
> will they run, why they'll run a little network daemon that gives them a
> shell..that shell will of course be run as that user. so the general flow
> would be this:
>
> 1. mysql exploit allows remote attacker to run arbitrary code as mysql user.
> 2. arbitrary code is a simple shell listening in on a port as mysql user.
> 3. remote attacker remotely connects to mysql network shell
> 4. remote attacker, now "logged in" as "mysql" runs local exploit to elevate
> privileges.
> 5. got root...time to play.
>
>
> Another example is a reverse shell, which php (specifically some php
> bulletin boards and CMS software) is plagued by.
>
> 1. remote user goes to web page and submits specially crafted form data
> 2. php runs code, creates a shell and then ssh's TO the attackers machine
> (this gets around essentially ANY incoming firewall rules)
> 3. remote attacker now has a reverse shell into the machine as user "php",
> "nobody", "apache"..etc..
> 4. local exploit to elevate privileges.
> 5. got Rewt??
>
>
>
> So it's EXTREMELY important to be checking EVERY network service, not just
> traditional remote shell services.
>
> -Mark
>

Well, I understand the theory of breaking into a system. But in reality
is it so easy? I've tried to (maliciously) become root on my computer
countless times without success. Not that I'm an 31337 h4x0rz, but I
figure I'd have the upper hand since I have the advantage of knowing my
way around my system already.

-JoshJ
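Both chains Mark describes leave the same footprint in the socket table: a service account (mysql, apache, nobody) listening on a port it never needed, or opening a connection outbound to somewhere it never talks to. The following is an added example, not code from the thread, that audits a set of socket records for those two signs; the Sock record layout, the EXPECTED allowlist and the sample records are assumptions constructed for the example.

```python
"""Flag service-account sockets that do not match the expected picture.

Records are constructed for this example; on a real host they would be
built from `ss -tnpe` or /proc/net/tcp plus the owning process's uid."""
from dataclasses import dataclass

# Assumed allowlist: ports each service account may listen on, and remote
# ports it is allowed to connect out to (mysql never connects out at all).
EXPECTED = {
    "mysql": {"listen": {3306}, "outbound": set()},
    "apache": {"listen": {80, 443}, "outbound": {3306}},
    "nobody": {"listen": set(), "outbound": set()},
}
# A daemon account should never hold a socket through one of these.
SHELLS = {"sh", "bash", "dash", "nc", "ncat", "socat"}

@dataclass(frozen=True)
class Sock:
    user: str    # account owning the process
    state: str   # "LISTEN" or "ESTAB"
    lport: int   # local port
    peer: str    # remote address ("*" for listeners)
    pport: int   # remote port (0 for listeners)
    comm: str    # process name

def audit(socks):
    """Return (severity, message) findings; an empty list means clean."""
    findings = []
    for s in socks:
        rules = EXPECTED.get(s.user)
        if rules is None:
            continue  # not a service account we track (root, real users)
        if s.comm in SHELLS:
            findings.append(("high", f"{s.user}: shell {s.comm} holds a socket "
                                     f"({s.state} :{s.lport} -> {s.peer}:{s.pport})"))
        elif s.state == "LISTEN" and s.lport not in rules["listen"]:
            findings.append(("high", f"{s.user}: unexpected listener on {s.lport} ({s.comm})"))
        elif s.state == "ESTAB" and s.lport not in rules["listen"]:
            # local port is not a service port, so this connection was initiated by us
            if s.pport not in rules["outbound"]:
                findings.append(("high", f"{s.user}: outbound to {s.peer}:{s.pport} ({s.comm})"))
    return findings

SAMPLE = [  # constructed records: four normal, two matching Mark's chains
    Sock("mysql", "LISTEN", 3306, "*", 0, "mysqld"),
    Sock("apache", "LISTEN", 80, "*", 0, "httpd"),
    Sock("apache", "ESTAB", 80, "198.51.100.7", 51234, "httpd"),  # accepted client
    Sock("apache", "ESTAB", 41022, "127.0.0.1", 3306, "httpd"),   # web -> db, allowed
    Sock("mysql", "LISTEN", 4444, "*", 0, "sh"),                  # chain 1, step 2
    Sock("apache", "ESTAB", 39870, "203.0.113.9", 22, "sh"),      # chain 2, reverse shell
]

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE):
        print(sev, msg)
```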


>
>
>
>
> -----Original Message-----
> From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
> Eric Benoit
> Sent: Thursday, November 03, 2005 2:31 PM
> To: nflug at nflug.org
> Subject: Re: [nflug] Another reason to not use M$ products...
>
> What if I did not allow any user to have a shell login (or false
> login)...would this help prevent the first which you described?
>
>
> Mark Musone wrote:
>
>> No, this is not true at all..
>>
>> Any remote exploit could allow a non-root user to access a Linux box. From
>> there, a local exploit can be done, raising a users level to root..This is
>> actually a standard mechanism.
>>
>> Although someone can gain direct root access by either a remote exploit in
>> which the daemon runs as root, or a local exploit being done _as_ root, it
>> is most commonly accomplished using the two-step process as described
> above.
>>
>>
>> -Mark
>>
>>
>>
>> -----Original Message-----
>> From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
>> Eric Benoit
>> Sent: Thursday, November 03, 2005 12:37 PM
>> To: nflug at nflug.org
>> Subject: Re: [nflug] Another reason to not use M$ products...
>>
>> So, you can only get root kits if you are logged in as root or someone
>> gains access to root, speaking of Linux not MS?
>>
>
>
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug


