[nflug] root kits II

Eric Benoit ebenoit at hopevale.com
Fri Nov 4 09:21:05 EST 2005


I am truly fascinated and need to know more; I can read stuff like this 
for hours. Any suggestions?

Mark Musone wrote:

>Yes, but you need to keep in mind, a "login" is really _anything_ listening
>to a port. Sure, ssh,telnet..etc..are direct user logins, which is always
>the first thing to tighten down..
>
>but along that are things like mysql. it's listening in on a network port.
>if there is a remote exploit against mysql, they can theoretically (and
>practically) run something on the local machine as that mysql user. What
>will they run, why they'll run a little network daemon that gives them a
>shell..that shell will of course be run as that user. so the general flow
>would be this:
>
>1. mysql exploit allows remote attacker to run arbitrary code as mysql user.
>2. arbitrary code is a simple shell listening in on a port as mysql user.
>3. remote attacker remotely connects to mysql network shell
>4. remote attacker, now "logged in" as "mysql" runs local exploit to elevate
>privileges.
>5. got root...time to play.
>
>
>Another example is a reverse shell, which php (specifically some php
>bulletin boards and CMS software) is plagued by.
>
>1. remote user goes to web page and submits specially crafted form data
>2. php runs code, creates a shell and then ssh's TO the attackers machine
>(this gets around essentially ANY incoming firewall rules)
>3. remote attacker now has a reverse shell into the machine as user "php",
>"nobody", "apache"..etc..
>4. local exploit to elevate privileges.
>5. got Rewt??
>
>
>
>So it's EXTREMELY important to be checking EVERY network service, not just
>traditional remote shell services.
>
>-Mark
>
>
>
>
>
>-----Original Message-----
>From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
>Eric Benoit
>Sent: Thursday, November 03, 2005 2:31 PM
>To: nflug at nflug.org
>Subject: Re: [nflug] Another reason to not use M$ products...
>
>What if I did not allow any user to have a shell login (or false 
>login)...would this help prevent the first which you described?
>
>
>Mark Musone wrote:
>
>  
>
>>No, this is not true at all..
>>
>>Any remote exploit could allow a non-root user to access a Linux box. From
>>there, a local exploit can be done, raising a user's level to root. This is
>>actually a standard mechanism. 
>>
>>Although someone can gain direct root access by either a remote exploit in
>>which the daemon runs as root, or a local exploit being done _as_ root, it
>>is most commonly accomplished using the two-step process as described
>>above.
>>
>
>>-Mark
>>
>>
>>
>>-----Original Message-----
>>From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
>>Eric Benoit
>>Sent: Thursday, November 03, 2005 12:37 PM
>>To: nflug at nflug.org
>>Subject: Re: [nflug] Another reason to not use M$ products...
>>
>>So, you can only get root kits if you are logged in as root or someone 
>>gains access to root, speaking of Linux not MS?
>

_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug
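The thread's point is that every listening service is a potential "login" and that the account it runs as decides what an intruder starts with. The script below is an added example, not code from the thread or the list: it audits a snapshot in /proc/net/tcp layout, reports each listening TCP port with the uid that owns the socket, and flags the root-owned ones so they can be reviewed first. The snapshot is constructed; on a live Linux host pass /proc/net/tcp itself.

```shell
#!/bin/sh
# Added example: list listening TCP sockets and the uid that owns each,
# from a file in /proc/net/tcp layout (sl local rem st txq:rxq tr:when retrnsmt uid ...).

# list_listeners FILE -> lines of "PORT UID FLAG", sorted by port,
# where FLAG is "root" when uid 0 owns the listening socket, else "-".
list_listeners() {
    awk 'NR > 1 && $4 == "0A" {
        # local_address is HEXIP:HEXPORT; decode the port from hex
        split($2, a, ":")
        port = 0
        n = length(a[2])
        for (i = 1; i <= n; i++) {
            c = tolower(substr(a[2], i, 1))
            port = port * 16 + index("0123456789abcdef", c) - 1
        }
        flag = ($8 == 0) ? "root" : "-"
        printf "%d %d %s\n", port, $8, flag
    }' "$1" | sort -n
}

# Constructed snapshot: a root-owned listener on 22, a uid-27 (mysql-style)
# listener on 3306, a root-owned listener on 8080, and one established
# connection (state 01) that must be ignored.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:C350 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000    27        0 12348 1 0000000000000000 100 0 0 10 0
EOF

list_listeners "$SAMPLE"
```

Any port reported with the "root" flag is a daemon whose remote compromise skips the local-escalation step the thread describes, so those are the services to drop privileges on or remove first.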


