[nflug] root kits II

Frank Kumro fkumro at gmail.com
Fri Nov 4 10:24:14 EST 2005


I'm with Eric, this is very interesting.

On 11/4/05, Eric Benoit <ebenoit at hopevale.com> wrote:
> I am truly fascinated and need to know more, I can read stuff like this
> for hours, any suggestions?
>
> Mark Musone wrote:
>
> >Yes, but you need to keep in mind, a "login" is really _anything_ listening
> >to a port. Sure, ssh,telnet..etc..are direct user logins, which is always
> >the first thing to tighten down..
> >
> >but along that are things like mysql. it's listening in on a network port.
> >if there is a remote exploit against mysql, they can theoretically (and
> >practically) run something on the local machine as that mysql user. What
> >will they run, why they'll run a little network daemon that gives them a
> >shell..that shell will of course be run as that user. so the general flow
> >would be this:
> >
> >1. mysql exploit allows remote attacker to run arbitrary code as mysql user.
> >2. arbitrary code is a simple shell listening in on a port as mysql user.
> >3. remote attacker remotely connects to mysql network shell
> >4. remote attacker, now "logged in" as "mysql" runs local exploit to elevate
> >privileges.
> >5. got root...time to play.
> >
> >
> >Another example is a reverse shell, which php (specifically some php
> >bulletin boards and CMS software) is plagued by.
> >
> >1. remote user goes to web page and submits specially crafted form data
> >2. php runs code, creates a shell and then ssh's TO the attackers machine
> >(this gets around essentially ANY incoming firewall rules)
> >3. remote attacker now has a reverse shell into the machine as user "php",
> >"nobody", "apache"..etc..
> >4. local exploit to elevate privileges.
> >5. got Rewt??
> >
> >
> >
> >So it's EXTREMELY important to be checking EVERY network service, not just
> >traditional remote shell services.
> >
> >-Mark
> >
> >
> >
> >
> >
> >-----Original Message-----
> >From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
> >Eric Benoit
> >Sent: Thursday, November 03, 2005 2:31 PM
> >To: nflug at nflug.org
> >Subject: Re: [nflug] Another reason to not use M$ products...
> >
> >What if I did not allow any user to have a shell login (or false
> >login)...would this help prevent the first which you described?
> >
> >
> >Mark Musone wrote:
> >
> >
> >
> >>No, this is not true at all..
> >>
> >>Any remote exploit could allow a non-root user to access a Linux box. From
> >>there, a local exploit can be done, raising a users level to root..This is
> >>actually a standard mechanism.
> >>
> >>Although someone can gain direct root access by either a remote exploit in
> >>which the daemon runs as root, or a local exploit being done _as_ root, it
> >>is most commonly accomplished using the two-step process as described
> >>above.
> >>
> >>-Mark
> >>
> >>
> >>
> >>-----Original Message-----
> >>From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
> >>Eric Benoit
> >>Sent: Thursday, November 03, 2005 12:37 PM
> >>To: nflug at nflug.org
> >>Subject: Re: [nflug] Another reason to not use M$ products...
> >>
> >>So, you can only get root kits if you are logged in as root or someone
> >>gains access to root, speaking of Linux not MS?
> >>_______________________________________________
> >>nflug mailing list
> >>nflug at nflug.org
> >>http://www.nflug.org/mailman/listinfo/nflug
> >>
> >
>


--
Frank
Shenanigans!!
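Mark's point that every listening service is a "login" suggests a concrete check: inventory each listener, the user it runs as, and whether it is reachable from off-box. The script below is an added example, not code from anyone on the thread; the `ss -ltnp` and `ps -eo pid=,user=` output it parses is constructed sample data.

```python
import re

# Constructed sample of `ss -ltnp` output: one row per listening TCP socket.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1203,fd=21))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=1410,fd=4))
LISTEN  0       128     [::]:6000            [::]:*             users:(("Xorg",pid=977,fd=8))
"""
# Constructed sample of `ps -eo pid=,user=` output, used to map pid -> owning user.
PS_OUTPUT = """\
  812 root
 1203 mysql
 1410 www-data
  977 root
"""
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# Matches a LISTEN row: local address, port, program name and pid.
ROW = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_ps(text):
    """Map pid (int) -> user name from `ps -eo pid=,user=` output."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            users[int(parts[0])] = parts[1]
    return users

def inventory(ss_text, ps_text):
    """One dict per listener: where it is bound, what runs it, which user owns it,
    whether it is reachable beyond loopback, and whether compromise is root directly."""
    users = parse_ps(ps_text)
    rows = []
    for line in ss_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        addr, port, prog, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        user = users.get(pid, "?")
        rows.append({"addr": addr, "port": port, "prog": prog, "user": user,
                     "exposed": addr not in LOOPBACK,   # bound to more than loopback
                     "as_root": user == "root"})        # no local escalation step needed
    return rows

if __name__ == "__main__":
    for r in inventory(SS_OUTPUT, PS_OUTPUT):
        reach = "remote" if r["exposed"] else "loopback"
        print(f'{r["addr"]}:{r["port"]} {r["prog"]} user={r["user"]} reach={reach} root={r["as_root"]}')
```

Listeners flagged both exposed and root-owned are the ones where a single remote bug skips the local-exploit step in Mark's chain; the non-root ones still deserve the same patching discipline as sshd, which is the thread's point.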