--On Tuesday, January 29, 2008 08:39:04 +0000 Graeme Fowler
<G.E.Fowler (at) lboro.ac (dot) uk [email concealed]> wrote:
>
> Once an unknown remote user is on your system, the glib comment I made
> was "all bets are off - they're not root yet". I don't know what setuid
> root scripts exist on the system in question, nor what other mods may
> have been made which expose privilege escalation issues. I'm pointing
> out what I believe could be a (the) likely attack vector, from
> experience.
>
> It could equally well be something else, but before we all run around
> shouting that "the sky is falling" we should probably examine what we
> do, or can, know first.
>
Just to buttress what Graeme is saying, the problem is two-fold. You not only
have an unwanted visitor in your system, but you also have an unwanted visitor
on your *network*. So you have two risks - the visitor can find a local
privilege escalation that works and the visitor can discover all your assets
and find weaknesses in any of them to exploit.
It's been my experience that local privilege escalation is often thought of as
less dangerous than remote privilege escalation. The only difference between
the two is from where the attacker has to start. Once he's in, as Graeme says,
all bets are off. It's purely a matter of time before something gets
exploited, even if it's only password sniffing that leads to root. All it
takes is for one person to type their password on the cli (e.g. mysql -u root
-p foo), and the password is sitting in plain text in the logfiles.
--
Paul Schmehl (pauls (at) utdallas (dot) edu [email concealed])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
<G.E.Fowler (at) lboro.ac (dot) uk [email concealed]> wrote:
>
> Once an unknown remote user is on your system, the glib comment I made
> was "all bets are off - they're not root yet". I don't know what setuid
> root scripts exist on the system in question, nor what other mods may
> have been made which expose privilege escalation issues. I'm pointing
> out what I believe could be a (the) likely attack vector, from
> experience.
>
> It could equally well be something else, but before we all run around
> shouting that "the sky is falling" we should probably examine what we
> do, or can, know first.
>
Just to buttress what Graeme is saying, the problem is two-fold. You not only
have an unwanted visitor in your system, but you also have an unwanted visitor
on your *network*. So you have two risks - the visitor can find a local
privilege escalation that works and the visitor can discover all your assets
and find weaknesses in any of them to exploit.
It's been my experience that local privilege escalation is often thought of as
less dangerous than remote privilege escalation. The only difference between
the two is from where the attacker has to start. Once he's in, as Graeme says,
all bets are off. It's purely a matter of time before something gets
exploited, even if it's only password sniffing that leads to root. All it
takes is for one person to type their password on the cli (e.g. mysql -u root
-p foo), and the password is sitting in plain text in the logfiles.
--
Paul Schmehl (pauls (at) utdallas (dot) edu [email concealed])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
[ reply ]