Re: [LUG] budget cuts


On 21/10/10 18:45, Paul Sutton wrote:
> 
> Is there, if there is I don't know how to get root other than by logging
> in or using su sudo etc

The typical method is to get shell access as the owner of the Apache
process, which can be done if you can write "PHP" files, or via any of a
host of problems with third-party web application code. On well secured
systems a shell owned by the Apache user gives you fairly limited
access; typically you can mess up the dynamic website (or sites). One then
checks the kernel version, downloads someone else's exploit code, runs
it, and the "#" prompt appears.

Now they can install kernel modules that hide all the nasty code they
want to run from the system admin. I've seen boxes like this: they
change "ps" so you can't see the bad processes running, they change
"lsmod" so you can't see the bad kernel module installed, etc. Like a
virus-infested Windows box, the only meaningful option at that point is
to reinstall from trusted media.

The exploit code varies, but a number of similar types of exploit crop
up again and again: weaknesses in setuid executables (the current
exploit is a generic form of this), kernel bugs (often race conditions),
and exploiting symlinks to cause processes to inadvertently overwrite files.

The issue is not what you know, but what the bad guys know, versus the
holes that are left. Having seen how the bad guys work, I'm definitely
in the pro-active patching school. I don't want to leave code with known
weaknesses on my system (especially things like setuid executables),
because I know it will be used (if it can be) to escalate privileges if
and when the machine is compromised.

GNU/Linux may be more secure than many common MS Windows operating
systems, but the typical configurations most people run are not
especially secure.

The main reason I think is that the security expertise to make boxes
more secure is not widespread (I have a lot of system admin experience,
but limited knowledge of SELinux for example), and that there is a long
legacy of very bad practices (see Theo de Raadt on the X architecture)
which are not trivial to fix.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
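The post argues for not leaving setuid executables with known weaknesses on a box. An added example, not from the post or the list: a small POSIX shell audit that records the setuid/setgid executables on a filesystem with their mode and SHA-256, then reports anything new, changed or missing against that baseline. It assumes GNU find, stat, sha256sum and comm (a standard Linux userland); the directory layout used in the test is constructed.

```shell
#!/bin/sh
# Baseline and audit of setuid/setgid executables (added example, not
# the list's own tooling). Run list_setuid once on a freshly installed
# box, keep the output somewhere read-only, and re-run audit_setuid after
# every patch cycle: a privileged binary that appears, disappears or
# changes hash is something to explain.

# list_setuid ROOT
#   Prints one sorted line "mode sha256 path" per setuid/setgid regular
#   file under ROOT, staying on the same filesystem (-xdev).
list_setuid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")            # GNU stat: octal permission bits
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$mode" "$hash" "$f"
    done | LC_ALL=C sort                     # comm needs byte-order sorted input
}

# audit_setuid ROOT BASELINE
#   Compares the current list with BASELINE (a file written by
#   list_setuid). Returns 0 when nothing differs; otherwise prints each
#   difference prefixed with NEW-OR-CHANGED or MISSING and returns 1.
audit_setuid() {
    root="$1"; baseline="$2"
    tmp=$(mktemp)
    list_setuid "$root" > "$tmp"
    added=$(LC_ALL=C comm -13 "$baseline" "$tmp")    # only in current
    removed=$(LC_ALL=C comm -23 "$baseline" "$tmp")  # only in baseline
    rm -f "$tmp"
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/NEW-OR-CHANGED /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/MISSING /'
    return 1
}
```

A binary whose hash changes after a package upgrade shows up as one MISSING and one NEW-OR-CHANGED line for the same path, so the baseline should be regenerated once the upgrade has been checked.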