[mdlug] Linux root exploit
Joseph C. Bender
jcbender at bendorius.com
Mon Feb 11 08:50:37 EST 2008
Clinton V. Weiss wrote:
> I fully agree that this vulnerability is a big deal. But the exploiter has
> to do a couple of things first:
>
> 1) Circumvent physical security measures and have local access to your
> machine, and be able to log in to the machine.
> 2) Circumvent network security measures and be able to log into your machine
> remotely.
>
There's also a #3 here (and more, but the coffee hasn't kicked in yet,
and they're variations anyway). This is in the form of a vulnerable
public applications vector, which can and should be labeled as a
distinct category from #2, in that network security measures at the
layer 2 and layer 3 level won't do anything to protect.
A good example is a public facing webserver that *might* be pretty well
locked down, running as a non-priv'd user. It does, however, have one
little vulnerable script or executable that allows for the execution of
code as the local user, which, in and of itself might be a trivial
exploit with very few actual issues, but combine it with a privilege
escalation local exploit, get that code to run from that vulnerable
script, and hey presto, that little issue just got really nasty.
There are a couple of other nasty variations on this theme, including
tricking a legit user to execute the "local" exploit code via an email
attachment, URL, or some other "legitimate" vector (the MS ILOVEYOU virus
is a good example of this).
I'm not obviously sure what you mean by "network security measures" for
#2, but a lot of people treat that as "firewall/NAT/layer-2/layer-3".
To address everything through layer 7, a good IDS/IPS solution can and
should be integrated internally and externally on the network and the
attack signature updates done on a consistent and frequent basis, with
updates monitored for what they're now checking for.
For those reasons and a bunch of others, I really hate when an exploit
gets classified as "local" vs. "remote" and the local attack isn't
always seen as seriously as the remote exploit (I'm NOT saying, however,
that you're thinking this or seeing it that way). Attack vector
analysis is complex enough on any network with more than a few devices
and operating systems on it that you can't always see how code might end
up getting executed locally on a box.
--
Joseph Bender
Bendorius Consulting
P: 248-434-5580
F: 248-434-5581
jcbender at bendorius com
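An added example, not part of the list post and not taken from any real application, of the "one little vulnerable script" the post describes: a CGI-style handler that pastes a request parameter into a shell command line, next to a hardened version that allowlists the name, keeps the resolved path inside the document directory and passes argv as a list so no shell ever parses the parameter. The directory /var/www/files and all function names are constructed for the example; the last function checks the other half of the post's point, that the worker is not running as root in the first place.

```python
"""Vulnerable vs. hardened handling of a user-supplied filename in a
CGI-style script. Constructed example: FILES_DIR and every function name
here are hypothetical, not from any real web application."""
import os
import re
import subprocess
from pathlib import Path
from typing import List, Optional

FILES_DIR = Path("/var/www/files")  # hypothetical document directory
# One path component: alphanumerics, dot, dash, underscore; no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_command(filename: str) -> str:
    """The vulnerable pattern: the request parameter is dropped straight
    into a command line that a shell will parse. Any shell metacharacters
    in `filename` are interpreted with the web server user's privileges."""
    return f"cat {FILES_DIR}/{filename}"


def is_safe_filename(filename: str) -> bool:
    """Allowlist check. Rejects separators, quotes, spaces and '..'."""
    return bool(SAFE_NAME.fullmatch(filename))


def resolve_inside(base: Path, filename: str) -> Optional[Path]:
    """Return the resolved path only if it stays inside `base`
    (defends against traversal even if the allowlist were loosened)."""
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base.resolve())
    except ValueError:
        return None
    return candidate


def hardened_argv(filename: str, base: Path = FILES_DIR) -> Optional[List[str]]:
    """Hardened handler: validate, contain, then build argv as a list.
    Returns None when the request must be refused."""
    if not is_safe_filename(filename):
        return None
    target = resolve_inside(base, filename)
    if target is None:
        return None
    return ["cat", str(target)]


def run_hardened(filename: str, base: Path = FILES_DIR) -> Optional[bytes]:
    """Execute the hardened argv. shell=False is the default, so argv[1]
    reaches cat as a single argument and is never re-parsed by a shell."""
    argv = hardened_argv(filename, base)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, check=False).stdout


def running_unprivileged() -> bool:
    """Even a flawless script should not start at uid 0; a bug in a root
    worker needs no separate privilege escalation step."""
    return os.geteuid() != 0


if __name__ == "__main__":
    # Constructed request parameters: one legitimate, two hostile.
    for name in ("report.txt", "report.txt; id", "../etc/passwd"):
        print(repr(name), "->", hardened_argv(name))
```

The hardened handler refuses both hostile names before any process is spawned; the vulnerable one would hand the first hostile name to a shell intact. Dropping the shell entirely is the fix here, not escaping, because escaping rules differ between shells and are easy to get subtly wrong.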