On Tue, Feb 03, 2004 at 09:34:47AM -0800, Rick Moen wrote:
> Don't just say "local root escalation".)
Why not? Local root escalation is relatively trivial, especially
if you assume a user capable of even trying to open an attachment
in such a manner. There need not be a local vulnerability either.
The easiest method is generally to alias commands like su to functional
equivelants which proxy the root password, store it somewhere useful
and abuse it later. Yes, many of these programs have safeguards such
as insisting input is a tty, but that's trivial to workaround - using
such complicated techniques as pretending the password they input
was mis-typed.
colmmacc at samhain:~$ su
Password:
su: Authentication failure
Sorry.
Unless I'm thinking about it, how do I know that that's /bin/su ?
How do I know it's not a silly little script which just saved my root
password and next I run it will juxt "exec /bin/su" ? Am I that
confident I hit all the right keys? Would I give it more than 2
seconds thought.
If you compromise a users account, and they have root, it won't
take long to get it - no matter how well maintained the system is.
Replace su with your other favourite root-getting utility, or
replace the attach with just monitoring their terminal, and so on.
--
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
