LINUX.IE, website of the Irish Linux Users' Group
[ILUG] Porting MyDoom to Linux

Paul Jakma paul at clubi.ie
Wed Feb 4 01:46:21 GMT 2004


On Wed, 4 Feb 2004, Colm MacCarthaigh wrote:

> With a privilege escalation attempt, there's the luxury of having
> root to hide the steps if the attack is successful.

indeed.

> I doubt it, there are simply too many avenues to consider.
> LD_PRELOAD is a nice one, unlikely to be caught by even the
> majority of this list I'd say. Unless you're looking for it, it's
> always easy *then* ;)

But you must have access to the session being used. If you remotely 
compromise the account, you surely can not set LD_PRELOAD in another 
session (we're back to the fanatical admin who disables 
CAP_SYS_PTRACE here).

> > If we go back to the common case (CAP_SYS_PTRACE available, user who
> > doesn't fanatically check their environment after login) what if the
> > system used some kind of smartcard authentication? Eg, a
> > challenge/response smartcard (see safeword.com for an example of one 
> > with PAM support).

> You can still get root, simply get an alias, hacked shell or
> whatever to add some arguments to su (or similar) and then fake an
> error condition. Though yes, it makes it much harder.

Ok, so the fanatical admin:

- sets his shell to /bin/sh (making sure /etc/profile exists and does
not source any user owned files. bash apparently doesn't read
~/.bashrc if invoked as sh)

- removes CAP_SYS_PTRACE from the permitted and inherited sets very 
early on in boot (i.e. in init or before init runs) 

(hmm... shame you can't allow just root to have this capability)

That should remove most avenues if we presume it is the account which 
is compromised (not a session).

Add some kind of smartcard authentication for all accounts,
/including/ root, and you're there (?). (indeed, you could probably
retain CAP_SYS_PTRACE if you never used the static password to
authenticate to root, except for direct root logins (boot to single
user / console)).

> Highly recommended though, we've been using SecureID's for
> everything for some time now, and it's absolutely brilliant. The
> mental savings of not having to remember as many passwords are
> worth it alone.

Problem is they're expensive. Haven't found yet that it is supported by 
MIT krb5 either sadly. (Haven't looked that hard though).

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam at dishone.st
Fortune:
There was a phone call for you.
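As an added illustration (my code, not anything posted in the thread), here are the checks behind the "fanatical admin" list above, written so they can be run against captured text offline: whether CAP_SYS_PTRACE (capability bit 19) is still in a process's bounding set as reported by the CapBnd line of /proc/<pid>/status, which on current kernels is the per-process successor of the early-boot capability removal discussed; which files /etc/profile sources and whether any of them sit under a user's control; and whether LD_PRELOAD or /etc/ld.so.preload is in play. Run as a script on a Linux host it reads that host's live files.

```python
import os
import re

CAP_SYS_PTRACE = 19  # bit number of CAP_SYS_PTRACE in <linux/capability.h>

def cap_in_bounding_set(status_text, cap_bit=CAP_SYS_PTRACE):
    # Parse CapBnd from /proc/<pid>/status; a bit dropped from the bounding set cannot be regained.
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            return bool(mask & (1 << cap_bit))
    raise ValueError("no CapBnd line in status text")

_SOURCE_RE = re.compile(r"^\s*(?:\.|source)\s+(\S+)")

def sourced_files(profile_text):
    # Paths an sh startup file sources via '. path' or 'source path' (comment lines skipped).
    paths = []
    for line in profile_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _SOURCE_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths

def user_controllable(paths):
    # Sourced paths a user could influence: $HOME or ~ expansions, or anything under /home.
    return [p for p in paths
            if "$HOME" in p or p.startswith("~") or p.startswith("/home/")]

def preload_findings(environ, ld_so_preload_text=""):
    # LD_PRELOAD in the login environment, or entries in /etc/ld.so.preload:
    # either injects a library into every dynamically linked program the user runs.
    findings = []
    if environ.get("LD_PRELOAD"):
        findings.append("LD_PRELOAD=" + environ["LD_PRELOAD"])
    libs = [l.strip() for l in ld_so_preload_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    if libs:
        findings.append("/etc/ld.so.preload lists " + ", ".join(libs))
    return findings

if __name__ == "__main__":
    def read(path):
        return open(path).read() if os.path.exists(path) else ""
    print("CAP_SYS_PTRACE in bounding set:", cap_in_bounding_set(read("/proc/self/status")))
    print("user-controllable sources in /etc/profile:", user_controllable(sourced_files(read("/etc/profile"))))
    print("preload findings:", preload_findings(dict(os.environ), read("/etc/ld.so.preload")))
```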