lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <442A5B50.9080806@securax.org>
Date: Wed, 29 Mar 2006 13:02:56 +0300
From: Javor Ninov <drfrancky@...urax.org>
To: "Steven M. Christey" <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Sudo tricks

If we have access to another user ~/ why installing root kit and not use
some trivial attack ? like path attack as example or clean exec ?
installing a root kit on monitored system will yell alarms. as i
previously said if we have access to another user ~/ we have full access
to all privileges that this user have.
the main issue here is how we get access to the user ~/

about the local virus ..
in the example given by the author we compromise the user A which have
sudo to root
if we have knowledge of the target system we can easily make automated
program that compromises other users accounts but .. /there is always
but/ in order to compromise other users we will need bigger privs than
the user that we attack or some system wide exploit /which is sort of
bigger privs/. then if we have those privs why bothering writing a
automated program and not compromise them at once ?

the only scenario that this is useful is if we have a user A which can
execute commands in the context of a user B which can execute commands
in context of root
in that case if we have a way to compromise user A's ~/ then we can make
some automated program that gathers information ,even have some
predefined logic about handling some commands enabled in /etc/sudoers,
 and then exploit it. but thats a very rare case.

p.s.
sudo to root without pass ... c'mon you have to be kidding me, right ?

Javor Ninov aka DrFrancky
drfrancky[shift + 2]securax.org
securitydot.net


Steven M. Christey wrote:
>> So, in other words, all you need in order to get root access is a
>> rootkit, your shell script, and root access? Ummm... I don't get it.
> 
> I was also confused by this.  However, one guess is that by
> compromising an unprivileged account and creating command aliases to
> run trojaned su and sudo programs, the attacker can hopefully gain
> access to another account, then another, etc.  By using these sudo
> "privilege chains" the attacker might eventually obtain root access.
> 
> This attack would be slightly virus-like in behavior, although local
> to the system.  And it might accomplish less, and more slowly, than if
> the attacker used some other means to determine the explicit su/sudo
> relationships and exploit them directly (e.g. sudo -l to list allowed
> commands?)  And this attack sounds like it's entirely dependent on
> whether or not such a chain even exists on the system.  Insert
> standard text about the likelihood of easier attack vectors here.
> 
> Just a guess, though.  Interesting notion of a local-only "virus" to
> compromise users on a multi-user system, although it seems like just
> another way to exploit trust relationships once you've gained access
> to a local account.
> 
> - Steve


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ