[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0309241526250.24001@cia.zemos.net>
From: booger at unixclan.net (security snot)
Subject: OpenSSH again - not really.
Surely you must be joking? You're sounding sillier that Marty, when he
claimed that Sourcefire.com boxes couldn't have been compromised from his
shellbox, when people logged in to his corporate network from the
compromised server.
Do you honestly think privsep lets you get away with the "don't worry"
state of mind?
http://www.phrack.org/phrack/60/p60-0x06.txt
So, after reading that, how confident are you with mechanisms like
privsep? Is an "unprivilaged" jail'd/chroot'd environment really going to
let your box stay secure? Do you think that not having access to write to
the filesystem will prevent code from being run that will hand over
instant root access? If so you haven't seen COREST's patented
implementation of rpc/mosix, or really understand the idea that
"shellcode" isn't limited to simple tasks like executing a shell.
Which leads me to believe, you don't really know what you're talking
about.
So, what prevents that from happening? Please don't say systrace; you'll
only look like more of an idiot. So, maybe, do say systrace so the rest
of us can sit back and laugh at you. At least, those of us who are clued.
Also, even if something like systrace did work, how does that prevent
other types of lesser-known bugs from being abused to gain further access
to the system, such as various hardware flaws[1]?
They don't.
So, go ahead and tell people PUT THEIR FUCKING FAITH IN OPENBSD (AND
THEIR SUPERSECURESHELL) THE PROACTIVELY SECURE OPERATING SYSTEM WITH ONLY
FOUR REMOTE ROOT HOLES PUBLISHED IN ONE WEEK and to NOT WORRY BE HAPPY
PRIVSEP WILL SAVE YOU.
You're one of those people who won't update right away, because you think
you've got some magical window of time to do so, before unskilled
scriptkids figure out how to write an exploit for a publically disclosed
bug (general turnaround is a few days before the official release, since
they're all on the CERT and atstake lists - run by other geniuses such as
yourself).
Of course, you're also likely one that thinks patching is proactive
anyways, since you don't understand that vulnerabilities such as the
recent buffer mismanagment bug in OpenSSH have been abused widely in the
wild for nearly a year.
Then again, I'm sure privsep saved your life more than once. More likely
you're the kind of guy who got hacked because you had sadmind running on a
Solaris box somewhere, and didn't bother to read the manpage that
explained that you need to reconfigure it to a more secure setting to
avoid the issue recently brought back into light by iDefense.
- booger
[1] There has been research by multiple entities concerning the abuse of
hardware bugs and their ramifications in terms of host exploitation. Due
to my NDA, and my pledge to friends who have done similar research, I
cannot discuss any details concerning the matter, so just go ahead and
ignore me and claim that statement was some sort of trolling attempt.
-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------
On Tue, 23 Sep 2003, Kurt Seifried wrote:
> It looks possibly exploitable, but it needs privsep disabled. Many vendors
> now enable privsep by default (in my opinion if a vendor does not or can not
> enable privsep by default they have a misconfigured/broken OpenSSH package).
> The workaround is pretty trivial, make sure the following line occurs in
> your sshd config file:
>
> UsePrivilegeSeparation yes
>
> On recent Red Hat Linux versions and many others this is the default. You
> can check that privsep is working, log in via ssh and do a process listing,
> for each ssh connection you should see a pair of processes:
>
> root 32624 0.0 0.1 6752 1916 ? S 16:06 0:00
> /usr/sbin/sshd
> seifried 32626 0.0 0.2 6776 2156 ? R 16:06 0:00
> /usr/sbin/sshd
>
> or
>
> root 28354 0.0 0.1 372 1008 ?? Is 3:43PM 0:00.03 sshd:
> seifried [priv] (sshd)
> seifried 15019 0.0 0.1 416 912 ?? S 3:43PM 0:00.85 sshd:
> seifried@...p0 (sshd)
>
> As opposed to just one process running as root. Use privsep, be happy, don't
> worry.
>
> Kurt Seifried, kurt@...fried.org
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists