Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

[Graeme Fowler <G.E.Fowler () lboro ac uk>]

On Tue, 2008-01-29 at 07:57 +0800, Eduardo Tongson wrote:
> You make it sound so easy to gain root. I am aware that the Linux
> kernel is not 100% guaranteed free from privilege escalation bugs. But
> it is very important to know the escalation vector. Given that the
> kernel used is fully updated and root SSH login dismissed do you know
> a way of getting root without an unknown kernel bug?

Nope. However, having spent several years in high-volume relatively
cheap bulk hosting, I can say with experience that if you permit
unrestricted PHP or CGI execution on your system then it's only a matter
of time before some customer uploads something with a hole so big you
could drive a bus through it. At that point, the bus becomes the local
user - whether the webserver user (in the case of PHP as a module, or
CGI with no privilege separation like suEXEC) or the hosted user (CGI or
PHP with a wrapper to change user, often used for accounting purposes as
well as privilege separation).

Once an unknown remote user is on your system, the glib comment I made
was "all bets are off - they're not root yet". I don't know what setuid
root scripts exist on the system in question, nor what other mods may
have been made which expose privilege escalation issues. I'm pointing
out what I believe could be a (the) likely attack vector, from
experience.

It could equally well be something else, but before we all run around
shouting that "the sky is falling" we should probably examine what we
do, or can, know first.

Graeme