Security Incidents mailing list archives
Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition
From: Graeme Fowler <G.E.Fowler () lboro ac uk>
Date: Tue, 29 Jan 2008 08:39:04 +0000
On Tue, 2008-01-29 at 07:57 +0800, Eduardo Tongson wrote:
You make it sound so easy to gain root. I am aware that the Linux kernel is not 100% guaranteed free from privilege escalation bugs. But it is very important to know the escalation vector. Given that the kernel used is fully updated and root SSH login dismissed do you know a way of getting root without an unknown kernel bug?
Nope. However, having spent several years in high-volume relatively cheap bulk hosting, I can say with experience that if you permit unrestricted PHP or CGI execution on your system then it's only a matter of time before some customer uploads something with a hole so big you could drive a bus through it. At that point, the bus becomes the local user - whether the webserver user (in the case of PHP as a module, or CGI with no privilege separation like suEXEC) or the hosted user (CGI or PHP with a wrapper to change user, often used for accounting purposes as well as privilege separation). Once an unknown remote user is on your system, the glib comment I made was "all bets are off - they're not root yet". I don't know what setuid root scripts exist on the system in question, nor what other mods may have been made which expose privilege escalation issues. I'm pointing out what I believe could be a (the) likely attack vector, from experience. It could equally well be something else, but before we all run around shouting that "the sky is falling" we should probably examine what we do, or can, know first. Graeme
Current thread:
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition, (continued)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition dxp (Jan 24)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Ronald van der Westen (Jan 25)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition dxp2532 (Jan 25)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Cedric Blancher (Jan 25)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Jeff Plewes (Jan 28)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Paul Schmehl (Jan 28)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Jeff Plewes (Jan 28)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Gary Baribault (Jan 28)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Graeme Fowler (Jan 28)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Eduardo Tongson (Jan 28)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Graeme Fowler (Jan 29)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Paul Schmehl (Jan 29)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Ronald van der Westen (Jan 25)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Valdis . Kletnieks (Jan 29)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Eduardo Tongson (Jan 30)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Graeme Fowler (Jan 30)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Jason Stelzer (Jan 30)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Eduardo Tongson (Jan 31)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Jamie Riden (Jan 31)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Eduardo Tongson (Jan 31)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition dxp (Jan 24)
- Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Eduardo Tongson (Jan 28)