Re: aide or tripwire

From: Kurt Seifried (bugtraq@seifried.org)
Date: 12/21/01


From: "Kurt Seifried" <bugtraq@seifried.org>
To: <focus-linux@securityfocus.com>
Date: Fri, 21 Dec 2001 14:26:15 -0700

Warning: long but informative.

Trusting your mounted CDROM for critical data may not be such a good idea.
If an attacker gets root, they can do funky things to subvert it to varying
degrees (depending on how careful you are).

> Rob 'Feztaa' Park wrote:
>
> > Or you could just set the file(s) immuteable flag with 'chattr -i', and
> > the file cannot be changed or deleted.
>
> If it can be set, it can be unset. On a CDROM it's on a read-only
> filesystem.

Actually, I can mount a writeable filesystem over the top of an arbitrary directory
(especially if you have the loopback filesystem enabled in the kernel or as a
loadable module =).

[root@bigstick root]# mount -t iso9660 /dev/cdrom /mnt/cdrom/

[root@bigstick root]# cd /mnt/cdrom/RedHat/RPMS/

[root@bigstick RPMS]# ls
4Suite-0.10.1-1.i386.rpm
a2ps-4.13b-13.i386.rpm
alchemist-0.16-3.i386.rpm
anacron-2.3-16.i386.rpm
anonftp-4.0-4.i386.rpm
apache-1.3.19-5.i386.rpm

[root@bigstick root]# cd ~

[root@bigstick root]# insmod loop
Using /lib/modules/2.4.9-13/kernel/drivers/block/loop.o

[root@bigstick root]# dd if=/dev/zero of=loopback-filesystem bs=1024 count=1024
1024+0 records in
1024+0 records out

[root@bigstick root]# losetup /dev/loop0 /root/loopback-filesystem

[root@bigstick root]# mkfs -t ext2 /dev/loop0
mke2fs 1.23, 15-Aug-2001 for EXT2 FS 0.5b, 95/08/09
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
128 inodes, 1024 blocks
51 blocks (4.98%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
128 inodes per group

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

[root@bigstick root]# mount -t ext2 /dev/loop0 /mnt/cdrom/RedHat/RPMS/

[root@bigstick root]# cd /mnt/cdrom/RedHat/RPMS/

[root@bigstick RPMS]# ls -la
total 15
drwxr-xr-x 3 root root 1024 Dec 19 21:35 .
drwxr-xr-x 4 root root 2048 Apr 8 2001 ..
drwxr-xr-x 2 root root 12288 Dec 19 21:35 lost+found
[root@bigstick RPMS]#

I would now rmdir lost+found and copy in all my "special" rpm files at this
point =). The same goes for a CDROM with a protected database on it (hint: use the
tripwire features to encrypt your database and keep the passphrase secret!
Also consider using a multiple-part passphrase shared among people so that no
single person can subvert it).

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
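The session above shows the mount table being changed underneath the integrity checker; the defender's counterpart is to check the mount table itself before trusting anything read from the CD. The following is an added example, not part of Kurt's post and not code from aide or tripwire. It parses lines in the `/proc/mounts` format (`device mountpoint fstype options dump pass`, kernel order, later entries shadowing earlier ones at the same path) and reports any filesystem mounted on top of, underneath or inside a mount point that is expected to hold a read-only `iso9660` medium, as well as the medium being absent or mounted read-write. The two mount tables are constructed to match the session, and the function names (`parse_mounts`, `find_shadowing_mounts`, `check_mount_table`) are this example's own.

```python
"""Flag mounts that shadow a trusted read-only medium (/proc/mounts format).

Added example: constructed sample data, hypothetical helper names.
"""
from typing import Dict, List, Tuple

# Constructed /proc/mounts table as it would look after the loopback session:
# an ext2 image on /dev/loop0 now sits inside the read-only iso9660 tree.
SAMPLE_MOUNTS = """\
/dev/hda2 / ext2 rw 0 0
none /proc proc rw 0 0
/dev/cdrom /mnt/cdrom iso9660 ro 0 0
/dev/loop0 /mnt/cdrom/RedHat/RPMS ext2 rw 0 0
"""

# Constructed table for the same machine before the loopback mount.
CLEAN_MOUNTS = """\
/dev/hda2 / ext2 rw 0 0
none /proc proc rw 0 0
/dev/cdrom /mnt/cdrom iso9660 ro 0 0
"""

Mount = Dict[str, object]
Finding = Tuple[str, str]


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts-style lines, preserving kernel order."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        device, mountpoint, fstype, options = fields[:4]
        # The kernel escapes spaces in mount paths as \040.
        mountpoint = mountpoint.replace("\\040", " ")
        mounts.append({
            "device": device,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return mounts


def _at_or_below(path: str, root: str) -> bool:
    """True if path equals root or is a path-component descendant of it."""
    if root == "/":
        return True
    return path == root or path.startswith(root.rstrip("/") + "/")


def find_shadowing_mounts(mounts: List[Mount],
                          trusted: Dict[str, str]) -> List[Finding]:
    """For each trusted mountpoint -> expected fstype, report anything that
    would make the files seen under it differ from the medium itself."""
    findings: List[Finding] = []
    for root, expected_fs in trusted.items():
        base_idx = next((i for i, m in enumerate(mounts)
                         if m["mountpoint"] == root
                         and m["fstype"] == expected_fs), None)
        if base_idx is None:
            findings.append((root, f"no {expected_fs} filesystem mounted here"))
            continue
        base = mounts[base_idx]
        if "ro" not in base["options"]:
            findings.append((root, f"{expected_fs} mounted read-write"))
        for i, m in enumerate(mounts):
            if i == base_idx or not _at_or_below(str(m["mountpoint"]), root):
                continue
            if m["mountpoint"] != root:
                where = "inside"          # nested mount hides part of the tree
            elif i > base_idx:
                where = "on top of"       # later entry at same path shadows it
            else:
                where = "underneath"      # hidden by the medium; still odd
            findings.append((str(m["mountpoint"]),
                             f"{m['fstype']} on {m['device']} mounted {where} {root}"))
    return findings


def check_mount_table(text: str, trusted: Dict[str, str]) -> List[Finding]:
    """Convenience wrapper: parse a mount table and run the check."""
    return find_shadowing_mounts(parse_mounts(text), trusted)


if __name__ == "__main__":
    # On a live system, read open("/proc/mounts").read() instead of the samples.
    for name, table in (("clean", CLEAN_MOUNTS), ("loopback", SAMPLE_MOUNTS)):
        hits = check_mount_table(table, {"/mnt/cdrom": "iso9660"})
        print(name, "->", hits or "OK")
```

Run it against the live `/proc/mounts` from a script that is itself stored outside any mount the attacker can replace; a root-level attacker can still hide a mount from `/proc`, so this check raises the bar rather than closing the gap, which is why the encrypted database and secret passphrase remain the stronger control.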


