Re: Insecurities in Non-exclusive Socket Binding

From: Oliver Friedrichs (oliver_friedrichs@symantec.com)
Date: 03/11/03

  • Next message: P. S.: "Dynamically Debugging for Security Bugs -- a useful tool ?"
    To: ndaw@mozart.cs.berkeley.edu (David Wagner)
    From: "Oliver Friedrichs" <oliver_friedrichs@symantec.com>
    Date: Tue, 11 Mar 2003 08:38:44 -0800
    
    

    Firosh Ummer wrote:
    >>Socket hijacking itself is not new - it has been cited in several sources
    >>on the net. What I find disturbing is how easy it is for an attacker to
    >>hijack a privileged connection and then insert privileged commands,
    >>running with very low privileges.

    >This is an old, old story. I remember reading many years ago about this
    >kind of attack on NFS. (NFS runs on port 2049.) You're right that it's
    >an issue, and I don't know of any perfect defense. But then, most Unices
    >are frankly not very secure against local privilege elevation attacks,
    >so I wouldn't rely too heavily on standard Unix distributions to prevent
    >non-root users from getting root anyway. (Maybe I'm alone in that last
    >sentiment.)

    This is true. In fact, I wrote a proof-of-concept NFS server in 1996 for
    this. It simply took over port 2049 for a brief period, and sent a
    setuid-root copy of /bin/sh over to the client system. Of course it
    wouldn't work if it was mounted nosuid, but in other cases, anyone
    executing the shell on the client that had a mounted filesystem from the
    server running the fake NFS server would become root.

    Oliver Friedrichs
    Sr. Manager - DeepSight
    Symantec, Inc.
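The port takeover the thread describes, as an added example that is not part of Oliver's, David Wagner's or Firosh Ummer's posts: two UDP sockets contend for one port, a wildcard-bound daemon standing in for the NFS server on 0.0.0.0:2049 (an unprivileged ephemeral port is used here so the script needs no root), and an attacker's socket bound to 127.0.0.1 with SO_REUSEADDR. The function names, the ephemeral port and the client payload are assumptions made for this illustration; the bind-conflict and delivery rules exercised are those of the Linux UDP stack, which is the assumption the results depend on.

```python
import errno
import select
import socket


def udp_socket(reuse_addr: bool) -> socket.socket:
    """Create a UDP socket, optionally marked SO_REUSEADDR (non-exclusive)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if reuse_addr:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    return sock


def who_receives(victim_reuse_addr: bool, timeout: float = 1.0) -> str:
    """Race a wildcard-bound "victim" daemon against a loopback-bound hijacker.

    The victim plays the privileged service listening on 0.0.0.0:<port>
    (port 2049 for the NFS server in the thread; an ephemeral port here).
    The hijacker, which needs no privileges at all, asks the kernel for the
    same port on 127.0.0.1 with SO_REUSEADDR set. A client then sends one
    datagram to 127.0.0.1:<port> and the function reports who got it:
      "hijacker"      the more specific binding won the delivery decision
      "victim"        the wildcard binding still received the datagram
      "bind-refused"  the kernel rejected the hijacker's bind (EADDRINUSE)
      "nobody"        nothing arrived within the timeout
    """
    victim = udp_socket(victim_reuse_addr)
    victim.bind(("0.0.0.0", 0))            # port 0: the kernel picks a free one
    port = victim.getsockname()[1]

    hijacker = udp_socket(reuse_addr=True)  # the attacker always asks for reuse
    try:
        hijacker.bind(("127.0.0.1", port))
    except OSError as exc:
        victim.close()
        hijacker.close()
        if exc.errno == errno.EADDRINUSE:
            return "bind-refused"
        raise

    client = udp_socket(reuse_addr=False)
    try:
        # Constructed stand-in for a client request; the payload is irrelevant.
        client.sendto(b"NFS-like request (constructed)", ("127.0.0.1", port))
        readable, _, _ = select.select([victim, hijacker], [], [], timeout)
        if not readable:
            return "nobody"
        winner = readable[0]
        winner.recvfrom(4096)               # drain it so nothing is left queued
        return "hijacker" if winner is hijacker else "victim"
    finally:
        client.close()
        victim.close()
        hijacker.close()


if __name__ == "__main__":
    print("daemon on 0.0.0.0 with SO_REUSEADDR    ->", who_receives(True))
    print("daemon on 0.0.0.0 without SO_REUSEADDR ->", who_receives(False))
```

On Linux the hijacker's bind succeeds only when both sockets carry SO_REUSEADDR, and once it succeeds the kernel delivers the datagram to the most specifically bound socket, so the hijacker wins every packet addressed to that interface. A daemon can close this particular door by not setting SO_REUSEADDR on its wildcard socket, or by binding each address it serves explicitly instead of 0.0.0.0. On BSD-derived stacks the conflict check, as I read the 4.4BSD in_pcbbind logic, looks only at SO_REUSEADDR on the new socket, so the same script shows the takeover even for a daemon that never opted into reuse; that is the non-exclusive binding the subject line refers to. Either way the script only decides which local socket gets the packet; it does not, and is not meant to, speak NFS.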

