Re: LOGWATCH EXPLOIT ROOT COMPROMISE
From: jon schatz (jon@divisionbyzero.com)
Date: 03/29/02
- In reply to: Bailey Kong: "LOGWATCH EXPLOIT ROOT COMPROMISE"
From: jon schatz <jon@divisionbyzero.com>
To: Bailey Kong <bailey@tgpsolutions.com>
Date: 29 Mar 2002 10:00:29 -0800
On Thu, 2002-03-28 at 22:14, Bailey Kong wrote:
> the current work around i got was to chattr +i /etc/passwd
>
> that makes it so /etc/passwd can't be modified, if and when you need to add
> a user you can simply do chattr -i /etc/passwd
that's absolutely pointless under linux. the exploit allows you to
execute arbitrary code as root. making the passwd file immutable only
adds one more step:
ln -s $SCRIPTDIR'`chattr =i /etc/passwd; cd etc;chmod 666 passwd #`'
/tmp/logwatch.$2/cron
etc.
in *BSD you have to drop the security level to 0 or below to change an
immutable flag, which (usually) drops you out of multiuser mode, so that
it's difficult (although not impossible) for a remote user to make the
change. so a console user could use this exploit, although usually
having console access means you can get root anyway (boot in single user
mode, use a boot disk/cd and mount the drive from a different os, steal
the hd and mount it elsewhere, etc).
-jon
--
jon@divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."