Re: what a malicious local user can do using "nobody"'s privilege?

From: Jon Hart (warchild_at_spoofed.org)
Date: 09/29/03

    Date: Mon, 29 Sep 2003 12:30:24 -0400
    To: Rick Zhong <isc00801@nus.edu.sg>
    
    

    On Sun, Sep 28, 2003 at 02:46:07AM +0800, Rick Zhong wrote:
    > Hello all,
    >
    > i am reading something about this vulnerability (bugtraqid 8561) which lift
    > normal local user to have the nobody user privilege. Just wondering what
    > exactly can this nobody do? (to hurt the system)
    >
    > Looks like nobody does not have much privilege and i can only find the
    > "locate" db is owned by "nobody" on my freebsd box. Besides this what other
    > things which a malicious local user can do only when he got the nobody
    > privilege? thanks.

    A couple things come to mind, most of which apply to all UNIX variants:

    * Use a local exploit to elevate my privileges further. Many
      administrators take great care to stay up-to-date on outward-facing
      services, but oftentimes fail to patch local issues, and attackers
      count on this. For example, at least some of the exploit code being
      used in the wild to exploit old Apache + OpenSSL servers did exactly
      this. Once uid={nobody,apache,www} was achieved, the code sucked down
      a local root ptrace exploit. Game over.

    * Attack other systems. This machine will likely have a world writable
      /tmp, so an attacker with uid=nobody can squirrel all his tools away
      there and attack as needed.

    * Abuse incorrect file permissions for possible further privilege
      escalation or destruction. I can't count the number of machines I've
      encountered where all of the webroot is owned by uid=nobody. If that
      is the case, an attacker could easily deface the site, or worse. A
      simple `find / -user nobody -o -group nogroup` (or whatever it is on
      your system) will tell you what resources to attack.

    * Kill processes owned by uid=nobody. For apache, this really isn't a
      huge issue because you won't be able to (easily) kill the process that
      is bound to port 80, so new children will always be spawned and
      requests will be served eventually. However, a `while (true); do
      killall httpd; done` could get pretty annoying to an administrator
      after a while. Plus, on larger systems which might have multiple
      daemons run by nobody, this could get ugly.

    There are probably many other variants that I may have missed, but these
    are a pretty good start.

    Good luck,

    -jon
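The enumeration Jon describes (files owned by the low-privilege uid, world-writable directories where tools can be stashed, processes the uid may signal) can be scripted as a quick audit. The following is an added example, not code from Jon Hart's post or from the Security-Basics list; it assumes only a POSIX `find` and `ps`, and the function names and the user/group arguments are mine. Rather than hard-coding `nobody`/`nogroup`, it takes the user and group as parameters so the same script works for `apache`, `www` or whatever uid the daemon drops to.

```shell
#!/bin/sh
# Added example (not from the original post): audit what an attacker holding
# a given uid/gid could reach on this host. Assumes POSIX find(1) and ps(1).

# Everything owned by the user or the group under ROOT. The parentheses keep
# the -o from being swallowed by find's implicit -print.
# Usage: owned_by ROOT USER GROUP
owned_by() {
    find "$1" \( -user "$2" -o -group "$3" \) 2>/dev/null
}

# World-writable directories WITHOUT the sticky bit: any uid can create,
# rename or delete entries here. (/tmp is normally 1777: writable, but the
# sticky bit stops one user deleting another's files, so it is not listed.)
# Usage: world_writable_dirs ROOT
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# World-writable regular files: contents can be altered by any local uid,
# which is the "deface the site, or worse" case when they sit in a webroot.
# Usage: world_writable_files ROOT
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Processes running as USER: these are what the uid can signal or kill.
# Usage: procs_as_user USER
procs_as_user() {
    ps -u "$1" -o pid= -o comm= 2>/dev/null
}

# Line count helper; tr strips the padding some wc implementations emit.
count_lines() {
    wc -l | tr -d ' '
}

# Run the full audit for one uid/gid over a filesystem root.
# Usage: audit_uid ROOT USER GROUP
audit_uid() {
    echo "== owned by $2 / $3 under $1 =="
    owned_by "$1" "$2" "$3"
    echo "== world-writable, non-sticky directories under $1 =="
    world_writable_dirs "$1"
    echo "== world-writable files under $1 =="
    world_writable_files "$1"
    echo "== processes running as $2 =="
    procs_as_user "$2"
}

# Example invocation (uncomment to run against the live system as root):
# audit_uid / nobody nogroup
```

Run it as root so `find` can descend everywhere; run it as the low-privilege user instead and the output is the attacker's view. A non-empty "owned by" list inside the webroot, or a writable directory in a daemon's search path, is the finding to act on.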


