--On Tuesday, January 29, 2008 08:39:04 +0000 Graeme Fowler
<G.E.Fowler@lboro.ac.uk> wrote:
Once an unknown remote user is on your system, the glib comment I made
was "all bets are off - they're not root yet". I don't know what setuid
root scripts exist on the system in question, nor what other mods may
have been made which expose privilege escalation issues. I'm pointing
out what I believe could be a (the) likely attack vector, from
experience.
It could equally well be something else, but before we all run around
shouting that "the sky is falling" we should probably examine what we
do, or can, know first.
Just to buttress what Graeme is saying, the problem is two-fold. You not only
have an unwanted visitor in your system, but you also have an unwanted visitor
on your *network*. So you have two risks - the visitor can find a local
privilege escalation that works and the visitor can discover all your assets
and find weaknesses in any of them to exploit.
It's been my experience that local privilege escalation is often thought of as
less dangerous than remote privilege escalation. The only difference between
the two is from where the attacker has to start. Once he's in, as Graeme says,
all bets are off. It's purely a matter of time before something gets
exploited, even if it's only password sniffing that leads to root. All it
takes is for one person to type their password on the cli (e.g. mysql -u root
-p foo), and the password is sitting in plain text in the logfiles.
--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
