[conspire] Bad Web apps considered harmful; escalation paths (was: GLUE)
rick at linuxmafia.com
Fri Oct 12 10:40:02 PDT 2007
I wrote, to Bruce:
> A typical system has much more glaring vulnerabilities in userspace,
> though a possible kernel-based privilege-escalation path, if present and
> credible, is certainly a concern.
Reasons why you should care about both kernel-based and all other local
privilege-escalation paths are exemplified by the quotation about
post-httpd-intrusion escalation paths near the end of this forward,
below. (Web-app-based intrusion _IS_ the current fad entry method, y'know.)
And this once again illustrates why you _really_ need a decent
file-based IDS as a "canary" against less-clumsy intrusions. (See
----- Forwarded message from Rick Moen <rick> -----
Date: Thu, 11 Oct 2007 21:44:52 -0700
From: Rick Moen <rick>
To: sf-lug at linuxmafia.com
Subject: Re: [sf-lug] ebay security analysis: phishers targeting linux
> Some of the same observations have now also been made by Chad Perrin in
> his article "Linux phishing botnet statistics can be deceptive"
> (http://blogs.techrepublic.com.com/security/?p=296). Worth reading, and
> please note his observations about non-root compromise of innumerable
> Linux/BSD/Solaris/etc. sites on account of badly written PHP apps.
Here's an excellent write-up of what an intruder did _after_ he/she
broke into a reasonably well maintained Ubuntu 6.06 LTS box, and then
somehow escalated to root authority:
Author could not determine the means of entry, as the article concludes:
    The most important question is, how did he get access in the
    first time? The server was running Ubuntu 6.06 LTS (i386) and was fairly
    updated. The compromise could be caused by:
    * An exploit unknown to the public.
    * A user accessing this server from an already compromised
      host. The attacker could then sniff the password.
(Nor did the author determine how the intruder gained root. Of course,
this being an Ubuntu box and defaulting to a sudo setup, stealing the
regular password of the main user would be sufficient.)
However, the article is excellent in detailing what subsequent steps the
bad guy took -- made possible by that person's failure to take some
obvious steps to cover his/her tracks, and in general being extremely
clumsy and obvious.
One of the comments on the related discussion thread includes someone
speculating that the avenue of entry might have been unpatched PHP-Nuke
/ Post-Nuke, leading to ability to remotely fetch and run a script --
based on that happening to him/her, in a very similar attack.
(As I said.)
I also like this comment:
    Nice report, this surely took you a couple hours.
    You seem to be neglecting known vulnerable Web applications as a
    possible entry point. This is one of the most common ways semi-automatic
    (local root exploit is mostly run manually as it's not too easy to
    handle the various different environments by a script) takeovers work
    nowadays. As the security status of Web applications is often not
    tracked (nor is it tracked which Web applications are installed at all,
    and this is especially so but not limited to shared hosting
    environments), it is very difficult for an admin to keep track of their
    de facto vulnerabilities. Attackers, however, can (and do) easily scan
    multiple Web servers for known security issues and, as the scan takes so
    little time, do not need to know whether or not a system is vulnerable
    before starting to run exploits against it.
    Moritz Naumann, security[at]moritz-naumann.com
----- End forwarded message -----
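Since the point above is that a file-based IDS "canary" catches the dropped
script or tampered file that a Web-app intrusion leaves behind, here is an
added, stand-alone illustration of the idea (my example for this thread, not
code from the forwarded article, from Ubuntu, or from any IDS product it might
bring to mind). It uses only the Python standard library: baseline a tree
(hash, size, mode per regular file), store it, and later diff a fresh walk
against it. The web root layout and the "post-intrusion" changes in demo()
are constructed for the example; in practice the baseline file would live
off-box or on read-only media, since an intruder who can write to it can
re-baseline their own changes.

```python
"""Minimal file-integrity canary: baseline a directory tree, then report changes.

Added example for this thread; not code from the post or from any tool it names.
Standard library only, so it runs offline.
"""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a regular file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Walk root and record hash, size and permission bits for every regular file.

    Keys are paths relative to root so the baseline can be stored elsewhere.
    Symlinks, sockets and devices are skipped (lstat, not stat, so a symlink
    planted over a real file shows up as a removal rather than being followed).
    """
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            entries[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return entries


def compare(old, new):
    """Diff two baselines: added, removed, and modified (content or mode changed)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(
        p for p in set(old) & set(new)
        if old[p]["sha256"] != new[p]["sha256"] or old[p]["mode"] != new[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(entries, path):
    with open(path, "w") as f:
        json.dump(entries, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: a small PHP web root is baselined, then a file is
    dropped, an existing file is altered, and a module is made executable.
    Returns the compare() report so the caller can inspect it."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "htdocs")
        os.makedirs(os.path.join(webroot, "modules"))
        with open(os.path.join(webroot, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(webroot, "modules", "news.php"), "w") as f:
            f.write("<?php // news module ?>\n")
        db = os.path.join(root, "baseline.json")  # would live off-box in practice
        save_baseline(baseline(webroot), db)

        # Simulated post-intrusion changes (constructed, not from the article).
        with open(os.path.join(webroot, "modules", "x.php"), "w") as f:
            f.write("<?php // dropped file ?>\n")
        with open(os.path.join(webroot, "index.php"), "a") as f:
            f.write("// appended\n")
        os.chmod(os.path.join(webroot, "modules", "news.php"), 0o755)

        return compare(load_baseline(db), baseline(webroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it and the report lists modules/x.php as added and both index.php and
modules/news.php as modified. Scheduling baseline() against /usr/bin, /etc
and each web root, with the JSON kept somewhere the httpd user cannot write,
is the whole "canary" idea; the clumsy intruder in the forwarded write-up
would have tripped it on the first dropped script.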