[sf-lug] Hacked RHEL4/PHP4 server

Thu May 22 13:14:44 PDT 2008

Quoting Kristian Erik Hermansen (kristian.hermansen at gmail.com):

> But now I probe you further :-)  What happens if I corrupt the file
> system intentionally, and I hold an 0day for fsck?

If you are holding in your hands a day-zero exploit for e2fsck, you have
_much_ better things to do with your new-found, magically (if
hypothetically) available underworld wealth than attempt to taunt some
sysadmin in Menlo Park.

> This scenario is not unreasonable....

{choke, sputter, spit-take, sudden wiping off of keyboard}

Pull the other one, Mr. Hermansen.  Feel free to presuppose that you
have a pony, while you're at it.  ("And a shrubbery.  A nice one, with a
path down the middle....")

If you think it's possible to induce the canonical e2fsck to perform
unnatural and threatening acts through a cannily malformed filesystem
that it merely parses but does not execute, feel free to show a
demonstration.  I'll not be holding my breath.

But why bother?  Why not, if you're attempting to play stupid mind games
with the sysadmin of a system where you've hypothetically stolen root,
encrypt a bunch of its files and then send the admin a telephone call or
e-mail advising him/her of where to wire money to get the files back?
You've now recreated one of the standard 1980s virus scenarios (that
were actually attempted on victims of that era by Central American
wannabe extortionists).

Or just replace the partition table with one that's readable only by
special bootloader code and checks for an authorisation file that the
bad guys have to refresh from time to time, remotely.  If the sysadmin
attempts to kick the bad guys out, he/she finds that the system has
become unbootable and lacks a valid partition table.  (Lost partition
tables can be recreated by a sufficiently determined sysadmin, but I'm
sure a worse threat model can be 

> Now I ask you, are you feeling any more safer today?  ;-P

What the hell made you think I would ever regard a root-compromised
computer system as "safe"?  I merely said that one's first step is to 
boot the compromised system from trusted separate media, in order to
make a snapshot of the contents and study it.  Sufficiently determined 
intruders can certainly make that process difficult or in-practice
impossible (which is one reason why we have backups).  I greatly doubt
that the intruder can create a malformed filesystem able to induce
e2fsck to open a subspace channel to V'ger on his/her behalf -- but, if
so, I guess he/she would _then_ be able to also compromise my Sidux 
RAMdisk (oooh!), and so I should PH33R H1Z M4D SK1LLZ.

Anyway, you'll want to pull the standard "I'm a security guy, and so you
should be more scared" shuck-and-jive on someone who's more easily
impressed.