The brk() vulnerability [LWN.net]

The brk() vulnerability

Posted Dec 3, 2003 5:45 UTC (Wed) by stuart2048 (subscriber, #6241)
Parent article: The brk() vulnerability

I too would like to offer a big thumbs up on LWN's coverage of this event. Thanks guys!

One thing puzzles me though. How did the attacker gain unpriviledged shell access to the systems in the first place? Apparently this was done via a sniffed password. But how did this password get sniffed? Was it cleartext on the wire? If so, what was it -- telnet, rlogin, X11 keystrokes?

If this was a network sniff, what was the topology? Where did the sniff happen?

--Stuart

(Log in to post comments)

The brk() vulnerability

Posted Dec 3, 2003 8:12 UTC (Wed) by dlang (subscriber, #313) [Link]

remember that the Debian project boasts 1000 developers. I don't know how many had access to the initial machine, but it's not unreasonable to consider that at least half of them did.

if these people each accessed this machine from 2 different machines (home and work for example) that means that there are 1000 different places that the inirial login password could have been aquired from.

remember that if you use ssh to connect to a machine that machine is only as secure as the least secure of the machines that are allowed to connect to it. chain this a few times, multiplied by a lot of people and you should figure that a determined enough person _will_ be able to get user access to it.

The brk() vulnerability

Posted Dec 3, 2003 8:21 UTC (Wed) by pwaechtler (subscriber, #5075) [Link]

I guess POP3 or HTTP (cvs repository?) with password

The brk() vulnerability

Posted Dec 3, 2003 8:33 UTC (Wed) by ridrid (guest, #10092) [Link]

Heres a hypthosesis from the debian-devel mailing list:

http://lists.debian.org/debian-devel/2003/debian-devel-200311/msg02170.html

Rich Dougherty

The brk() vulnerability

Posted Dec 4, 2003 12:13 UTC (Thu) by IkeTo (subscriber, #2122) [Link]

In other words, if you don't want it to happen to you, don't ssh from ssh'ed accounts.