LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for December 4, 2008

KSM runs into patent trouble

Tux3: the other next-generation filesystem

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Too weak

Too weak

Posted Dec 11, 2003 16:36 UTC (Thu) by RobSeace (subscriber, #4435)
In reply to: Too weak by walles
Parent article: Lessons from the Debian compromise

> "Imagine there is an unknown, exploitable bug in the kernel's brk()
> implementation. What *technical measures* (other than discovering + fixing
> the bug) could prevent that problem from being exploited?"
>
> Answer that, and this won't happen again.

Forbiding all remote user access would do it... But, may be too extreme
for many... ;-) People seem to forget, it's NOT the kernel brk() bug that's
ultimately to blame here, as I see it: that was just a local exploit, which
allowed the attacker to escalate their privs once they'd already broken into
a normal user account... The REAL problem is that they broke into a normal
user account, in the first place! Do you imagine the impact of that, even
without root access, to be a minor issue?? (I mean "you" in the generic
sense here, not attacking you personally...) If this person whose account
was compromised was a developer (and, if not, why do they have an account
on those machines??), then all an attacker would NEED is their normal user
access in order to plant trojan horses in any software the developer had
access to... Plus, by pretending to be that user, they could perhaps
social-engineer others into giving them enough info to do further damage,
elsewhere...

So, all this continued focus on the kernel brk() bug really bugs me... (No
pun intended... ;-)) It's completely missing the point to lay the blame
there, and give THAT all of the focus and attention... It would be much
more important to focus on how the person got access to that user's account
in the first place... THAT is what needs to be prevented in the future;
and, that's FAR more important, IMHO, than any local-only root exploit...
If no one untrusted has remote access, then all local exploits become
totally irrelevent... And, even in the case where there were no local
exploits at all, letting anyone untrusted have remote access to a legit
user's account is STILL a very, very BAD thing... So, as I say, I think
everyone is focusing on the wrong problem in this whole mess... ;-/

(Log in to post comments)

brk() bug was the real problem

Posted Dec 13, 2003 19:05 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

I take the opposite view. An unauthorized user being able to log into a system as a nonprivileged user is a small deal. Being able to escalate to a privileged user is a big deal.

That's because there are all kinds of legitimate reasons for having a system that untrusted people can log into as an unprivileged user. We should not therefore squander our attention on stopping people from logging in, but rather allocate it to stopping privilege escalations.

How do you figure??

Posted Dec 13, 2003 19:49 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

How on Earth can you say that someone gaining access to a legit developer's
user account is "a small deal"???? And, at the same time, that going from
there to root is a "a big deal"???? I can't comprehend your perspective...

By having access to the developer's user account, the attacker can pretend
to be the developer, including doing such things as checking in code under
his/her name, communicating with others to obtain info intented only for the
developer, and basically anything and everything that legit developer could
do... Is this really "a small deal" to you???? Do you realize the damage
that could be done this way?? Think about it... Chances are, no one would
ever have found out about such a user-only attack: no system files would
have changed, no kernel oopses as warnings, nothing to tip anyone off that
anything was up... So, this person could have undected access for as long
as they wanted, and do anything they wanted in the real developer's name,
without arousing anyone's suspicions... They could get a hidden backdoor of
some sort worked into some major bit of software which they know will be
run by everyone that uses the distro, and as soon as it gets distributed
widely, they'd have access to thousands of machines around the world, with
no one being the wiser (until they eventually slip up and get caught)...
You don't think this represents a scary scenario?? Yet, you find the mere
escalation from an authorized remote user account to root the end of the
world???? I'm totally baffled by that...

Gaining root, when you already have the above power, is just unecessary
overkill, really... If the person who pulled this off were smart, they
would've done as I describe above, and stayed hidden, and been able to do
lots of nasty things for a LONG time, before anyone ever caught them...
By being greedy and going after root, they got caught quickly... And, what
did it gain them?? Not much... Seriously, tell me: what are you so afraid
they could've done as root, that they couldn't have accomplished far more
stealthfully as the developer?? It seems to me the big danger is planting
some kind of back-door/trojan into the source, right? Why do that with
noisy root access, when you can do it with stealthy developer access, and
arouse no one's suspicions?? Sure, as root they can sniff everyone's
passwords and monitor everyone's communications, etc... But, so what?
What is the ultimate danger from doing that: that they'll be able to find a
way to poison the source code, right? Or, are you worried about some OTHER
danger that I'm not seeing??

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds