| 1 |
Dan Margolis wrote: |
| 2 |
|
| 3 |
>Joshua Brindle wrote: |
| 4 |
> |
| 5 |
> |
| 6 |
> |
| 7 |
>>This isn't a weakness at all, presumably the attacker had root and could |
| 8 |
>>have put these files anywhere, he just chose /dev/shm. |
| 9 |
>> |
| 10 |
>> |
| 11 |
> |
| 12 |
>According to Eric, it was a valid user. |
| 13 |
> |
| 14 |
> |
| 15 |
> |
| 16 |
doesn't matter, for the rootkit to have done anything to the system it |
| 17 |
would have to be running the escalated privleges. If it was running with |
| 18 |
the users privs then who cares? |
| 19 |
|
| 20 |
> |
| 21 |
> |
| 22 |
>>trusted path is a broken concept. |
| 23 |
>> |
| 24 |
>> |
| 25 |
> |
| 26 |
>I didn't know this. Does GRSec's TPE not work? |
| 27 |
> |
| 28 |
> |
| 29 |
> |
| 30 |
This is not a comment about grsec. This is merely a comment about the |
| 31 |
security model behind trusted path. |
| 32 |
|
| 33 |
> |
| 34 |
> |
| 35 |
>>I'm not sure if it's been mentioned but adding noexec wouldn't prevent |
| 36 |
>>this since you can always run elf binaries through ld.so without |
| 37 |
>>directly executing them and noexec doesn't prevent this. Further, as I |
| 38 |
>>already said, if he already had root he could have put it anywhere he |
| 39 |
>>wanted, or even remounted /dev/shm without noexec. There are no security |
| 40 |
>>gains here. |
| 41 |
>> |
| 42 |
>> |
| 43 |
> |
| 44 |
>He couldn't have remounted it. He didn't have root. |
| 45 |
> |
| 46 |
>According to this |
| 47 |
>[http://www.blacksheepnetworks.com/security/security/vulndev/0235.html], |
| 48 |
>GRSec's TPE is perfectly effective against this attack, however. |
| 49 |
> |
| 50 |
> |
| 51 |
> |
| 52 |
wrong, anything you can read you can execute. trusted path is a broken |
| 53 |
model, ld.so is just one example of how to get around it. |
| 54 |
|
| 55 |
>And the reason I said it's a bug in our documentation is because we |
| 56 |
>encourage readers to modify fstab to include nosuid and noexec flags |
| 57 |
>where appropriate. Clearly, an incomplete recommendation since we left |
| 58 |
>out /dev/shm. |
| 59 |
> |
| 60 |
> |
| 61 |
> |
| 62 |
It isn't a bug in the documentation. |
| 63 |
|
| 64 |
Joshua |
| 65 |
|
| 66 |
|
| 67 |
-- |
| 68 |
gentoo-hardened@g.o mailing list |
Archives