1 |
Dan Margolis wrote: |
2 |
|
3 |
>Joshua Brindle wrote: |
4 |
> |
5 |
> |
6 |
> |
7 |
>>This isn't a weakness at all, presumably the attacker had root and could |
8 |
>>have put these files anywhere, he just chose /dev/shm. |
9 |
>> |
10 |
>> |
11 |
> |
12 |
>According to Eric, it was a valid user. |
13 |
> |
14 |
> |
15 |
> |
16 |
doesn't matter, for the rootkit to have done anything to the system it |
17 |
would have to be running the escalated privleges. If it was running with |
18 |
the users privs then who cares? |
19 |
|
20 |
> |
21 |
> |
22 |
>>trusted path is a broken concept. |
23 |
>> |
24 |
>> |
25 |
> |
26 |
>I didn't know this. Does GRSec's TPE not work? |
27 |
> |
28 |
> |
29 |
> |
30 |
This is not a comment about grsec. This is merely a comment about the |
31 |
security model behind trusted path. |
32 |
|
33 |
> |
34 |
> |
35 |
>>I'm not sure if it's been mentioned but adding noexec wouldn't prevent |
36 |
>>this since you can always run elf binaries through ld.so without |
37 |
>>directly executing them and noexec doesn't prevent this. Further, as I |
38 |
>>already said, if he already had root he could have put it anywhere he |
39 |
>>wanted, or even remounted /dev/shm without noexec. There are no security |
40 |
>>gains here. |
41 |
>> |
42 |
>> |
43 |
> |
44 |
>He couldn't have remounted it. He didn't have root. |
45 |
> |
46 |
>According to this |
47 |
>[http://www.blacksheepnetworks.com/security/security/vulndev/0235.html], |
48 |
>GRSec's TPE is perfectly effective against this attack, however. |
49 |
> |
50 |
> |
51 |
> |
52 |
wrong, anything you can read you can execute. trusted path is a broken |
53 |
model, ld.so is just one example of how to get around it. |
54 |
|
55 |
>And the reason I said it's a bug in our documentation is because we |
56 |
>encourage readers to modify fstab to include nosuid and noexec flags |
57 |
>where appropriate. Clearly, an incomplete recommendation since we left |
58 |
>out /dev/shm. |
59 |
> |
60 |
> |
61 |
> |
62 |
It isn't a bug in the documentation. |
63 |
|
64 |
Joshua |
65 |
|
66 |
|
67 |
-- |
68 |
gentoo-hardened@g.o mailing list |