Vulnerability Development mailing list archives
Re: Kill the DOG and win 100 000 DM
From: "Jeffrey W. Thompson" <thompson () ARGUS-SYSTEMS COM>
Date: Fri, 10 Nov 2000 16:51:31 -0600
Jay,

Given your example the application would be exec'd at the level of the application. However, all privileges are lost across the exec. Also, you would need to be able to talk with the process according to MAC rules in order to attack this.

The likely case is that you will be able to attack services that are available to the public (not backend databases and other more heavily protected things). Also, the vast majority of these services should be protected at a MAC label that does not give them system access. This will typically leave a very few services on the system that will yield good access to the system where you could get a breach. Of course, this presumes that the system was set up in a proper fashion.

With that said, looking for network services that you can remotely attack that are at different SL's than you are is an excellent way to get different types of access to the system. The key is that the access will be different, not necessarily better! :)

In regards to network protection, this is enforced by the kernel so it does not matter whether a program is label aware or not. It's totally automatic.

Cheers,
Jeff

Jay Tribick wrote:
> Hi,
>
> > To break it down:
> >
> > 1) When you connected from the internet you logged in as beaner. Your network connection from the internet was automatically marked at a different level than TS ALL. This was probably Confidential User or something like that.
> >
> > 2) Your MAC level (Con User) will stay with your process and all its children no matter if you become another user or break a setuid program.
>
> Let's say, for example, that there was an application running with an SL that dominated the attacking user's SL. This application has a remote-exec hole (i.e. by passing certain commands over the socket, one could cause the application to system(3) or exec(3) another program). Would the SL of the program that was spawned be the SL of the attacking user, or the SL of the application from which it was invoked? (..assuming that the attack was performed by someone locally on the machine telnetting to a port on the same box)
>
> > 4) If your process tries to telnet to the local machine its label will be on the stream and will be used in setting up that network connection. This will cause your connection to be at exactly the same level you are at.
>
> Does this assume that the application you're connecting to is label-aware, or is it enforced regardless of the application?
>
> --
> Regards,
> Jay Tribick
> Senior Systems Engineer
> Carrier1
> Voice: +44 207 531 3874
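
A small model of the label rules discussed in this message, for reviewing which network services are reachable from a given connection label and what label their children would run at. It is an added example, not part of the original thread and not Argus code; it assumes a generic level-plus-compartments lattice, and the level ordering, compartment names, sample services and the `accepts` field are hypothetical.

```python
from dataclasses import dataclass

# Assumed ordering; the thread names only "TS ALL" and "Confidential User".
LEVELS = {"Confidential": 1, "Secret": 2, "TS": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

def dominates(a, b):
    """a dominates b: level at least as high and a superset of compartments."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments

def relation(gained, held):
    """How a label gained through a service compares with the one already held."""
    up, down = dominates(gained, held), dominates(held, gained)
    if up and down:
        return "same"
    return "higher" if up else "lower" if down else "incomparable"

@dataclass(frozen=True)
class Service:
    name: str
    label: Label     # label the daemon runs at; per the thread, an exec'd child keeps it
    accepts: tuple   # hypothetical: connection labels MAC lets reach this service

def audit(client, services, system):
    """For each service reachable at the client's label, report how the service
    label compares and whether it dominates the system label (assumed here to
    be what 'system access' means)."""
    return [(s.name, relation(s.label, client), dominates(s.label, system))
            for s in services if client in s.accepts]

# Constructed sample configuration (not from a real system).
ALL = frozenset({"User", "Web", "DB", "Sys"})
INTERNET = Label("Confidential", frozenset({"User"}))
WEB = Label("Confidential", frozenset({"Web"}))
SYSTEM = Label("TS", ALL)
SERVICES = [
    Service("httpd", WEB, (INTERNET,)),
    Service("dbd", Label("Secret", frozenset({"DB"})), (WEB,)),  # backend only
    Service("admind", SYSTEM, (INTERNET,)),                      # misconfigured
]

if __name__ == "__main__":
    for name, rel, sys_access in audit(INTERNET, SERVICES, SYSTEM):
        print(f"{name}: label is {rel}; system access: {sys_access}")
```

In the sample, `httpd` is reachable but its label is incomparable to the client's (different, not better), `dbd` is not reachable at all, and `admind` is the kind of publicly reachable, system-labelled service a configuration review should flag.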