Vulnerability Development mailing list archives
Re: Ports 0-1023?
From: gminick <gminick () hacker pl>
Date: Thu, 4 Jul 2002 22:31:13 +0200
On Thu, Jul 04, 2002 at 06:54:05PM +0100, Bruno Morisson wrote:
Example, uid 80 can bind to tcp port 80.
It leads us to build more static and more complicated systems. We're just trying to provide new situations where bugs can exist and what we're trying to achieve isn't worthy...
You start the httpd as that user, and drop privileges by setting your uid to nobody (or apache, or whatever). If the user exploits the daemon, it will be uid nobody (or whatever), and in the worst case scenario, he will have uid 80, and never uid 0.
Are you sure? I think that our new user changes nothing and there's still a possibility of priviledges expansion from user nobody to a root (if you've exploited apache with a remote exploit, and you have a shell as user nobody you're able to try to exploit something locally and get UID==0). Am I right ? -- [ Wojtek gminick Walczak ][ http://hacker.pl/gminick/ ] [ gminick (at) hacker.pl ][ gminick (at) klub.chip.pl ]
Current thread:
- Re: Ports 0-1023?, (continued)
- Re: Ports 0-1023? Dan Kaminsky (Jul 04)
- Re: Ports 0-1023? Michal Zalewski (Jul 04)
- Re: Ports 0-1023? Sebastian Krahmer (Jul 05)
- Re: Ports 0-1023? robbe (Jul 04)
- Re: Ports 0-1023? Dave Aitel (Jul 04)
- Re: Ports 0-1023? Michal Zalewski (Jul 04)
- Re: Ports 0-1023? hicks (Jul 04)
- Re: Ports 0-1023? Juan M. Courcoul (Jul 04)
- Re: Ports 0-1023? Mark Ruth (Jul 04)
- Re: Ports 0-1023? Bruno Morisson (Jul 04)
- Re: Ports 0-1023? gminick (Jul 04)
- Re: Ports 0-1023? Bruno Morisson (Jul 04)
- Re: Ports 0-1023? gminick (Jul 05)
- Re: Ports 0-1023? George W. Capehart (Jul 05)
- Re: Ports 0-1023? Bruno Morisson (Jul 04)
- Re: Ports 0-1023? Michal Zalewski (Jul 04)
- Re: Ports 0-1023? Brian Hatch (Jul 04)
- Re: Ports 0-1023? Blue Boar (Jul 04)
- Re: Ports 0-1023? Brian Hatch (Jul 05)
- Re: Ports 0-1023? Clint Byrum (Jul 05)