Full Disclosure mailing list archives
Re: one of my servers has been compromized
From: Gage Bystrom <themadichib0d () gmail com>
Date: Tue, 6 Dec 2011 19:18:07 -0800
Well, in that case it becomes fairly sane, assuming you've safeguarded against one of the worst-case scenarios like Valdis previously mentioned. There are a handful of things I can think of, however, that could still work, which at that point depends on the attacker's goals. But at that point it'd be a complete loss for the defender, and only a half victory for the attacker. After all, the defender only wins if the attacker fails to accomplish his goals. The minute he changes his goals into something you've already been forced to concede to him, the minute he concedes the following: "I'm not getting the kernel" and one of the following: "I'm not modifying critical files" or "The intrusion has a high chance of being detected". But meh, at that point it is an unrealistic scenario anyway. An attacker who can recognize that, while going through with the decision, while being able to plan ahead, while being skilled enough to actually prepare for the plan, while actually encountering the scenario needed for the prerequisites for this to occur, is perhaps the very scenario behind the "everything can be hacked" possibility we all inherently recognize. Oh well, anyway this thread has been very interesting to me, and I'm glad that I'm not the only one who could see how over-responding would have been completely useless to the OP. That and he likely has more than he needs to put an end to his current circumstance.

On Tue, Dec 6, 2011 at 5:33 PM, John Jacobs <flamdugen () hotmail com> wrote:
> Sounds pretty neat to be honest. But one thing I'm wondering is that if they have root, what's stopping them from turning that off? After all they need root to load the modules in the first place, so if they are in a position to want to do that, then they are in a position to turn that off. Granted they probably wouldn't be able to load modules till next boot (at least I'd probably cry if that wasn't the case) but even that can be a win scenario depending on how they want to execute the

Hi Gage, thank you for your reply. What you are missing is that by disabling kernel module loading you are applying a defense-in-depth strategy to prevent a *vulnerable* module from automatically loading in the first place, resulting in root compromise. I believe you may not be aware that some modules are loaded automatically if a corresponding special device is accessed. Usually the userspace modprobe utility is executed, though this can be controlled by the value of /proc/sys/kernel/modprobe.

Preventing module loading has historically been a valuable way to prevent privilege escalation or further root compromise. Such an example would be the 'ptrace' exploit, see http://www.sans.org/security-resources/malwarefaq/Ptrace.php Historically there have been various kernel modules that are vulnerable that could be loaded by userland non-root programs or access. Ubuntu likes to automatically load modules. Removing CAP_SYS_MODULE or kernel.modules_disabled=1 makes good security sense. See http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3d43321b7015387cfebbe26436d0e9d299162ea1 and http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=25354c4fee169710fd9da15f3bb2abaa24dcf933 and https://wiki.ubuntu.com/Security/Features#block-modules

The goal here is defense in depth. Revocation of loading the kernel modules cannot be undone unless a system reboot is effected, which should be highly suspicious.

The goal isn't about protecting one's boxens from a theoretical boogie-man; it is to leverage all available and sane methods for properly securing one's box. I see no point to not use these options.

Thanks,
John
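Added example (my own, not code from either poster or from the thread): a POSIX shell audit of the two knobs John names, plus the persistent form of the hardening. It reads kernel/modules_disabled and kernel/modprobe under a configurable root so it can be run against fixture files as well as the live /proc/sys. Not stated on the page and assumed here: pointing kernel.modprobe at /bin/false neuters device-triggered autoload without the one-way switch (but, as Gage notes, root can simply write it back, which is exactly why the one-way modules_disabled switch exists); the fragment filename is made up; and because modules_disabled=1 cannot be undone, the fragment should be applied from a late boot step, after every module the box legitimately needs is already loaded, rather than dropped into an early sysctl.d directory.

```shell
#!/bin/sh
# Added example, not from the thread. Audits and persists the module-loading
# hardening discussed above.
#
# Assumed file semantics (standard on a stock Linux kernel, not stated on the page):
#   $ROOT/kernel/modules_disabled  reads "1" once loading is off; one-way until reboot,
#                                  and CAP_SYS_MODULE does not get around it
#   $ROOT/kernel/modprobe          userspace helper the kernel execs for autoload;
#                                  /bin/false or /bin/true means autoload is neutered

audit_module_loading() {
    root="${1:-/proc/sys}"
    disabled="$(cat "$root/kernel/modules_disabled" 2>/dev/null || echo missing)"
    helper="$(cat "$root/kernel/modprobe" 2>/dev/null || echo missing)"
    status=0

    if [ "$disabled" = "1" ]; then
        echo "modules_disabled=1: nothing can load a module until reboot"
    else
        echo "modules_disabled=$disabled: root (CAP_SYS_MODULE) can still load modules"
        status=1
    fi

    case "$helper" in
        /bin/false|/bin/true)
            echo "modprobe helper is $helper: device-triggered autoload is neutered" ;;
        missing)
            echo "modprobe helper unreadable: cannot tell whether autoload is active"
            status=1 ;;
        *)
            echo "modprobe helper is $helper: opening an unused device node can still pull in its driver"
            status=1 ;;
    esac
    return "$status"   # 0 only when both knobs are in the hardened state
}

# Persistent form. Apply it with `sysctl -p <file>` from a late boot step
# (rc.local or a final unit), after filesystems and NICs have their drivers,
# because kernel.modules_disabled=1 cannot be reverted without a reboot.
write_sysctl_fragment() {
    out="${1:-/etc/no-modules.sysctl}"   # assumed filename, not from the page
    cat > "$out" <<'EOF'
# Neuter device-triggered autoload first (reversible by root), then close the door (one-way).
kernel.modprobe = /bin/false
kernel.modules_disabled = 1
EOF
}
```

Sourcing the file and calling `audit_module_loading` with no argument checks the running kernel; a non-zero exit means at least one knob is still in its stock state. Once modules_disabled is 1, a later `sysctl -w kernel.modules_disabled=0` is refused by the kernel, which is the property the thread is relying on.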
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/