Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 29 Jan 2008 10:25:27 -0600
--On Tuesday, January 29, 2008 08:39:04 +0000 Graeme Fowler <G.E.Fowler () lboro ac uk> wrote: 

Once an unknown remote user is on your system, the glib comment I made
was "all bets are off - they're not root yet". I don't know what setuid
root scripts exist on the system in question, nor what other mods may
have been made which expose privilege escalation issues. I'm pointing
out what I believe could be a (the) likely attack vector, from
experience.

It could equally well be something else, but before we all run around
shouting that "the sky is falling" we should probably examine what we
do, or can, know first.
Just to buttress what Graeme is saying, the problem is two-fold. You not only have an unwanted visitor in your system, but you also have an unwanted visitor on your *network*. So you have two risks - the visitor can find a local privilege escalation that works and the visitor can discover all your assets and find weaknesses in any of them to exploit.
It's been my experience that local privilege escalation is often thought of as less dangerous than remote privilege escalation. The only difference between the two is from where the attacker has to start. Once he's in, as Graeme says, all bets are off. It's purely a matter of time before something gets exploited, even if it's only password sniffing that leads to root. All it takes is for one person to type their password on the cli (e.g. mysql -u root -p foo), and the password is sitting in plain text in the logfiles. 

--
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Previous By Date Next
Previous By Thread Next

Current thread: