Vulnerability Development mailing list archives

RE: OpenSSH Vulns (new?) Priv seperation


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 27 Jun 2002 00:11:03 -0400 (EDT)

On Wed, 26 Jun 2002, Peter Mueller wrote:

> reducing root-run code from 27000 to 2500 lines is the important part.
> who cares how many holes there are when it is in /var/empty/sshd chroot
> with no possibility of root :)

Interesting approach.

This gives the attacker an opportunity to access your system. Exploiting
local bugs in the kernel aside... using your system for further
compromises or other behavior of this nature aside... chroot is still not
a silver bullet. It essentially provides filesystem-level separation -
but not on every system does this mean any particular IPC restrictions, for
example. Having an attacker in the system, no matter what his uid is, is a
serious problem. An attacker with no direct ability to do rm -rf / or to
change your webpage would perhaps be considered less serious, but I do not
buy this argument. If you maintain your system properly and patch it on a
regular basis, script kiddies are really not that difficult to get rid of.
Even if you actually get compromised, it is probably better for the kiddie
to be able to do something terribly evident, so you can know about the
compromise, restore the data and continue.

Script kiddies rarely have access to exploits for not yet published
vulnerabilities and so on. It is people with some serious intent and
skills you should fear, and having one with uid != 0 does not make me feel
any safer. Sure, privilege separation is an added value - it will protect
clueless people who do not keep up with patches from mass defacements -
but that's it.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
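As an added example (not code from the thread or from OpenSSH), the check an administrator would run after reading this exchange: a sh audit that reports the effective UsePrivilegeSeparation setting and verifies that the privsep chroot directory is root-owned, not group/world-writable (the conditions sshd itself enforces at startup) and empty. It assumes the pre-7.5 directive (OpenSSH 7.5 and later make privilege separation mandatory and deprecate the keyword) and the /var/empty/sshd path mentioned in the thread; the file names used in the audit call are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): audits an sshd installation
# for the privilege-separation setup discussed above. Assumptions: the
# pre-7.5 "UsePrivilegeSeparation" directive is in use (OpenSSH 7.5 and
# later make privsep mandatory and deprecate the keyword) and the empty
# chroot directory is /var/empty/sshd as in the thread.

# privsep_setting CONFIG -> prints the effective value of
# UsePrivilegeSeparation. sshd honours the first uncommented occurrence of a
# keyword; when it is absent the compiled-in default ("yes") applies.
privsep_setting() {
    v=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-yes}"
}

# chroot_dir_ok DIR -> returns 0 when DIR exists, is owned by root, is not
# writable by group or others, and is empty; otherwise prints why and
# returns 1. sshd refuses to start when the owner or mode is wrong; keeping
# the directory empty denies the unprivileged child anything to work with.
chroot_dir_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: missing or not a directory"; return 1; }
    set -- $(ls -ld "$dir")          # $1 = mode string, $3 = owner
    mode=$1 owner=$3
    [ "$owner" = root ] || { echo "$dir: owned by $owner, not root"; return 1; }
    case $mode in                     # position 6 = group w, 9 = other w
        d????w*|d???????w*) echo "$dir: group/world writable ($mode)"; return 1 ;;
    esac
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: not empty"; return 1; }
    return 0
}

# audit CONFIG DIR -> 0 when both checks pass, 1 otherwise.
audit() {
    rc=0
    setting=$(privsep_setting "$1")
    if [ "$setting" = no ]; then
        echo "$1: UsePrivilegeSeparation is off; sshd runs entirely as root"; rc=1
    else
        echo "$1: UsePrivilegeSeparation $setting"
    fi
    chroot_dir_ok "$2" || rc=1
    return $rc
}

# Run as: sh privsep_audit.sh /etc/ssh/sshd_config /var/empty/sshd
[ $# -eq 0 ] || audit "$@"
```

The directive check reads only the first matching keyword, as sshd does, and ignores Match blocks, which cannot contain this option anyway.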

