From owner-freebsd-security Mon Jul 28 12:52:10 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA27954 for security-outgoing; Mon, 28 Jul 1997 12:52:10 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA27938 for ; Mon, 28 Jul 1997 12:52:06 -0700 (PDT)
Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id PAA12711; Mon, 28 Jul 1997 15:50:44 GMT
Date: Mon, 28 Jul 1997 15:50:44 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Robert Watson
cc: Vincent Poy, Tomasz Dudziak, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

There IS one common hole I've seen apache and stronghold have, and that is
that some people like to leave their sessiond or httpd files owned by
'nobody'. This allows somebody running CGI on that system to replace those
binaries with their own, hacked binaries (since the scripts are usually
owned as nobody), and the next time httpd starts, they can make it write a
root shell, or just about anything along those lines.

-------------------------------------------------------------------------
Jonathan A. Zdziarski                               NetRail Incorporated
Server Engineering Manager                    230 Peachtree St. Suite 500
jonz@netrail.net                                        Atlanta, GA 30303
http://www.netrail.net                                    (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Robert Watson wrote:

:On Mon, 28 Jul 1997, Vincent Poy wrote:
:
:> On Mon, 28 Jul 1997, Robert Watson wrote:
:>
:> =)> =)There was a security hole some time ago in perl that allowed local users
:> =)> =)to gain root access... That's probably the way he got root access...
:> =)> =)I would check my binaries, sup and recompile.
:> =)>
:> =)> Hmmm, I supped the perl from the most recent ports tree and also
:> =)> all the binaries are about 2 months old from the -current tree. I thought
:> =)> the security hole was way before that. What I didn't get is how did he
:> =)> get access to the second system (earth) when he doesn't have an account
:> =)> there in the first place?
:> =)
:> =)I'd be tempted to look in all the normal places -- sendmail, etc. What
:> =)daemons were running on the machine? Any web server processes? Also, I'd
:> =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
:> =)in use.. Any use of NIS going on? Also, .rhosts arrangements can be
:> =)extremely unhappy if we already know (s)he is messing with DNS entries.
:>
:> sendmail is running as well as apache httpd... ftpd, telnetd, and
:> ircd. No NIS. All I know was he managed to change everyone's .rhosts
:> file when it doesn't exist originally and the contents just had:
:> + +
:> in it.
:
:This guy sounds like either he has good tools, or good experience. For
:safety's sake, I'd guess the latter. All he needed was one sniffed
:password to get on the system, and then you may be stuck with known holes
:in application software. Most of the security problems I've seen have
:started with a sniffed password, but this comes from dormitory experience
::).
:
:Your best hope at this point is to shut down the system, boot on a floppy
:with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
:and check for changes. If you're running STABLE, your best bet may be to
:sup down differences, but to reinstall the binaries necessary to support
:the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
:If he's made enough changes to zap syslog, netstat, login-stuff, I
:wouldn't trust any other tools on the system currently.
:
:  Robert N Watson
:
:Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
:Network Security Research, Trusted Information Systems http://www.tis.com/
:Network Administrator, SafePort Network Services  http://www.safeport.com/
:robert@fledge.watson.org  rwatson@tis.com  http://www.watson.org/~robert/
:
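A check for the ownership hole Zdziarski describes, as an added example that is not part of the original thread or of Apache/Stronghold. It flags every binary that the web server's unprivileged user ('nobody') owns, can write through a group/world write bit, or can replace by renaming into a directory it can write. The paths, uid/gid values and the inventory are constructed for illustration; audit_live() is the same check against a real tree.

```python
"""Audit a web server tree for binaries the CGI user could swap out.

Constructed example, not code from the original FreeBSD-security thread.
The hole described there: httpd (or a helper such as Stronghold's sessiond)
is owned by 'nobody', the same uid CGI scripts run as, so a CGI author can
overwrite the binary and the next root-started httpd runs attacker code.
The paths, uids and the fake inventory below are made up.
"""
import os
import stat
from collections import namedtuple
from dataclasses import dataclass, field


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def writable_by(st, uid, gid):
    """Could a process running as uid/gid write this inode (ignoring ACLs)?"""
    if st.st_uid == uid:
        # The owner can always chmod u+w, so ownership counts as writable.
        return True
    if st.st_gid == gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit(paths, web_uid, web_gid, stat_fn=os.stat):
    """Return a Finding for every file the web user could replace.

    Three ways 'nobody' gets to swap a binary:
      1. it owns the file (it can chmod it and then write it);
      2. it can write the file directly through a group/world write bit;
      3. it can write the containing directory, so it can unlink or rename
         the file and drop its own in place; the sticky bit blocks this
         only for files it does not own.
    """
    findings = []
    for path in paths:
        st = stat_fn(path)
        finding = Finding(path)
        if st.st_uid == web_uid:
            finding.reasons.append("owned by web uid %d" % web_uid)
        elif writable_by(st, web_uid, web_gid):
            finding.reasons.append("file writable by web user")
        parent = os.path.dirname(path) or "."
        pst = stat_fn(parent)
        sticky_protects = bool(pst.st_mode & stat.S_ISVTX) and st.st_uid != web_uid
        if writable_by(pst, web_uid, web_gid) and not sticky_protects:
            finding.reasons.append("directory %s writable by web user" % parent)
        if finding.reasons:
            findings.append(finding)
    return findings


# --- constructed inventory modelled on a 1997-era Apache/Stronghold layout ---
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")
ROOT, WHEEL = 0, 0
WEB_UID, WEB_GID = 65534, 65534        # 'nobody' on many systems (assumption)

FAKE_FS = {
    "/usr/local/apache/sbin":           FakeStat(stat.S_IFDIR | 0o755, ROOT, WHEEL),
    "/usr/local/apache/sbin/httpd":     FakeStat(stat.S_IFREG | 0o755, WEB_UID, WEB_GID),  # the hole
    "/usr/local/apache/sbin/sessiond":  FakeStat(stat.S_IFREG | 0o775, ROOT, WEB_GID),     # group-writable
    "/usr/local/apache/sbin/ab":        FakeStat(stat.S_IFREG | 0o755, ROOT, WHEEL),       # fine
    "/usr/local/apache/cgi-bin":        FakeStat(stat.S_IFDIR | 0o775, ROOT, WEB_GID),     # nobody can rename here
    "/usr/local/apache/cgi-bin/suexec": FakeStat(stat.S_IFREG | 0o4711, ROOT, WHEEL),
}


def audit_fake():
    """Run the audit over the constructed tree; sorted for a stable result."""
    regular = sorted(p for p, s in FAKE_FS.items() if stat.S_ISREG(s.st_mode))
    return audit(regular, WEB_UID, WEB_GID, stat_fn=FAKE_FS.__getitem__)


def audit_live(root, user="nobody"):
    """Real-filesystem variant: walk root and flag files the named user could replace."""
    import pwd
    pw = pwd.getpwnam(user)
    files = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]
    return audit(files, pw.pw_uid, pw.pw_gid, stat_fn=os.stat)


if __name__ == "__main__":
    for f in audit_fake():
        print(f.path, "->", "; ".join(f.reasons))
```

The fix for every finding is the same: binaries and the directories holding them belong to root (or the install user), mode 755 or tighter, and the httpd user gets write access only to the directories it genuinely needs (logs, proxy cache), never to anything that is executed as root at start-up.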
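The offline integrity check Watson recommends in the quoted reply (boot clean media, checksum every binary, compare), as an added example that is not part of the original thread. It uses SHA-256 where the reply said MD5, since MD5 is no longer collision-resistant; the procedure is otherwise the same. The manifest and the interpreter running this must both come from trusted media, because a rootkitted host can lie about its own files. The sample trees are built in temporary directories and are constructed.

```python
"""Offline integrity check of a binary tree against a trusted manifest.

Constructed example, not code from the original thread.  The advice there
was to boot clean media and MD5-checksum every binary; this is the same
procedure with SHA-256 (MD5 is no longer collision-resistant).  Both the
trusted manifest and the tools doing the comparison must come from
read-only media, never from the suspect host.  The sample trees are made up.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                  # the link target is hashed at its own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare(trusted, current):
    """Diff two manifests: modified binaries, removed ones, unexpected additions."""
    return {
        "changed": sorted(p for p in trusted if p in current and trusted[p] != current[p]),
        "missing": sorted(p for p in trusted if p not in current),
        "added":   sorted(p for p in current if p not in trusted),
    }


def write_tree(root, files):
    """Helper for the demo: materialise {relative_path: bytes} under root."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Constructed scenario: pristine install media versus a tampered live system."""
    clean_files = {
        "bin/login":        b"\x7fELF clean login",
        "usr/bin/netstat":  b"\x7fELF clean netstat",
        "usr/sbin/syslogd": b"\x7fELF clean syslogd",
    }
    live_files = dict(clean_files)
    live_files["bin/login"] = b"\x7fELF trojaned login"           # swapped binary
    del live_files["usr/bin/netstat"]                              # removed binary
    live_files["usr/bin/.netstat.orig"] = clean_files["usr/bin/netstat"]  # stashed original
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        write_tree(clean, clean_files)
        write_tree(live, live_files)
        trusted = build_manifest(clean)   # in practice: built from the CDROM
        return compare(trusted, build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

In practice the trusted manifest is generated once from the distribution media and stored alongside it; on the suspect host the live tree is mounted read-only from the rescue system and only the "changed", "missing" and "added" lists need a human look.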