Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 28 Jul 1997 15:50:44 +0000 (GMT)
From:      "Jonathan A. Zdziarski" <jonz@netrail.net>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        Vincent Poy <vince@mail.MCESTATE.COM>, Tomasz Dudziak <loco@onyks.wszib.poznan.pl>, security@FreeBSD.ORG, "[Mario1-]" <mario1@PrimeNet.Com>, JbHunt <johnnyu@accessus.net>
Subject:   Re: security hole in FreeBSD
Message-ID:  <Pine.BSF.3.95q.970728154922.12468A-100000@netrail.net>
In-Reply-To: <Pine.BSF.3.95q.970728142652.3342F-100000@cyrus.watson.org>

next in thread | previous in thread | raw e-mail | index | archive | help
There IS one common hole I've seen apache and stronghold have, and that is
that some people like to leave their sessiond or httpd files owned by
'nobody'.  This allows somebody running CGI on that system to replace
those binaries with their own, hacked binaries (since the scripts are
usually owned as nobody), and the next time httpd starts, they can make it
write a root shell, or just about anything along those lines.


-------------------------------------------------------------------------
Jonathan A. Zdziarski                                NetRail Incorporated
Server Engineering Manager                    230 Peachtree St. Suite 500
jonz@netrail.net                                        Atlanta, GA 30303
http://www.netrail.net                                    (888) - NETRAIL
------------------------------------------------------------------------- 

On Mon, 28 Jul 1997, Robert Watson wrote:

:On Mon, 28 Jul 1997, Vincent Poy wrote:
:
:> On Mon, 28 Jul 1997, Robert Watson wrote:
:> 
:> =)> =)There was a security hole some time ago in perl that allowed local users
:> =)> =)to gain root access... That's probably the way he got root access...
:> =)> =)I would check my binaries, sup and recompile.
:> =)> 
:> =)> 	Hmmm, I supped the perl from the most recent ports tree and also
:> =)> all the binaries are about 2 months old from the -current tree.  I thought
:> =)> the security hole was way before that.  What I didn't get is how did he
:> =)> get access to the second system (earth) when he doesn't have a account
:> =)> there in the first place?
:> =)
:> =)I'd be tempted to look in all the normal places -- sendmail, etc.  What
:> =)daemons were running on the machine?  Any web server processes?  Also, I'd
:> =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
:> =)in use..  Any use of NIS going on?  Also, .rhosts arrangements can be
:> =)extremely unhappy if we already know (s)he is messing with DNS entries.
:> 
:> 	sendmail is running as well as apache httpd...  ftpd, telnetd, and
:> ircd.  No NIS.   ALl I know was he managed to changed everyone's .rhosts
:> file when it doesn't exist originally and the contents just had:
:> + +
:> in it.
:
:This guy sounds like either he has good tools, or good experience.  For
:safety's sake, I'd guess the latter.  All he needed was one sniffed
:password to get on the system, and then you may be stuck with known holes
:in application software.  Most of the security problems I've seen have
:started with a sniffed password, but this comes from dormitory experience
::).  
:
:Your best hope at this point is to shut down the system, boot on a floppy
:with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
:and check for changes.  If you're running STABLE, your best bet may be to
:sup down differences, but to reinstall the binaries necessary to support
:the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
:If he's made enough changes to zap syslog, netstat, login-stuff, I
:wouldn't trust any other tools on the system currently.
:
:
:  Robert N Watson 
:
:Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
:Network Security Research, Trusted Information Systems http://www.tis.com/
:Network Administrator, SafePort Network Services  http://www.safeport.com/
:robert@fledge.watson.org   rwatson@tis.com  http://www.watson.org/~robert/
:




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.970728154922.12468A-100000>