Date:      Thu, 1 Jan 1998 15:43:46 -0500 (EST)
From:      mgraffam@mhv.net
To:        Steve Reid <sreid@sea-to-sky.net>
Cc:        Michael Graffam <mgraffam@mhv.net>, questions@FreeBSD.ORG
Subject:   Re: HACKED (again)
Message-ID:  <Pine.LNX.3.96.980101153230.28029C-100000@localhost>
In-Reply-To: <Pine.LNX.3.95.980101114507.28747C-100000@alpha.sea-to-sky.net>

On Thu, 1 Jan 1998, Steve Reid wrote:

> On Thu, 1 Jan 1998 mgraffam@mhv.net wrote:
> > Upload an evil library, and set the environment that telnetd sets up
> > to call that lib rather than the ordinary stuffs, the evil lib gives 
> > a root shell. Hmm.. this implies ELF, so I don't think FreeBSD would
> > be vulnerable to this attack:
> 
> This did affect FreeBSD and most other Unixes. It was fixed a couple of
> years ago, I think sometime between the 2.0.5 and 2.1.0 releases. I
> wouldn't worry about it today. 

Ah, ok, it did affect FreeBSD. I knew that it was patched everywhere
by now, but the original poster said that his system had been hacked
a few OS revisions ago, so I thought that this might apply.

> BSD-derived Unixes have features to prevent such cloaking, by preventing
> everyone (even root) from changing important data. These features have
> to be specifically enabled. In short: set the "immutable" flag on all
> important binaries and scripts (see "man chflags") and run the system
> with securelevel set non-zero. The immutable files then can't be
> modified, and the immutable flag can't be removed except by taking the
> system down to single-user mode.

Yeah, this might be true (I haven't looked into the mechanisms of this,
are we sure that an attacker can't modify the files through an indirect
means?), but as you note these measures need to be specifically enabled
and I doubt many people enable such features, so on the average system
where root privileges can be attained in the first place, these options
are probably not configured.

However, I don't see how this will necessarily help you against files
that need to get changed, such as log files and utmp, unless the system
just makes an artificial distinction between legitimate changes to the
file and human-specified changes, in which case I'm quite sure that
a clever attacker could trick the ever-stupid computer. However, for
bins such as ps and netstat, you are absolutely correct. I still
prefer Tripwire or a similar setup, however, because a determined attacker
could probably modify the disk itself, and while the odds on this
being useful for implementing an evil ps or netcat are slim at best,
it still leaves me suspicious.

This is a good point, though; it might be wise to start shipping FreeBSD
with important files locked up as the default.

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"Enlightenment is man's emergence from his self-incurred immaturity.
Immaturity is the inability to use one's own understanding without the
guidance of another. . .Sapere aude! Have the courage to use your own
understanding!" - Immanuel Kant "What is Enlightenment?"
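
The chflags/securelevel advice above, and the question of what to do with files that must keep changing, as an added example (not code from the thread or from FreeBSD): an audit script that reads FreeBSD `ls -lo` output, whose fifth column is the file-flags field, and reports files that lack the system flag a policy expects. The policy mapping is an assumption for illustration; `sappnd` (system append-only) is a real chflags(1) flag the thread does not mention, and like `schg` it can only be cleared at securelevel 0 or below, whereas the user flags (`uchg`, `uappnd`) can be cleared by root at any securelevel.

```shell
#!/bin/sh
# Added example: audit "ls -lo" output against a file-flag policy.
# Policy (assumed, not from the thread): binaries under the system
# directories must carry schg; log files must carry sappnd. Files that
# are rewritten in place, such as utmp, fit neither flag and are skipped.

# Constructed sample of FreeBSD "ls -lo" lines (column 5 = flags field).
SAMPLE_LISTING='-r-xr-xr-x  1 root  wheel  schg         37056 Jan  1  1998 /bin/ps
-r-xr-xr-x  1 root  wheel  uchg         52896 Jan  1  1998 /usr/bin/netstat
-r-xr-xr-x  1 root  wheel  -            28672 Jan  1  1998 /usr/bin/login
-rw-r--r--  1 root  wheel  sappnd        9120 Jan  1  1998 /var/log/messages
-rw-r--r--  1 root  wheel  -             4096 Jan  1  1998 /var/log/auth.log
-rw-rw-r--  1 root  utmp   -             1152 Jan  1  1998 /var/run/utmp'

# has_flag FLAGS NAME: exact match of NAME in the comma-separated FLAGS
# list, so "uchg" does not satisfy a requirement for "schg".
has_flag() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# required_flag PATH: the system flag the assumed policy expects for PATH
# (empty string means the policy has no requirement for that file).
required_flag() {
    case "$1" in
        /var/log/*) echo sappnd ;;
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*) echo schg ;;
        *) echo "" ;;
    esac
}

# audit_flags: read "ls -lo" lines on stdin and print one MISSING line
# per file that lacks its required system flag. Paths with spaces are
# assumed absent; the trailing fields are collapsed into "name".
audit_flags() {
    while read -r perms links owner group flags size mon day yr name; do
        [ -n "$name" ] || continue
        want=$(required_flag "$name")
        [ -n "$want" ] || continue
        if ! has_flag "$flags" "$want"; then
            echo "MISSING $want: $name (flags: $flags)"
        fi
    done
    return 0
}

# On a live FreeBSD host: ls -lo /bin/* /usr/bin/* /var/log/* | audit_flags
printf '%s\n' "$SAMPLE_LISTING" | audit_flags
```

On the constructed sample this reports netstat (only the root-clearable uchg), login (no flags) and auth.log (no flags), and stays silent on ps and messages.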
