From owner-freebsd-questions Thu Jan 1 12:49:33 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA06992 for questions-outgoing; Thu, 1 Jan 1998 12:49:33 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from mhv.net (root@spice.mhv.net [199.0.0.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA06986 for ; Thu, 1 Jan 1998 12:49:29 -0800 (PST) (envelope-from mgraffam@mhv.net)
From: mgraffam@mhv.net
Received: from localhost (qripto@port108.mhv.net [206.229.41.36]) by mhv.net (8.8.5/8.7.3) with SMTP id PAA08781; Thu, 1 Jan 1998 15:49:21 -0500
Date: Thu, 1 Jan 1998 15:43:46 -0500 (EST)
X-Sender: qripto@localhost
To: Steve Reid
cc: Michael Graffam , questions@FreeBSD.ORG
Subject: Re: HACKED (again)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 1 Jan 1998, Steve Reid wrote:
> On Thu, 1 Jan 1998 mgraffam@mhv.net wrote:
> > Upload an evil library, and set the environment that telnetd sets up
> > to call that lib rather than the ordinary stuffs, the evil lib gives
> > a root shell. Hmm.. this implies ELF, so I don't think FreeBSD would
> > be vulnerable to this attack:
>
> This did affect FreeBSD and most other Unixes. It was fixed a couple of
> years ago, I think sometime between the 2.0.5 and 2.1.0 releases. I
> wouldn't worry about it today.

Ah, ok it did affect FreeBSD .. ok. I knew that it was patched everywhere by now, but the original poster said that his system had been hacked a few OS revisions ago, so I thought that this might apply.

> BSD-derived Unixes have features to prevent such cloaking, by preventing
> everyone (even root) from changing important data. These features have
> to be specifically enabled.
> In short: set the "immutable" flag on all
> important binaries and scripts (see "man chflags") and run the system
> with securelevel set non-zero. The immutable files then can't be
> modified, and the immutable flag can't be removed except by taking the
> system down to single-user mode.

Yeah, this might be true (I haven't looked into the mechanisms of this, are we sure that an attacker can't modify the files through an indirect means?), but as you note these measures need to be specifically enabled and I doubt many people enable such features.. so, on the average system where root privileges can be attained in the first place, these options are probably not configured.

However, I don't see how this will necessarily help you against files that need to get changed, such as log files and utmp, unless the system just makes an artificial distinction between legitimate changes to the file and human-specified changes.. in which case I'm quite sure that a clever attacker could trick the ever-stupid computer.

However for bins such as ps and netstat, you are absolutely correct.. I still prefer tripwire or a similar set up, however, because a determined attacker could probably modify the disk itself, and while the odds on this being useful for implementing an evil ps or netcat are slim at best, it still leaves me suspicious.

This is a good point though, it might be wise to start shipping FreeBSD with important files locked up as the default.

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"Enlightenment is man's emergence from his self-incurred immaturity.
Immaturity is the inability to use one's own understanding without the
guidance of another. . .Sapere aude! Have the courage to use your own
understanding!" - Immanuel Kant "What is Enlightenment?"
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBNKwABwKEiLNUxnAfAQGoHAP/Qj3pP0hrYhQFJSf4q1tq1l/gK47e8Kk9
fwQPQmOVxZKMXY4srAEHykW+gULV1WwzxdbTh5afca4BIvz7I5CVeEavW1L20Gzc
11lO4a47S0XPH5ZT+X+BAyV+RHNVJxQ3C9QdBma8dVbXnmxVDIEG4bN22RjSgU5f
03YvQ8Hwi/g=
=ULg9
-----END PGP SIGNATURE-----
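Editor's added example, not part of the message above or of FreeBSD itself: the chflags/securelevel procedure Steve Reid describes, written out as a sh script for a FreeBSD box. It sets the schg (system immutable) flag on the binaries a rootkit typically replaces, reads the flag back from "ls -lo", and checks kern.securelevel, because schg only binds root once the securelevel is 1 or higher; at 0 or -1 root can simply run "chflags noschg" and swap the file. The list of files is an assumption for illustration; chflags, the "ls -lo" flags column and the kern.securelevel sysctl are FreeBSD's own. The parsing helpers take the command output as text so they can be exercised on constructed sample lines.

```shell
#!/bin/sh
# Added example (not from the original message): lock the binaries a
# rootkit would replace with schg, then verify both the flag and the
# securelevel. FreeBSD-specific: chflags(1), "ls -lo", sysctl kern.securelevel.
# LOCKDOWN_FILES is an assumed list, extend it for your own system.

LOCKDOWN_FILES="/bin/ps /usr/bin/netstat /bin/ls /usr/bin/login /usr/libexec/telnetd"

# Field 5 of a "ls -lo" line is the flags column ("-" when no flags are set):
#   -r-xr-xr-x  1 root  wheel  schg  31352 Jan  1  1998 /bin/ps
ls_flags() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# Succeeds when the "ls -lo" line carries schg; flags are comma-separated,
# so "schg,uappnd" counts too.
is_immutable_line() {
    case ",$(ls_flags "$1")," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Pull the integer out of "kern.securelevel: N" (N may be -1).
securelevel_from() {
    printf '%s\n' "$1" | sed -n 's/^kern\.securelevel: *\(-\{0,1\}[0-9][0-9]*\).*/\1/p'
}

# schg is enforced against root only at securelevel 1 or higher.
flags_enforced() {
    [ "$1" -ge 1 ]
}

# Set the flag on whatever exists, report anything still unprotected,
# and say whether the protection actually holds at the current securelevel.
lock_and_verify() {
    for f in $LOCKDOWN_FILES; do
        if [ -e "$f" ]; then
            chflags schg "$f"
        fi
    done
    ls -lo $LOCKDOWN_FILES 2>/dev/null | while read -r line; do
        is_immutable_line "$line" || printf 'NOT immutable: %s\n' "$line"
    done
    level=$(securelevel_from "$(sysctl kern.securelevel)")
    if flags_enforced "$level"; then
        echo "securelevel $level: schg cannot be cleared without going single-user"
    else
        echo "securelevel $level: schg is advisory only, root can still chflags noschg"
    fi
}

# Run as root on the FreeBSD box:
#   lock_and_verify
```

The securelevel is what gives the flag its teeth: with kern.securelevel at 0 or -1 the script will report the files as immutable and still warn that root can clear the flag. Raising the level is done at boot (kern_securelevel_enable and kern_securelevel in rc.conf on FreeBSD) and cannot be lowered again without a reboot to single-user mode, which is the property Steve Reid is relying on. As the message notes, this protects static binaries like ps and netstat, not files such as logs or utmp that legitimately change while the system runs.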