Date: Tue, 18 Feb 1997 23:51:50 -0600 (CST)
From: "Thomas H. Ptacek" <tqbf@enteract.com>
To: cys@mailhost.wlc.com
Cc: tqbf@enteract.com, freebsd-security@freebsd.org
Subject: Re: Security problem in FreeBSD /sbin/init
Message-ID: <199702190551.XAA12266@enteract.com>
In-Reply-To: <199702190351.TAA01277@cwsys.cwent.com> from "Cy Schubert" at Feb 18, 97 07:50:52 pm

> I don't think this is a security problem since /sbin/init has permissions
> of 500 and /etc/ttys has permissions of 644.

You're missing the point. This is not a "get-root" bug. This is a vulnerability that will allow an intruder that has already gained illicit root access to evade "securelevels", which, among other things, prevent modifications to the running kernel and to critical system binaries by root. The status of the files is irrelevant unless they're immutable.

Many, many systems (several of mine included) rely on this mechanism to ensure that, even if root is somehow compromised, the system cannot be transparently modified to permit indefinite, undetectable future access by the attacker.

Code exists and is being circulated that will allow intruders to circumvent virtually every publicly available method of intrusion detection; an attacker that controls the running kernel can prevent the maintainers of the system from verifying its integrity, even cryptographically, without physically removing the storage media and mounting it in a "clean" machine.

Obviously, it's fairly important that this be fixed immediately, and that word is spread immediately so that people who have taken these measures to protect their systems are aware of the potential for silent compromise.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
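The distinction the reply draws between permission bits and immutable flags, as an added example that is not part of the original message: a Python audit that reports which files a root process could still alter in place at a given securelevel. The modes 500 and 644 are the ones quoted above; the flag values in the sample and the path /example/flagged are constructed.

```python
import os
import stat

# BSD file flags as set by chflags(1): schg (system) and uchg (user) immutable.
SCHG = stat.SF_IMMUTABLE
UCHG = stat.UF_IMMUTABLE


def root_can_modify(flags, securelevel):
    """Return True if a root process can still change the file in place."""
    if flags & SCHG:
        # Root may clear schg only while the securelevel is 0 or lower.
        return securelevel <= 0
    # Mode bits never bind root, and root can clear uchg at any securelevel.
    return True


def audit(entries, securelevel):
    """entries: iterable of (path, mode, flags). Returns [(path, reason)]."""
    findings = []
    for path, mode, flags in entries:
        if not root_can_modify(flags, securelevel):
            continue
        if flags & SCHG:
            reason = "schg set, but securelevel %d lets root clear it" % securelevel
        elif flags & UCHG:
            reason = "only uchg set, which root can clear"
        else:
            reason = "mode %03o only, no immutable flag" % stat.S_IMODE(mode)
        findings.append((path, reason))
    return findings


def snapshot(paths):
    """Collect (path, mode, flags) from the live system; st_flags is BSD-only."""
    return [(p, st.st_mode, getattr(st, "st_flags", 0))
            for p, st in ((p, os.lstat(p)) for p in paths)]


# Constructed sample: the two modes quoted in the thread, plus one flagged file.
SAMPLE = [
    ("/sbin/init", 0o100500, 0),
    ("/etc/ttys", 0o100644, 0),
    ("/example/flagged", 0o100555, SCHG),  # hypothetical path
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE, securelevel=1):
        print(path, "-", reason)
```

On a FreeBSD host, `audit(snapshot([...]), level)` runs the same check against real files, with `level` taken from `sysctl kern.securelevel`.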