Re: 3 pigs building web servers? hacker wolf?

From: ghandi (ghandiat_private)
Date: Mon Jun 18 2001 - 23:29:30 PDT


On Mon, 18 Jun 2001, Robert Shea wrote:

> Is anyone at all familiar with the BrickServer system?
> (http://brickserver.com/) I have looked over their site and the whole
> thing looks pretty questionable, but a new client of ours runs it. I
> have only been able to find the thttp DOS issue.
>
> thank you,
> robert
>

There are several problems with the BrickServer system.  The version of
thttpd shipped with it has several more issues including web directory
listings (http://www.example.com/%2e%2e/), including cgi-bin
(http://www.example.com/%2e%2e/cgi-bin/) and arbitrary file disclosure
(http://www.securityfocus.com/bid/1737).  Of course, the files that can be
read are subject to the Process-Based Security ACLs.  But, as the
webserver process needs to read .htpasswd files and cgi scripts, those are
readable and can be leveraged to gain further access.  Process-Based
Security fails when the security of the process is weak.

On the system, many things run as UID = 0 (root), but are limited by the
PBS Access Control Lists.  From shell access to the system, there used to
be at least a couple of ways to bypass PBS.  IIRC, /proc tricks were used
back when SAGE had a hack-for-cash challenge.  I wouldn't be surprised if
there were still a couple of ways a UID = 0 process could escape the
restrictions of PBS.  Have they wrapped EVERY system call or entry point?
Not even Trusted Solaris got them all.  From their white paper (URL
below), it seems that the ACLs are defined on a process name or path;
there may be a way to fool this.  I would investigate procfs, signals,
mknod, chroot, exec (where file, path != argv[0]), etc.

Their white paper on PBS is at http://www.3rdpig.com/white%20paper.zip.
Note their confusion on the difference between memory leaks and buffer
overflows.  Anyway, the last version of the system I used was at DEF CON
7, so things may have changed a bit.  It would be nice if their Linux
kernel patches were released for peer review, but unfortunately that is
not the case.

--
ghandi / ghandiat_private / www.dopesquad.net
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB  0A55 A61D 9057 63F5 9B1F

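As an added defensive example (not part of the message above or of any BrickServer/thttpd code): a small checker that reads web access-log lines, percent-decodes each request path, and flags the encoded dot-dot form the post describes (`%2e%2e`), including double-encoded variants. The log lines and the client addresses in them are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The %2e%2e
# requests mirror the encoded-traversal URLs mentioned in the post;
# the %252e%252e line is a double-encoded variant added for coverage.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2001:23:10:01 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [18/Jun/2001:23:11:14 -0700] "GET /%2e%2e/ HTTP/1.0" 200 512
10.0.0.9 - - [18/Jun/2001:23:11:20 -0700] "GET /%2e%2e/cgi-bin/ HTTP/1.0" 200 777
10.0.0.9 - - [18/Jun/2001:23:12:02 -0700] "GET /%252e%252e/etc/passwd HTTP/1.0" 404 0
10.0.0.7 - - [18/Jun/2001:23:13:40 -0700] "GET /docs/..%2fcgi-bin/ HTTP/1.0" 200 300
"""

# Pulls the method and path out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that %2e%2e and %252e%252e
    both collapse to a literal '..'. Stops early once decoding is stable."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_traversal(path: str) -> bool:
    """True if any '/'-separated segment of the decoded path is exactly '..'.
    Comparing whole segments avoids false positives on names like 'a..b'."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))


def find_traversal_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_request_path) for every log line whose
    decoded path contains a '..' segment. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_path = m.group("path")
        if is_traversal(raw_path):
            hits.append((line.split()[0], raw_path))
    return hits
```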



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 14:26:57 PDT