Firosh Ummer wrote:

>>Socket hijacking itself is not new - it has been cited in several sources
>>on the net. What I find disturbing is how easy it is for an attacker to
>>hijack a privileged connection and then insert privileged commands,
>>running with very low privileges.

>This is an old, old story. I remember reading many years ago about this
>kind of attack on NFS. (NFS runs on port 2049.) You're right that it's
>an issue, and I don't know of any perfect defense. But then, most Unices
>are frankly not very secure against local privilege elevation attacks,
>so I wouldn't rely too heavily on standard Unix distributions to prevent
>non-root users from getting root anyway. (Maybe I'm alone in that last
>sentiment.)

This is true. In fact, I wrote a proof-of-concept NFS server in 1996 for
this. It simply took over port 2049 for a brief period, and sent a
setuid-root copy of /bin/sh over to the client system. Of course it
wouldn't work if it was mounted nosuid, but in other cases, anyone
executing the shell on the client that had a mounted filesystem from the
server running the fake NFS server would become root.

Oliver Friedrichs
Sr. Manager - DeepSight
Symantec, Inc.
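The nosuid caveat in the message above is the part of this thread an administrator can act on: a fake NFS server that hands out a setuid-root shell only helps the attacker if the client honours setuid bits on that mount. The script below is an added example, not code from the original thread or from either of its authors. It reads mount-table lines in the /proc/mounts format (source, mountpoint, fstype, options, dump, pass), and reports every nfs or nfs4 mount whose option list lacks nosuid. The sample mount lines and the host names fileserver and nas are constructed for the example; the /proc/mounts path is Linux-specific.

```shell
#!/bin/sh
# Added example: audit NFS mounts for the nosuid option.
# Input format is that of /proc/mounts:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample mount table (hosts "fileserver" and "nas" are made up).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
fileserver:/export/home /home nfs rw,relatime,vers=3,hard 0 0
fileserver:/export/tools /opt/tools nfs4 rw,nosuid,nodev,vers=4.1 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
nas:/data /mnt/data nfs rw,nosuid 0 0'

# Reads mount-table lines on stdin; prints "<source> <mountpoint> <fstype> <options>"
# for each nfs/nfs4 mount whose comma-separated option list does not contain nosuid.
find_suid_nfs_mounts() {
    awk '
        $3 == "nfs" || $3 == "nfs4" {
            n = split($4, opts, ",")
            has_nosuid = 0
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") has_nosuid = 1
            if (!has_nosuid) print $1, $2, $3, $4
        }
    '
}

# audit_nfs_mounts "<mount table text>"
# Returns 0 when every NFS mount carries nosuid, 1 otherwise (offenders on stdout).
audit_nfs_mounts() {
    offenders=$(printf '%s\n' "$1" | find_suid_nfs_mounts)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

report() {
    if audit_nfs_mounts "$1"; then
        echo "OK: all NFS mounts are mounted nosuid"
    else
        echo "WARNING: the NFS mounts listed above honour setuid binaries"
    fi
}

# Stand-alone run: the constructed sample first, then this host if /proc/mounts exists.
echo "== constructed sample =="
report "$SAMPLE_MOUNTS"
if [ -r /proc/mounts ]; then
    echo "== this host =="
    report "$(cat /proc/mounts)"
fi
```

On the sample table only fileserver:/export/home on /home is reported; /opt/tools and /mnt/data carry nosuid and are silent. Pair nosuid with nodev on the same mounts, since a device node served from a hostile server is the same class of problem as a setuid binary.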
This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 09:05:57 PST