RE: OpenSSH Vulns (new?) Priv separation

From: Michal Zalewski (lcamtufat_private)
Date: Wed Jun 26 2002 - 21:11:03 PDT


    On Wed, 26 Jun 2002, Peter Mueller wrote:
    
    > reducing root-run code from 27000 to 2500 lines is the important part.
    > who cares how many holes there are when it is in /var/empty/sshd chroot
    > with no possibility of root :)
    
    Interesting approach.
    
    This gives the attacker an opportunity to access your system. Exploiting
    local bugs in the kernel aside... using your system for further
    compromises or other behavior of this nature aside... chroot is still not
    a silver bullet. It essentially provides a filesystem-level separation -
    but not on every system does this mean any particular IPC restrictions, for
    example. Having an attacker in the system, no matter what his uid is, is a
    serious problem. The attacker with no direct ability to do rm -rf / or to
    change your webpage would be perhaps considered less serious, but I do not
    buy this argument. If you maintain your system properly and patch it on a
    regular basis, script kiddies are really not that difficult to get rid of.
    Even if you actually get compromised, it is probably better for the kiddie
    to be able to do something terribly evident, so you can know about the
    compromise, restore the data and continue.
    
    Script kiddies rarely have access to exploits for not yet published
    vulnerabilities and so on. It is people with some serious intent and
    skills you should fear, and having one with uid != 0 does not make me feel
    any safer. Sure, privilege separation is an added value - it will protect
    clueless people who do not keep up with patches from mass defacements -
    but that's it.
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
              http://lcamtuf.coredump.cx/photo/
    



    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 21:27:25 PDT