Lan Barnes wrote:
> On Tue, Feb 01, 2005 at 03:53:50PM -0800, John H. Robinson, IV wrote:
> > Lan Barnes wrote:
> > > > 
> > > > That shellcode then fires off whatever the attacker wants. Ofttimes an
> > > > identd that will spawn telnetd or something of the like. The attacker
> > > > can then log in whenever he wants, as root.
> > > > 
> > > 
> > > ???? A script belonging to apache (at best) fires off inetd? I would be
> > > quite surprised.
> > 
> > Why not? Write your own inetd.conf, but allocate no ports < 1024. Run
> > your own telnetd on an oddball port. I tend to like 3030 :)
> > 
> > You are thinking apache exploits. I am thinking exploits in general.
> > 
> > Okay, let's say we have a vulnerable service that allows a remote user to
> > run arbitrary commands (shellcode). We have a *local* service, maybe
> > sendmail, that has a root escalation. You use that remote command
> > execution to run the shellcode that triggers the root escalation. You now
> > have remote root.
> > 
> 
> In your example, sendmail is the locus of the vulnerability.

No.

There are two halves: the local root escalation, and the remote
arbitrary command. You need both halves in this case to escalate a local
root escalation to remote root.

Sendmail is not the only program to have root escalation problems.
Apache is not the only program to have remote arbitrary commands. This
is why you have to keep a lookout for both. Most everyone is keenly
aware of the need to fix the direct remote-root vulnerabilities. It is
less thought of that local root + remote arbitrary command = remote
root.

-john
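The chain John describes (a web-server account spawning a shell, which spawns an inetd/telnetd listener on an oddball port such as 3030) leaves a process tree and a socket table that a defender can check for. The following is an added example, not code from the thread or from any list member; it parses constructed `ps`-style and listener snapshots (the column layout and the sample PIDs are assumptions made for the example) and flags service-account processes that are shells or network listeners, or that listen on a port the service is not expected to own.

```python
"""Heuristic detector for the 'service account spawns a listener' pattern.

Added example. Input formats are simplified, constructed snapshots:
  processes: "PID PPID USER COMMAND" (one header line, then one line per process)
  listeners: "PORT PID"              (one header line, then one line per socket)
"""
from dataclasses import dataclass

# Accounts that run network-facing daemons and should never own a shell
# or an ad-hoc listener (assumed set; adjust to the host's own accounts).
SERVICE_ACCOUNTS = {"apache", "www-data", "nobody"}

# Ports each service account is expected to own (assumed for the example).
EXPECTED_PORTS = {"apache": {80, 443}, "www-data": {80, 443}, "nobody": set()}

# Commands that should not appear under a service account at all.
SHELL_OR_LISTENER = {"sh", "bash", "inetd", "xinetd", "telnetd", "nc", "ncat"}


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str


def parse_processes(text: str) -> dict[int, Proc]:
    """Parse the constructed 'PID PPID USER COMMAND' table into a pid->Proc map."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip header
        pid, ppid, user, comm = line.split(None, 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm)
    return procs


def parse_listeners(text: str) -> list[tuple[int, int]]:
    """Parse the constructed 'PORT PID' table into (port, pid) pairs."""
    pairs = []
    for line in text.strip().splitlines()[1:]:
        port, pid = line.split()
        pairs.append((int(port), int(pid)))
    return pairs


def ancestry(procs: dict[int, Proc], pid: int) -> list[str]:
    """Return the command chain from the root of the tree down to pid."""
    chain = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].comm)
        pid = procs[pid].ppid
    return list(reversed(chain))


def find_suspicious(procs: dict[int, Proc],
                    listeners: list[tuple[int, int]]) -> list[tuple[int, str]]:
    """Return (pid, reason) findings for service accounts behaving like a foothold."""
    findings = []
    # 1. A service account running a shell or a generic network listener.
    for p in procs.values():
        if p.user in SERVICE_ACCOUNTS and p.comm in SHELL_OR_LISTENER:
            findings.append((p.pid, f"{p.user} running {p.comm} "
                                    f"(chain: {' > '.join(ancestry(procs, p.pid))})"))
    # 2. A service account owning a listening port it is not expected to own.
    for port, pid in listeners:
        p = procs.get(pid)
        if p and p.user in SERVICE_ACCOUNTS and port not in EXPECTED_PORTS.get(p.user, set()):
            findings.append((pid, f"{p.user} ({p.comm}) listening on unexpected port {port}"))
    return findings


# Constructed sample snapshot modelling the thread's scenario: httpd workers
# run as 'apache'; one worker has spawned sh, which spawned inetd on port 3030.
SAMPLE_PS = """\
PID PPID USER COMMAND
1 0 root init
812 1 root sendmail
1001 1 root httpd
1002 1001 apache httpd
1003 1001 apache httpd
1044 1003 apache sh
1045 1044 apache inetd
"""

SAMPLE_LISTENERS = """\
PORT PID
25 812
80 1001
3030 1045
"""


def run_sample() -> list[tuple[int, str]]:
    """Run the detector over the constructed snapshot."""
    return find_suspicious(parse_processes(SAMPLE_PS), parse_listeners(SAMPLE_LISTENERS))


if __name__ == "__main__":
    for pid, reason in run_sample():
        print(f"pid {pid}: {reason}")
```

On the sample the detector reports the shell (pid 1044), the inetd (pid 1045) with its `httpd > httpd > sh > inetd` ancestry, and the unexpected listener on port 3030; the root-owned httpd on port 80 and sendmail on 25 are not flagged. Both halves of John's chain matter here: this only spots the foothold, so the local root escalations still need patching.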
-- 

KPLUG-List mailing list
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
