On 18 August 2013 20:56, kizito Mudambo <[email protected]> wrote:
> @ william Kibira, for the Linux part, I don't think it would be as easy as
> that given the fact that Linux handles executables or anything that can be
> executed in a different manner...
If I have to take a guess at how the exploit works, it's probably some buffer overflow exploit in the parsing. The problem here is that since the code is injected into an already-running process, the usual Linux failsafes at the file system level (requiring the executable bit to run, etc.) are bypassed. As you say, the rogue code *should* not be able to do anything a normal unprivileged user cannot do, but that's still a lot. Think about it. The user's home directory is compromised. Documents, saved passwords, session cookies...

AND, notice the word "should". Since Mobile Partner needs to access a hardware device, it does need some privileges a normal user doesn't have. The proper way to do it is to add the user to the dial-out group, and have the device nodes owned by the same. The less proper way is to start the program with root privileges, grab access to the dongle, and then drop all privileges. The horribly improper way would be simply to run the whole thing as root altogether. Since I don't use the Mobile Partner software for Linux, I don't know under which category this software falls. It does sound like a badly designed piece of software, though, so I'm not hopeful...

In either case, the home directory is at risk, and there are loads of things an attacker could do there. It would be a simple matter for an attacker to edit .bashrc, prepend a path to the exec environment, and then write a replacement sudo script which intercepts the password and sends it back to the attacker. It would be an even simpler matter to install a malicious browser add-on which intercepts every password entered. The possibilities are endless, given a careless user.
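The "start as root, grab the dongle, then drop all privileges" route mentioned above, as an added C example that is not code from the thread or from the Mobile Partner software: it clears supplementary groups, sets the gid and then the uid in the only order that works, and refuses to continue unless it can prove root cannot be regained. The device path /dev/ttyUSB0 is an assumed placeholder.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Drop root to uid/gid in the only order that works: supplementary
 * groups, then primary gid, then uid. Once the uid is non-zero,
 * setgroups()/setgid() fail with EPERM, so root groups would linger.
 * Returns 0 only when the process is verifiably unprivileged. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {                    /* "dropping" to root is no drop */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                     /* only root may clear the list */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Do not trust the calls: check real and effective ids, and prove
     * root cannot be regained (setuid(0) succeeding means a leak). */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid || setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* "Start as root, grab the dongle, drop privileges" flow. DEVICE is an
 * assumed placeholder path, not one named in the thread. */
#define DEVICE "/dev/ttyUSB0"

int main(int argc, char **argv)
{
    if (argc != 3)
        return 2;                               /* usage: prog <uid> <gid> */
    int fd = open(DEVICE, O_RDWR | O_NOCTTY);   /* while still root */
    if (drop_privileges((uid_t)strtoul(argv[1], NULL, 10),
                        (gid_t)strtoul(argv[2], NULL, 10)) != 0) {
        perror("drop_privileges");
        return 1;                               /* never carry on as root */
    }
    printf("uid %u gid %u, device fd %d\n",
           (unsigned)getuid(), (unsigned)getgid(), fd);
    return 0;
}
```

Run as root with the target user's uid and gid; the open() happens before the drop, so the unprivileged process keeps the descriptor but nothing else.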
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug
Mailing list archives: http://www.mail-archive.com/[email protected]/
