On Thu, 3 Mar 2005, Adrian Phillips wrote:

> >>>>> "Jim" == Jim Carter <[EMAIL PROTECTED]> writes:
>
> Jim> If a very sharp hacker "gets root" on the UML guest, he can...
> Jim> chroot jail, he can import statically linked tools (using
> Jim> ports that have to be open for the guest's mission) and
> Jim> perpetrate the same 'sploit against the host. The jail makes
> Jim> this harder but not impossible.
>
> Okay, this lost me. "import statically linked tools (using ports ...)"
> - what does this mean ? A cracker can run arbitrary code as the uml
> user running the uml (inside the chroot). Are you then suggesting he
> could use exploitable daemons running on the host to obtain additional
> "tools" within the chroot ?

No, the tools come first, and then the attack on vulnerable daemons or, more likely, the kernel itself. Generally the hacker puts together one or more little programs that perform the exploit, and imports them to the victim host. In the case of a virus, the "tools" are often included in the payload, but a number of viruses download additional software from the mother ship or from another infected host, keeping the payload small and less likely to be spotted.

If the guy knows how to make life easy for himself, he can use the UML to do the TCP/IP transport and store his materials, only influencing the host itself when he's ready. And then the tools wouldn't have to be statically linked; he would use the libraries in the UML.

For kernel vulnerabilities, I'm thinking of the MTRR problems from August or September 2004. But there are plenty of patch reports for daemon vulnerabilities that are accessible only to local users, i.e. the UML special user. If the user has to open a local UNIX-domain socket, that would not be visible in the chroot jail, but if it's a port listened to only locally, chroot doesn't affect ports.

Zot.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: [EMAIL PROTECTED]  http://www.math.ucla.edu/~jimc (q.v.
for PGP key)
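
Added example, not part of the original message: a host-side audit for the point above that chroot does not restrict ports. It parses text in /proc/net/tcp layout and lists TCP listeners bound only to loopback, which a process inside the jail can still connect to. The function names are hypothetical and the sample rows are constructed.

```python
"""List loopback-only TCP listeners from /proc/net/tcp-format text."""
import socket
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1302 1 0 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1410 1 0 100 0 0 10 0
   3: 0100007F:9C40 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 1522 1 0 100 0 0 10 0
"""


def decode_addr(field):
    """Decode 'HEXIP:HEXPORT' as printed on a little-endian host (assumption)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def loopback_listeners(proc_net_tcp_text):
    """Return sorted (ip, port, uid) for LISTEN sockets bound to 127.0.0.0/8."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue  # blank line, or a socket that is not listening
        ip, port = decode_addr(cols[1])
        if ip.startswith("127."):
            found.append((ip, port, int(cols[7])))  # cols[7] is the owner uid
    return sorted(found)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live data on a Linux host
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample
    for ip, port, uid in loopback_listeners(text):
        print(f"{ip}:{port} (owner uid {uid}) is not hidden by a chroot jail")
```

Each listener reported is a daemon that the UML user on the host can reach over TCP even though its files are outside the jail, so it belongs in the host's patch and hardening review.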