[GRLUG] Apple did it already (was: Proof of concept)

Michael Mol mikemol at gmail.com
Fri Apr 6 13:33:26 EDT 2007


On 4/6/07, Greg Folkert <greg at gregfolkert.net> wrote:
> On Fri, 2007-04-06 at 01:22 -0400, Marc Zuverink wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > http://www.symantec.com/security_response/writeup.jsp?docid=2007-040516-4947-99
>
> Heck, Apple did the same thing a few years ago. Except now it's been
> tailored. AND it's not really a real compromise.
>
> It is the same thing that all "linux" supposed viruseseses are, a
> userland tool. It screws up their (a user's) stuff, and doesn't affect
> the system, no wash and rinse of the machine needed, just the user.

I beg to differ.  First, there's no shortage of terminal-access
privilege escalation being discovered every month; it simply doesn't
receive the same preventative care that network services get.

Second, if the user has sudo access, the virus or worm can nab the
same access the user has via a man-in-the-middle attack. And how many
people do you know who grant all privileges to a user via sudo?
Granting "ALL" permissions seems to be the default, as far as sudoers
tutorials go.

Third, there's still LD_PRELOAD, though I forget if that's been patched.

And, of course, there are still issues like whether or not the user is a
member of a powerful group such as disk.

SE Linux is like a firewall that applies to userland activities,
except fewer people have it, and many of those who do run it in
"permissive" mode.

-- 
:wq
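An added example, not part of the thread: a read-only shell audit for the three exposures the post lists (unrestricted sudo "ALL" grants, membership in the disk group, SELinux not enforcing), run here against constructed sample data. The file locations named in the comments (/etc/sudoers, /etc/group, /sys/fs/selinux/enforce) are assumptions about where a host keeps this state.

```shell
#!/bin/sh
# Added example (not from the original post). Inputs are passed as strings so it
# runs offline; on a real host you would feed it the contents of /etc/sudoers,
# /etc/group and /sys/fs/selinux/enforce instead (assumed locations).

# Constructed sample data, not taken from any real host.
SAMPLE_SUDOERS='# constructed sudoers sample
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
bob     ALL=(root) /usr/bin/apt-get
%wheel  ALL=(ALL) NOPASSWD: ALL'
SAMPLE_GROUP='root:x:0:
disk:x:6:root,alice
wheel:x:10:bob'
SAMPLE_ENFORCE='0'   # enforce flag: 1 = enforcing, 0 = permissive

# Principals whose command list is the unrestricted "ALL", with or without a
# NOPASSWD: tag. Output is one space-separated line.
sudoers_all_grants() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 2 { next }
        /[=)][ \t]*(NOPASSWD:[ \t]*)?ALL[ \t]*$/ { out = out sep $1; sep = " " }
        END { print out }'
}

# Members listed for group $2 in /etc/group-style content $1.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { gsub(/,/, " ", $4); print $4 }'
}

# Anything other than "1" means the policy is not actually blocking anything,
# which is the "permissive" case the post describes.
selinux_mode() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo absent ;;
    esac
}

# Combine the checks into findings; root is skipped since it has everything anyway.
audit() {
    for p in $(sudoers_all_grants "$1"); do
        [ "$p" = root ] || echo "sudo: $p may run ALL commands"
    done
    for u in $(group_members "$2" disk); do
        [ "$u" = root ] || echo "group: $u is in disk (raw block-device access)"
    done
    [ "$(selinux_mode "$3")" = enforcing ] || echo "selinux: $(selinux_mode "$3")"
}

audit "$SAMPLE_SUDOERS" "$SAMPLE_GROUP" "$SAMPLE_ENFORCE"
```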
