[GRLUG] Apple did it already (was: Proof of concept)

Greg Folkert greg at gregfolkert.net
Fri Apr 6 14:18:14 EDT 2007


On Fri, 2007-04-06 at 13:33 -0400, Michael Mol wrote:
> On 4/6/07, Greg Folkert <greg at gregfolkert.net> wrote:
> > On Fri, 2007-04-06 at 01:22 -0400, Marc Zuverink wrote:
> > > http://www.symantec.com/security_response/writeup.jsp?docid=2007-040516-4947-99
> >
> > Heck, Apple did the same thing a few years ago. Except now it's been
> > tailored. AND it's not really a real compromise.
> >
> > It is the same thing that all "linux" supposed viruseseses are, a
> > userland tool. It screws up their (a user's) stuff, and doesn't affect
> > the system, no wash and rinse of the machine needed, just the user.
> 
> I beg to differ. First, there's no shortage of terminal-access
> privilege escalation being discovered every month; it simply doesn't
> receive the same preventative care that network services get.

Sure thing, having "root" access is a bad thing in the hands of a
complete idiot. Most of your terminal priv escalation is due to
programmers not understanding what suid and sgid are all about. Many also
do not understand how to wrap these properly. In fact, most problems come
from people transferring "good practices" from a Windows environment
to a *NIX environment. Problems are going to occur.

> Second, if the user has sudo access, the virus or worm can nab the
> same access the user has via a man-in-the-middle attack. And how many
> people do you know who grant all privileges to a user via sudo?
> Granting "ALL" permissions seems to be the default, as far as sudoers
> tutorials go.

Yep, and how many users actually understand sudo well enough to use it
from a command prompt? In fact, sudo is a userland utility to give super
user access. If the user stupidly uses it, do they deserve it? No.

> Third, there's still LD_PRELOAD, though I forget if that's been patched.

LD_PRELOAD depends on your specific environment. True, many users don't
even begin to understand why it's bad to just "do, without thinking". I
once gave a command line to a person that thoroughly understood tcsh, or
so he said.

It was for his "server at home". I told him not to run it, as it would
bind the machine right up with runaway loops. He ran it anyway, because
he couldn't see the issue in it.

> And, of course, there's still issues like whether or not the user is a
> member of a powerful group such as disk.

Being a part of "disk" means they have changed something, and are
completely at the mercy of their stupid mistakes. I have zero sympathy
for people shooting their own foot.

> SE Linux is like a firewall that applies to userland activities,
> except fewer people have it, and many of those who do run it in
> "permissive" mode.

It's their own fault, not understanding what or why they are doing
things. People just want answers, without learning. They just want it to
work, without care or consequence. That is, until they lose everything or
are severely compromised and are literally "wiped out" due to ID
theft or "logging in to PayPal" to clear up a "disabled account"
problem. Stupid is as stupid does, especially when related to
computers.

Or, that HOW-TO you just read makes serious bling-bling on your
computer... amazingly, your credit card is at its max credit limit now and
your ATM card just had a $300 purchase.
-- 
greg, greg at gregfolkert.net

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup
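The thread argues about three user-level paths to root: a sudoers rule granting ALL (with or without NOPASSWD, and with sudo's cached credential ticket), membership in a powerful group such as disk, and SELinux left in permissive mode. The script below is an added example (not code from the list, from Greg, or from Michael) that audits one account against all three using constructed sample copies of /etc/sudoers, /etc/group and /etc/selinux/config; the file contents, user names and group names are invented for the example. The sudoers parser handles only the plain `user HOST=(runas) [NOPASSWD:] cmds` and `Defaults name[=value]` forms; aliases and `#include` are ignored.

```python
"""Audit one account's exposure to the escalation paths discussed in the thread:
sudo ALL rules, cached sudo tickets, powerful group membership, SELinux mode.
All inputs below are constructed samples; pass the real file contents to audit
a live box."""
import re
from dataclasses import dataclass

# Groups whose membership is root-equivalent or close to it (disk = raw block
# device access, so /etc/shadow and any setuid binary are writable).
POWERFUL_GROUPS = {"disk", "wheel", "sudo", "admin", "root"}

SAMPLE_SUDOERS = """\
# constructed sample sudoers, not a real file
Defaults env_reset
Defaults timestamp_timeout=15
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(root) NOPASSWD: /usr/bin/apt-get
%admin  ALL=(ALL) NOPASSWD: ALL
carol   ALL=(ALL) /bin/ls, /usr/bin/vim
"""

SAMPLE_GROUP = """\
root:x:0:
disk:x:6:alice
sudo:x:27:alice,bob
admin:x:1001:dave
users:x:100:alice,bob,carol,dave
"""

SAMPLE_SELINUX = """\
SELINUX=permissive
SELINUXTYPE=targeted
"""

# user/%group  host=(runas)  [TAG: ...]  command list
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)=(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class SudoRule:
    who: str
    runas: str
    nopasswd: bool
    commands: str

    def grants_all(self) -> bool:
        return self.commands.strip() == "ALL"


def parse_sudoers(text: str):
    """Return (defaults dict, list of SudoRule) from sudoers-format text."""
    defaults, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        if line.split()[0] == "Defaults":
            for opt in line[len("Defaults"):].split(","):
                key, _, val = opt.strip().partition("=")
                if key:
                    defaults[key.strip()] = val.strip() if val else True
            continue
        m = RULE_RE.match(line)
        if m:  # aliases, #include and other forms are skipped
            rules.append(SudoRule(m["who"], m["runas"] or "root",
                                  "NOPASSWD" in m["tags"], m["cmds"].strip()))
    return defaults, rules


def parse_groups(text: str):
    """Map group name -> set of members from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups


def selinux_mode(text: str) -> str:
    for line in text.splitlines():
        key, _, val = line.partition("=")
        if key.strip() == "SELINUX":
            return val.strip().lower()
    return "unknown"


def audit_user(user, sudoers_text, group_text, selinux_text):
    defaults, rules = parse_sudoers(sudoers_text)
    groups = parse_groups(group_text)
    mine = [r for r in rules if r.who == user
            or (r.who.startswith("%") and user in groups.get(r.who[1:], ()))]
    return {
        "sudo_all": [(r.who, r.nopasswd) for r in mine if r.grants_all()],
        # unless timestamp_timeout=0, a later sudo in the same session reuses
        # the ticket, which is the "nab the same access" worry in the thread
        "sudo_ticket_cached": bool(mine) and defaults.get("timestamp_timeout") != "0",
        "powerful_groups": sorted(g for g in POWERFUL_GROUPS if user in groups.get(g, ())),
        "selinux": selinux_mode(selinux_text),
    }


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        print(u, audit_user(u, SAMPLE_SUDOERS, SAMPLE_GROUP, SAMPLE_SELINUX))
```

On a real host, feed `audit_user` the output of `sudo cat /etc/sudoers` (plus anything under /etc/sudoers.d), `/etc/group` and `/etc/selinux/config`; an account that shows a `sudo_all` hit, a cached ticket and `disk` membership is one whose userland compromise is a system compromise, whatever the "just the user" argument says.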
