Difference between revisions of "Summerschool Aachen 2004/Programming Errors Lab"

From C4 Wiki
Jump to: navigation, search
(Example vulnerability on the SRCF)
Line 9: Line 9:
 
-- [[Lisa Thalheim]]
 
-- [[Lisa Thalheim]]
  
===Example vulnerability on the SRCF==
+
==Example vulnerability on the SRCF==
  
 
As I think I mentioned, the [http://www.srcf.ucam.org/ SRCF] has a big
 
As I think I mentioned, the [http://www.srcf.ucam.org/ SRCF] has a big
Line 45: Line 45:
 
created, which was isolated from their normal account, and that could
 
created, which was isolated from their normal account, and that could
 
not run CGIs.
 
not run CGIs.
 +
 +
--[[Steven Murdoch]]

Revision as of 16:37, 22 September 2004

Presentation Summary

Notes from the Lab Session

Notes from Presentations

Metasploit is a nice repository for shellcode, UNIX as well as Windows.

-- Lisa Thalheim

Example vulnerability on the SRCF

As I think I mentioned, the SRCF has a big problem allowing so many users to run CGI and PHP scripts on our webserver. We try to limit the number of insecure scripts by looking for old versions of vulnerable software, but we do not have the resources to check whether user-written scripts are exploitable. What we try to do is stop one user's script from interfering with other user's scripts, and stop attackers from being able to escalate a exploitable CGI into a root exploit.

This approach does not always work and there have been two successful root compromises since 2000. The first was simply getting a user shell using an exploitable CGI (Ikonboard). The attacker then used a ptrace exploit to get root. This was before a patch to the vulnerability has been released. They then installed the SuKIT rootkit.

The more interesting one was where the attacker used site-specific knowledge to get root. It is likely he used a vulnerable CGI to look around the system. What he noticed is that one other vulnerable CGI was written by an ex-sysadmin and so could get access to that account. While that user did not have root access, he did own one old file which was processed by a cron job. This cron job ran as root and did not check for shell metacharacters in the input file (since it was meant to only be written to by sysadmins). The attacker embedded a command in the input file so as to create a root shell when it was processed by the cron job. Fortunately we stopped tha attack before any harm could be done, and we also captured a list of commands he entered. In reaction to this attack we introduced two new policies. Firstly all scripts run as root were audited to ensure that no files writable by non-root users were opened. Secondly each system administrator had a new account created, which was isolated from their normal account, and that could not run CGIs.

--Steven Murdoch