Subject: Re: [Security Discuss] Re: [Security Announce] MDKSA-2000:077 - apcupsd update
From: celer (celer scrypt.net)
Date: Wed Dec 13 2000 - 09:33:43 CST
To dance on the grave of the dead horse:
As an attacker it would probably not be that hard to get root to stop
the cupsd, triggering the attack. I imagine a little social engineering
would work well. Perhaps a forged mail to root from what appears to be a
valid user, noting that cups is not working. An attack like this is more
plausible for me because I have a co-located server on which I have users
paying for shell accounts. To make matters worse I have a user who likes
to test system security, so I have to be fairly watchful.
In fact I can think of times when we have had attackers with
non-privileged logins when I was helping to support a 3000+ user Solaris
setup.
celer
On Tue, 12 Dec 2000, Jay Beale wrote:
> In the wise words of Henrik Edlund:
>
> > And to really beat it even harder;
> >
> > Never let untrusted local users onto your precious servers... There should
> > be no shell accounts (for other than admins) on a machine running as
> > webserver or any other server.
> >
> > Case closed.
>
> The tough thing, Henrik, is that it's not really so simple. There are a
> number of attacks that simply give the attacker a (non-root) shell. They
> may do slightly less, allowing the attacker to execute a single command.
> In any case, even without accounts, an attacker often can run commands as
> a non-root user. From there, their goal will be to escalate privilege up
> to root and/or interactive shell access.
>
> - Jay
>
>