OSEC

From: Daniel Grunblatt (danielgrunblatt.com.ar)
Date: Thu Feb 01 2001 - 14:19:41 CST

    On Thu, 1 Feb 2001, James Ponder wrote:

    > On Thu, Feb 01, 2001 at 12:17:38PM +0000, Charlie Root wrote:
    > > That's my professional advice, if your system is trojaned or backdoored,
    > > it's too late to worry about root safety, it's already gone.
    >
    > Thanks for your email, it was interesting reading, it was appreciated.
    >
    > However, tell me... Say there was an exploitable vulnerability that gave
    > the attacker root access on your OpenBSD machine - perhaps the recent ftpd
    > bug or something like the recent bind problem. The attacker now has root
    > access and replaces your /usr/bin/su and/or /usr/bin/sudo with their own
    > version that records your password. They disable your checksum integrity
    > checker, perhaps by simply altering it to return the old checksum, or
    > something more complicated like a kernel attack.
    >
    > There might be something else you've installed that would alert you,
    > perhaps remote syslog logging or something, but let's say you don't have
    > that kind of setup (and let's face it, most companies don't, and even if
    > they did, the log doesn't get read).
    >
    > Let's assume the attacker does not launch network-level attacks or that
    > your network is all secure from arp attacks or whatever.
    >
    > The attacker cannot do much. Obviously they can alter all the services
    > on the machine, but that's as far as it goes, your other machines are safe.
    >
    > Now, you want to do some maintenance one day:
    >
    > * If you connect to this machine via ssh and run '/usr/bin/su' you lose your
    > root password to the attacker.
    >
    > * If you connect to this machine via ssh and run sudo, you lose your user
    > account password to the attacker.
    >
    > * If you had logged in as root via ssh, you wouldn't have lost any access
    > details.
    Wrong, you lose your root password to the attacker.
    >
    > As pointed out to me, there are mechanisms such as s/key that could be used,
    > but that is a real effort to most people. Plus, you could have many
    > different root passwords, but again, that is a real effort to most people
    > too.
    >
    > So, in this situation, wouldn't ssh to root be better?
    No.
    >
    >
    > Best wishes, James
    > --
    > James Ponder; www.squish.net
    >
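The thread's central point is that an integrity checker living on the compromised host is only as trustworthy as that host: an attacker with root can alter it "to return the old checksum". The defensive consequence is that both the reference hashes and the comparison have to run from somewhere the host's root cannot reach, for example against a read-only copy of the suspect filesystem mounted on a trusted machine. The following is an added example written for this page, not code posted in the thread; it builds a baseline in the same two-space format `sha256sum -c` reads, so the baseline can be stored and re-checked with standard tools elsewhere, and the file names and contents it uses are constructed stand-ins for `su`, `sudo` and `ls`.

```python
"""Off-host integrity baseline: hash a set of files, keep the baseline on a
trusted host, and later re-hash the files (or a copy of them) and report
which ones changed.  Constructed example, not from the original thread."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its digest.  Record the result on a trusted host,
    never on the host being watched."""
    return {p: hash_file(p) for p in paths}


def to_sha256sum_lines(baseline):
    """Serialize as '<digest>  <path>' lines, the format 'sha256sum -c' accepts,
    so the baseline can be checked with standard tools on another machine."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(baseline.items()))


def from_sha256sum_lines(text):
    """Parse the two-space format back into a {path: digest} mapping."""
    baseline = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")
        baseline[path] = digest
    return baseline


def compare(baseline, root=""):
    """Re-hash every baseline entry and return {path: 'ok'|'modified'|'missing'}.
    `root` lets the check run against a copy of the filesystem, e.g. a
    read-only mount of the suspect disk on a trusted host."""
    report = {}
    for path, expected in baseline.items():
        full = os.path.join(root, path.lstrip("/")) if root else path
        if not os.path.exists(full):
            report[path] = "missing"
        elif hash_file(full) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: baseline three stand-in 'binaries', then replace
    one and delete another, as the thread describes an attacker doing to su."""
    with tempfile.TemporaryDirectory() as d:
        originals = {
            "su": b"#!/bin/sh\necho original su\n",
            "sudo": b"#!/bin/sh\necho original sudo\n",
            "ls": b"#!/bin/sh\necho original ls\n",
        }
        paths = []
        for name, body in originals.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(body)
            paths.append(p)
        saved = to_sha256sum_lines(build_baseline(paths))  # this text lives off-host

        # Tampering: su replaced, ls removed, sudo untouched.
        with open(os.path.join(d, "su"), "wb") as f:
            f.write(b"#!/bin/sh\necho replaced su\n")
        os.remove(os.path.join(d, "ls"))

        report = compare(from_sha256sum_lines(saved))
        return {os.path.basename(k): v for k, v in report.items()}


if __name__ == "__main__":
    print(demo())  # {'su': 'modified', 'sudo': 'ok', 'ls': 'missing'}
```

The `root` parameter of `compare()` is the part that matters for the thread's scenario: pointing it at a mounted copy of the suspect disk means neither the hashing code nor the baseline ever executes under the suspect host's kernel, which is the only arrangement the thread's "alter the checker to return the old checksum" attack does not defeat. Detection is still limited to files in the baseline; a kernel-level modification of the running system is outside what a file-hash comparison can see.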