Subject: Re: Kill the DOG and win 100 000 DM
From: Jeffrey W. Thompson (thompson at ARGUS-SYSTEMS.COM)
Date: Fri Nov 10 2000 - 16:51:31 CST
- Next message: Jay Tribick: "Re: Kill the DOG and win 100 000 DM"
- Previous message: Nikolaou, Dinos: "Re: dos commands via iis 4"
- Next in thread: Lincoln Yeoh: "Re: Kill the DOG and win 100 000 DM"
- Next in thread: Guilherme Mesquita: "Fw: Re: Kill the DOG and win 100 000 DM"
- Maybe reply: Jeffrey W. Thompson: "Re: Kill the DOG and win 100 000 DM"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jay,
Given your example the application would be exec'd at the level of the application.
However, all privileges are lost across the exec.
Also, you would need to be able to talk with the process according to MAC rules in
order to attack this. The likely case is that you will be able to attack services
that are available to the public (not backend databases and other more heavily
protected things).
Also, the vast majority of these services should be protected at a MAC label that
does not give them system access.
This will typically leave a very few services on the system that will yield good
access to the system where you could get a breach. Of course, this presumes that
the system was set up in a proper fashion.
With that said, looking for network services that you can remotely attack that are
at different SLs than you are is an excellent way to get different types of access
to the system. The key is that the access will be different, not necessarily
better! :)
In regards to network protection, this is enforced by the kernel so it does not
matter whether a program is label aware or not. It's totally automatic.
Cheers,
Jeff
Jay Tribick wrote:
> Hi,
>
> > To break it down:
> >
> > 1) When you connected from the internet you logged in as beaner. Your network
> > connection from the internet was automatically marked at a different level
> > than TS ALL. This was probably Confidential User or something like that.
> >
> > 2) Your MAC level (Con User) will stay with your process and all its children
> > no matter if you become another user or break a setuid program.
>
> Let's say, for example, that there was an application running with an SL
> that dominated the attacking user's SL. This application has a remote-exec
> hole (i.e by passing certain commands over the socket, one could cause the
> application to system(3) or exec(3) another program) would the SL of the
> program that was spawned be the SL of the attacking user, or the SL of
> the application from which it was invoked?
>
> (..assuming that the attack was performed by someone locally on the
> machine telnetting to a port on the same box)
>
> > 4) If your process tries to telnet to the local machine its label will be on
> > the stream and will be used in setting up that network connection. This will
> > cause your connection to be at exactly the same level you are at.
>
> Does this assume that the application you're connecting to is label-aware,
> or is it enforced regardless of the application?
>
> --
> Regards,
>
> Jay Tribick
> Senior Systems Engineer
> Carrier1
> Voice: +44 207 531 3874
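The three rules Jeff describes above (the SL is inherited unchanged across exec, even when the uid changes or a setuid program is broken; privileges are dropped across the exec; the kernel stamps every stream with the connecting process's SL, label-aware or not) as a toy Python model. This is an added illustration, not code from the thread or from Argus/PitBull. The label values, the services, the file labels and the idea that a service accepts connections within a configured label range are all constructed assumptions chosen to show Jay's scenario: a remote-exec hole in a higher-labelled service gives you a child at the service's label, but only if MAC rules let you reach that service in the first place, and even then the access is different, not necessarily better.

```python
# Toy model of how a trusted OS propagates MAC sensitivity labels (SLs)
# across exec and network connections. Constructed illustration only: the
# labels, services and files below are made up, and the "accept range" on
# a service is a simplifying assumption, not PitBull's real configuration.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Label:
    """An SL: hierarchical level plus a set of non-hierarchical compartments."""
    level: int                                   # 0=Unclass, 1=Conf, 2=Secret, 3=TS
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Standard MLS dominance: level >= AND compartments are a superset.
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass(frozen=True)
class Process:
    name: str
    uid: str
    label: Label
    privileges: FrozenSet[str] = frozenset()

    def exec_(self, image: str, uid: Optional[str] = None) -> "Process":
        # The SL travels with the process and all its children no matter what
        # uid it becomes; privileges held by the caller are lost across exec.
        return Process(image, uid or self.uid, self.label, frozenset())


@dataclass(frozen=True)
class Service:
    process: Process
    accept_min: Label   # assumed: range of connection labels the service accepts
    accept_max: Label


def connect(client: Process, service: Service) -> Optional[Label]:
    """The kernel stamps the stream with the client's SL regardless of whether
    either program is label-aware. The service sees the connection only if that
    SL lies in the range it accepts; a single-level service accepts exactly
    its own SL, so the connection is at the level the client is at."""
    conn = client.label
    if service.accept_max.dominates(conn) and conn.dominates(service.accept_min):
        return conn
    return None


def exploit_remote_exec(client: Process, service: Service, cmd: str) -> Optional[Process]:
    """Jay's remote-exec hole: the service calls system(3)/exec(3) on attacker
    input. The child is spawned by the service, so it carries the service's SL
    and uid, not the attacker's, and none of the service's privileges survive."""
    if connect(client, service) is None:
        return None
    return service.process.exec_(cmd)


def can_read(proc: Process, obj_label: Label) -> bool:
    # Simple-security property: a subject may read an object only if it dominates it.
    return proc.label.dominates(obj_label)


# --- constructed scenario (all names and labels are made up) ---------------
CONF = Label(1)
SECRET_DB = Label(2, frozenset({"db"}))

ATTACKER = Process("telnet", "beaner", CONF)                        # came in from the Internet
HTTPD = Service(Process("httpd", "www", CONF, frozenset({"bind_low_port"})),
                CONF, CONF)                                         # public, single level
DB = Service(Process("dbd", "db", SECRET_DB), SECRET_DB, SECRET_DB)  # back end, single level
GATEWAY = Service(Process("proxyd", "proxy", Label(2)), CONF, Label(2))  # assumed multi-level


def run_scenario() -> dict:
    results = {}
    for name, svc in (("httpd", HTTPD), ("dbd", DB), ("proxyd", GATEWAY)):
        child = exploit_remote_exec(ATTACKER, svc, "/bin/sh")
        results[name] = None if child is None else (child.uid, child.label, child.privileges)
    # A shell popped through the multi-level gateway runs at Secret with no
    # compartments: a different SL than the attacker's, but it still cannot
    # read the compartmented database label.
    gw_shell = exploit_remote_exec(ATTACKER, GATEWAY, "/bin/sh")
    results["gw_reads_db"] = gw_shell is not None and can_read(gw_shell, SECRET_DB)
    results["gw_reads_conf"] = gw_shell is not None and can_read(gw_shell, CONF)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario, the httpd hole yields a shell as www at Confidential with httpd's bind privilege gone, the back-end dbd is unreachable because the Confidential stream never passes its MAC check, and the gateway yields a Secret shell that still cannot read the "db" compartment: a different SL, not a better one.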