OSEC

 
From: Gregor Binder (gbinderSYSFIVE.COM)
Date: Mon Apr 02 2001 - 15:16:39 CDT


    bscanlanIRISH-TIMES.COM on Mon, Apr 02, 2001 at 06:26:06PM +0100:

    > Next time server reboots (fake a mail from somebody saying the machine
    > needs a reboot, or use a new TCP attack to force a panic, whatever)
    > the machine won't come back up unattended. It is a potential DOS, the
    > original poster wasn't insane or anything. :)

    I totally agree that local exploits of any kind should not be put into
    the "you shouldn't have any interactive users on your server anyway" bin,
    especially not on a so-called multiuser system.
    I do think you have a problem when you have no way of attending a reboot
    at the console (personally or through a terminal concentrator), or no
    one to call to do it for you. :)

    OTOH, I think this sort of attack is very interesting. Does anybody have
    a current list of how to protect against those on current UNIX systems?
    Looking at my SunOS7 box, it seems perfectly possible to me that a
    single, unprivileged user could exhaust the process table (fork bomb).
    This is just by verifying the kernel variables in question, I don't want
    to try that ... the same might go for memory exhaustion (haven't
    checked either) and possibly other resources. Since my system is fully
    patched, and I have applied all currently published Solaris hardening
    documents/tools/etc., I assume this kind of stuff is a market gap ;)

    Then again, it would be hard to make any valid recommendations on how
    kernel variables need to be set to protect against DoS by an unprivileged
    user, since the whole business function of a system might or
    actually should run as an unprivileged user and be able to use the
    resources if it needs them ... any input welcome

    Regards,

    -- 
    Gregor Binder       <gregor.bindersysfive.com>      http://sysfive.com/
    sysfive.com GmbH               UNIX. Networking. Security. Applications.
    PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
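Added example, not from the thread or its author: a small POSIX sh check for the per-user process-table pressure the post describes, counting processes per user from `ps` output and flagging any user approaching a per-user ceiling. The `ps` sample, the limit of 8 and the 50% threshold are constructed; on a real host the ceiling would come from the kernel's per-user process limit (`ulimit -u`) and the input from `ps -eo user=`.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise process counts per
# user and flag any user whose count nears a per-user ceiling, as a cheap early
# warning before a fork bomb fills the process table.
# SAMPLE_PS is constructed; on a live system use the output of `ps -eo user=`.
SAMPLE_PS='root
root
root
daemon
alice
alice
alice
alice
alice
bob'

# Print "user count" lines, highest count first.
count_per_user() {
    printf '%s\n' "$1" | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Print users whose process count is at or above WARN_PCT percent of LIMIT.
# LIMIT would normally be the kernel's per-user process limit (`ulimit -u`);
# it is passed in here so the check is reproducible offline.
flag_near_limit() {
    ps_output=$1; limit=$2; warn_pct=$3
    count_per_user "$ps_output" | awk -v limit="$limit" -v pct="$warn_pct" \
        '$2 * 100 >= limit * pct { print $1 }'
}

flag_near_limit "$SAMPLE_PS" 8 50   # with the constructed sample: prints "alice"
```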