Re: caps in elf headers: use the sticky bit!

Theodore Y. Ts'o (tytso@mit.edu)
Fri, 16 Apr 1999 00:36:57 -0400 (EDT)


Date: Fri, 16 Apr 1999 13:48:09 +1000
From: Richard Gooch <rgooch@atnf.csiro.au>

> So if I can manage to hack into one of your machines, (say, the one
> which is running the sendmail that didn't get updated to fix the
> sendmail security bug of the week) I get to break into all of the
> rest?!?

Exactly how does hacking a client mean that all clients are
compromised? The NFS area can be exported read-only to prevent this.

The attacker breaks into any one of the machines, breaks root, and then
carries out an active attack on the network to insert trojan horse
attack code into a setuid executable (or some executable which will be
run by root) that's flying by the network via NFS. It's typically
relatively easy to do something remotely to trigger the client machine
to run some binary over the NFS. (And you really don't care which
binary; the attack program just has to notice that it is an executable,
and then you insert your trojan horse program instead the real thing.)

Since NFS as commonly used by 99.97% of all sites, including 100% of all
Linux machines, don't have any cryptographic integrity protection, the
client machine will never know this happened, and blithly execute the
trojan horse executable without knowing what hit it.

This is not a hypothetical attack; if my memory serves me correctly, it
was Ian Goldberg, from UC Berkely's ISAAC (Internet Security,
Applications, Authentication, and Cryptography) research group who
demonstrated that this is a lot easier to do than most people think.
(There are some games you can play with arps that makes this sort of
thing even easier. Details are left as an exercise to the reader; I
don't want to make it *too* easy for any black hats listening in. :-)

The bottom line is that if you want to be secure, system software
**really** should be installed on local disk, and not imported via NFS.
Disk space is cheap these days. You can afford to put your system
software on local disk --- trust me, you really can't afford not to.

- Ted

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/