On Wed, Feb 4, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>
>>> Most such vulns are against Apache, PHP, etc, which do not run as root.
>>
>> Those are common. Combine them with anything called a 'local
>> privilege escalation' vulnerability and you've got a remote root
>> exploit.
>
> Not quite. An LPE can only be used against your system by logged-in users.

Or any running program - like a web server.

> To make a blended attack that can read /etc/shadow from an LPE, you need either SSH access or a remote shell vuln, not an arbitrary file read vuln. Holes that expose an unintended remote shell are quite a bit rarer than ones that allow a service like Apache to send you any file their non-root account has permission to read.
>
> It's a bit like calling lightning to find a system where both types of vulnerabilities are available at the same time.

No, you exploit the server application hole to tell you about the kernel vulnerability. The last one I saw in the wild involved the symlink race in the kernel around centos 5.2 or .3 and a struts java library bug. But there are people who know what combinations of vulnerabilities to try.

--
Les Mikesell
lesmikesell at gmail.com
> On Feb 4, 2015, at 7:23 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>
> On Wed, Feb 4, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>>
>> An LPE can only be used against your system by logged-in users.
>
> Or any running program - like a web server.

That's not what LPE means. "L" = "local", meaning you are logged-in interactively to the server, or have the ability to execute arbitrary commands remotely, which comes to the same thing.

The only way Apache can be used in conjunction with an LPE to provide root access is via something like Shellshock.

I'm not saying LPEs, remote shell attacks, and arbitrary command execution vulnerabilities do not exist. I'm pointing out that each of these classes of vulnerabilities are rare on their own, and rare times rare equals scarce.

There's no such thing as absolute security. There is only better and worse; somewhere along that continuum is a point labeled "sufficient." Policies like the one we're arguing over merely attempt to set a sane minimum level.
On Wed, Feb 4, 2015 at 8:43 PM, Warren Young <wyml at etr-usa.com> wrote:
>> On Feb 4, 2015, at 7:23 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>>
>> On Wed, Feb 4, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>>>
>>> An LPE can only be used against your system by logged-in users.
>>
>> Or any running program - like a web server.
>
> That's not what LPE means. "L" = "local", meaning you are logged-in interactively to the server, or have the ability to execute arbitrary commands remotely, which comes to the same thing.
>
> The only way Apache can be used in conjunction with an LPE to provide root access is via something like Shellshock.

The instance I saw used a java web server, but server bugs that allow execution of arbitrary commands have been fairly numerous - shellshock might have worked too. And that's all you need to turn what you thought was a local vulnerability into a remote one.

--
Les Mikesell
lesmikesell at gmail.com