[lug] More Redhat worm discussion

Nate Duehr nate at natetech.com
Mon Apr 23 20:23:40 MDT 2001


I think the really nasty stuff I've heard about is a combination of
installing something like the lion worm and then using published LOCAL
exploits to get root once you're in as the named user.

The article probably forgoes talking about that as it's kinda obvious
that if you have a local user account you can probably find a way to
break things enough to become root, and two -- if it's from whitehats,
they probably didn't want to give a prescription/script-kiddie method of
gaining root on people's machines.

I'll leave out any mention of specific local buffer overflows available
to anyone who has a normal user account on RedHat -- but they're out
there.

On Mon, Apr 23, 2001 at 03:26:11PM -0600, Gary Frerking wrote:
> At the risk of PETA coming after me for beating a four-legged animal, I 
> came across something interesting while reading an analysis of the Lion 
> worm (one of the recent worms that target Redhat servers).
> 
> The analysis is here:
> 
>    http://www.whitehats.com/library/worms/lion/index.html
> 
> The paragraph that caught my interest is:
> 
> "My worm testing was greatly complicated by my choice of example target 
> platform: a default server install of Redhat 6.2. I thought that it was 
> probably the most popular distribution and version of Linux in use on 
> the Internet. Thus, it would be the best example of a typical worm 
> target. Indeed, the BIND exploit specifically listed Redhat 6.2 as the 
> target platform! However, Redhat does not enable the named service by 
> default. When it is activated (via linuxconf or ntsysv utilities), named 
> is run as user named, such as "named -u named". The only way Redhat 6.2 
> can be vulnerable to the BIND exploit is when the administrator manually 
> adds named to the startup scripts, then intentionally runs it as root by 
> deleting the "-u named" portion of the startup command. After extensive 
> testing, I determined that this was true for all published BIND exploits 
> that claim to affect Redhat 6.2. Then I was convinced that I must have 
> missed something. A very warm thanks goes to Andreas Östling, who 
> described seeing the very same results I had seen and gave me 
> encouragement to continue the analysis."
> 
> So...
> 
> The way I read it, according to this guy you actually have to jump 
> through hoops to make a default installation of Redhat 6.2 vulnerable.
> 
> This obviously doesn't mean the default Redhat 6.2 installation is 
> secure in all respects, but to me it sheds a little light on how this 
> kind of thing is being misrepresented by the press and by word-of-mouth.
> 
> -- Gary
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

-- 
Nate Duehr <nate at natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
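As an added example (not part of the original post or the whitehats analysis), a small audit script that applies the point quoted above: it reports which user a named startup command line would run as and flags any running named process owned by root. The attached option form `-unamed` is assumed to be accepted by named.

```shell
#!/bin/sh
# Added audit helper; not code from the list post or the whitehats analysis.
# It encodes the Red Hat 6.2 convention quoted above: "named -u named" drops
# named to an unprivileged user, while removing "-u <user>" from the startup
# command leaves it running as root, the only configuration found exploitable.

# named_run_user "CMDLINE": print the user named would run as for a startup
# command line; prints "root" when no -u option is present.
named_run_user() {
    user=root
    # Word-split the command line (rc-script invocations of named carry no quoting).
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -u)   if [ $# -ge 2 ]; then user=$2; shift; fi ;;
            -u?*) user=${1#-u} ;;   # getopt-style attached form, e.g. "-unamed" (assumed)
        esac
        shift
    done
    printf '%s\n' "$user"
}

# audit_named_processes: read "<user> <args...>" lines (the format of
# `ps -eo user,args`) on stdin; report each named process and return 1 if any
# of them is owned by root.
audit_named_processes() {
    rc=0
    while read -r puser pcmd; do
        case "$pcmd" in
            named*|*/named*)
                if [ "$puser" = root ]; then
                    echo "WARNING: named running as root: $pcmd" >&2
                    rc=1
                else
                    echo "ok: named running as $puser ($pcmd)"
                fi ;;
        esac
    done
    return $rc
}

# Live check on this host, only when invoked as: sh named_audit.sh --audit
if [ "${1:-}" = --audit ]; then
    ps -eo user,args | audit_named_processes
fi
```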
