[lug] root password
bgiles at coyotesong.com
Thu Aug 3 13:38:32 MDT 2006
An Apache exploit, e.g., that mod_ssl one a few years ago, will get you a
local process. That local process can attempt local, not remote, root
exploits. It can also cause damage as a regular account, e.g., setting up
a DDoS or spam server.

Given root access, you don't need to crack /etc/shadow. You just replace
a critical file or two and hope that nobody notices. /bin/login,
/bin/passwd, add a new PAM module, ...

This isn't all theoretical -- one of the Red Hat systems I inherited a
while back had been compromised by several different parties. The most
recent one had used mod_ssl to insert an IRC server, but fortunately
nothing else. An earlier exploit had replaced /etc/passwd so it would
send off a message with your new password every time you changed it. It
was fun to explain to my boss that I had found clear evidence of at least
three separate - and successful - attacks.

Bear
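
A defender's view of the tampering described above (a replaced /bin/login or /bin/passwd, an extra PAM module), as an added example that is not part of the original post: a hash baseline of the watched paths compared against a later snapshot. The directory layout and file names in demo() are constructed, and the baseline is assumed to be kept off the host, since an intruder with root can rewrite a local one.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """Map every regular file under the given files/directories to its SHA-256."""
    digests = {}
    for root in paths:
        if os.path.isdir(root):
            files = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]
        else:
            files = [root]
        for path in files:
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return (modified, added, removed) path lists between two snapshots."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def demo():
    """Constructed scenario: a temp dir stands in for /bin and a PAM module dir."""
    with tempfile.TemporaryDirectory() as top:
        bindir = os.path.join(top, "bin")
        pamdir = os.path.join(top, "security")
        os.makedirs(bindir)
        os.makedirs(pamdir)
        for name, data in (("login", b"login-v1"), ("passwd", b"passwd-v1")):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(pamdir, "pam_unix.so"), "wb") as fh:
            fh.write(b"pam-unix-v1")
        watched = [os.path.join(bindir, "login"), os.path.join(bindir, "passwd"), pamdir]
        baseline = snapshot(watched)  # taken while the system is known good
        # Simulated tampering: one binary replaced, one extra module dropped in.
        with open(os.path.join(bindir, "passwd"), "wb") as fh:
            fh.write(b"passwd-trojaned")
        with open(os.path.join(pamdir, "pam_extra.so"), "wb") as fh:
            fh.write(b"unknown-module")
        modified, added, removed = compare(baseline, snapshot(watched))
        rel = lambda ps: [os.path.relpath(p, top) for p in ps]
        return rel(modified), rel(added), rel(removed)

if __name__ == "__main__":
    print(demo())
```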