If we have access to another user ~/ why installing root kit and not use some trivial attack ? like path attack as example or clean exec ? installing a root kit on monitored system will yell alarms. as i previously said if we have access to another user ~/ we have full access to all privileges that this user have. the main issue here is how we get access to the user ~/ about the local virus .. in the example given by the author we compromise the user A which have sudo to root if we have knowledge of the target system we can easily make automated program that compromises other users accounts but .. /there is always but/ in order to compromise other users we will need bigger privs than the user that we attack or some system wide exploit /which is sort of bigger privs/. then if we have those privs why bothering writing a automated program and not compromise them at once ? the only scenario that this is useful is if we have a user A which can execute commands in the context of a user B which can execute commands in context of root in that case if we have a way to compromise user A's ~/ then we can make some automated program that gathers information ,even have some predefined logic about handling some commands enabled in /etc/sudoers, and then exploit it. but thats a very rare case. p.s. sudo to root without pass ... c'mon you have to be kidding me, right ? Javor Ninov aka DrFrancky drfrancky[shift + 2]securax.org securitydot.net Steven M. Christey wrote: >> So, in other words, all you need in order to get root access is a >> rootkit, your shell script, and root access? Ummm... I don't get it. > > I was also confused by this. However, one guess is that by > compromising an unprivileged account and creating command aliases to > run trojaned su and sudo programs, the attacker can hopefully gain > access to another account, then another, etc. By using these sudo > "privilege chains" the attacker might eventually obtain root access. > > This attack would be slightly virus-like in behavior, although local > to the system. And it might accomplish less, and more slowly, than if > the attacker used some other means to determine the explicit su/sudo > relationships and exploit them directly (e.g. sudo -l to list allowed > commands?) And this attack sounds like it's entirely dependent on > whether or not such a chain even exists on the system. Insert > standard text about the likelihood of easier attack vectors here. > > Just a guess, though. Interesting notion of a local-only "virus" to > compromise users on a multi-user system, although it seems like just > another way to exploit trust relationships once you've gained access > to a local account. > > - Steve
Attachment:
signature.asc
Description: OpenPGP digital signature