Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

To: gboyce <gboyce@xxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
From: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>
Date: Thu, 11 Oct 2007 14:14:53 +0100
Cc: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=BvK6M2/Txk436JSLBR3IkE5FPWdgOh5mhq+syxufrF0=; b=e+yb5Jc0NBPc2IqA2fc1HiDUVDfkYDxaZD2PFrA0SU0PcyXCQN1IdTOenpkxeBoe8WdtguurTRWYmoB03wi9gD0Qs2wgEREKZePxd288zJXS3IeY8U6oEQbO1bqlws8XPe+DvISi7FkJXWPFteDdKrtl2d6xVIxJyzqF+msNH5k=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=aVdxJfxk03RCls5IfvHKLZEXXvAqSJwQf5MjYIoEh/TnrdchGdZoAYPDd66gnQqHDEy9xxF0e0XxV1fgesVf1FfuT9yt+E5JvIf/Szfy5435oofoBNtXJVdj8kcOKnuZutXfphXM0d+M4MWxs4jy2dQZmUU0onOmtcrbJxlDQSI=
In-reply-to: <Pine.LNX.4.64.0710110824040.5639@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6905b1570710100414m44c105a6u17728b9bbcfb9cf4@xxxxxxxxxxxxxx> <F9C0B32C4FFE7147BD0FF6A40BE806E701AC4E@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <6905b1570710101717v60bf6d40q8e822d850736b796@xxxxxxxxxxxxxx> <Pine.LNX.4.64.0710110824040.5639@xxxxxxxxxxxxxxxxxxxxx>

gboyce, cheers... nice example! although I had something else in mind.
maybe I shouldn't have used the term "security in depth" since your
version differs a bit from mine. I guess different semantics. but yes,
i agree that systems, processes, data, etc needs to be separated and
blended into a balanced mix which as you said, while under attack, it
does not give away the keys to the kingdom.

thanks

On 10/11/07, gboyce <gboyce@xxxxxxxxxxxx> wrote:
> On Thu, 11 Oct 2007, pdp (architect) wrote:
>
> > Thor, with no disrespect but you are wrong. Security in depth does not
> > work and I am not planning to support my argument in any way. This is
> > just my personal humble opinion. I've seen only failure of the
> > principles you mentioned. Security in depth works only in a perfect
> > world. The truth is that you cannot implement true security mainly
> > because you will hit on the accessibility side. It is all about
> > achieving the balance between security and accessibility. Moreover,
> > you cannot implement security in depth mainly because you cannot
> > predict the future. Therefore, you don't know what kinds of attack
> > will surface next.
> >
> > Security is not a destination, it is a process. Security in depth
> > sounds like a destination to me.
>
> The reason for security in depth is precisely because no security controls
> are foolproof.  The point isn't to make a system completely unbreakable,
> but to raise the bar for what is required in order to extend their access
> beyond what they already control.
>
> Lets take a webserver as an example.
>
> Your webserver only requires ports 80 and 443 listening to the world, so
> you deploy a firewall in front of it restricting access to just those
> ports.
>
> A default install of the OS may enable a few other processes bound to
> remote ports like a mail server, portmap, etc.  These processes aren't
> needed on this particular system.  The firewall blocks access to them, but
> firewalls aren't perfect.  The attacker may have found a way to get behind
> it.  So you turn off those unneeded services.
>
> Being a webserver, its running a number of web applications.  Since you
> don't want to place more trust in those applications than you have to, you
> chroot apache and have it run as a non-privledged user.  Hopefully this
> will contain a successful compromise.
>
> But still, the attacker may break out of the chroot, so you make sure that
> you remove setuid applications or at least keep them up to date with the
> latest security updates.  You do your best to keep them from becoming
> root.  But even that may fail.
>
> Assuming all else has failed, this system is completely owned.  But you
> have other systems with even more sensitive information.  So you architect
> your network such that this webserver does not have more network
> prilvedges than it needs.  You filter outbound network connections to
> hopefully block a good portion of botnet command and control functions.
> You block access from this webserver to other systems unless they have a
> need to talk to them.  You implement application level firewalls between
> it and services that it does need to talk to.
>
> THIS is defence is depth.  Its not about perfect security.  Its about
> containing breaches.  Its about blocking unnecessary risks.  Its about
> making sure that a small mistake that you make does not hand over the keys
> to the kingdom.
>
> --
> Greg
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

References:
- Remote Desktop Command Fixation Attacks
  - From: pdp (architect)
- RE: Remote Desktop Command Fixation Attacks
  - From: Thor (Hammer of God)
- Re: Remote Desktop Command Fixation Attacks
  - From: pdp (architect)
- Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
  - From: gboyce

Prev by Date: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
Next by Date: CORE-2007-0928: Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server
Previous by thread: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
Next by thread: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
Index(es):
- Date
- Thread