Mark wrote:

> 2): Why is it believed that such a trick will automagically allow an
> attacker to execute a self-made program with elevated privileges, like
> root?

It's commonly assumed that most UNIX systems have locally-exploitable bugs that permit local users to gain root access. While this is not necessarily true, it is safest to assume that an attacker who manages to get a local shell will eventually get elevated or even root access.

> Also, where does the idea come from that a symlink will magically bring
> the attacker root access? If .progname.day-of-month were a symlink, then
> please, anyone, show me to what sort of file this symlink could point to
> that would suddenly allow the attacker to gain root-access?

Well, for example, it could point to the ClamAV user's .bashrc file and cleverly manipulating the contents of this file might permit the user to run something as the ClamAV user if the sysadmin makes a careless mistake. Yes, it's tricky. No, it's not science-fiction: Attacks like these do happen in the real world.

> Also, on FreeBSD, we set /tmp +t, which means items in /tmp can be renamed
> or deleted only by the item's owner.

Most modern UNIX systems do that.

> In short, I fail to see what the fuss is all about. O_EXCL should have
> been there, but it's a minor bug -- especially since the TS initially
> failed to realize there was randomness, after all (though it could be
> improved upon). I see no realistic possibilities for exploits. But I'm of
> course open to hearing how someone thinks a realistic attack could be
> mounted with it.

The problem is that even seemingly far-fetched vulnerabilities have a nasty history of being exploited in the real world. You'd be surprised at the creativity of attackers.

Regards,
David.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
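The O_EXCL point the thread turns on, as an added example that is not from this thread and not ClamAV's own code: a file created in a shared directory with O_CREAT alone is opened through whatever symlink already sits at that name, while O_CREAT|O_EXCL refuses to open anything that already exists there, a symlink included. The function names, the scratch directory and the file names (.clamav.17 standing in for .progname.day-of-month, victim_rc standing in for a dotfile) are all constructed for the demonstration; the check compares inode numbers rather than writing anything, so nothing outside the scratch directory is touched.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700          /* declarations for mkdir, symlink, fstat */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the thread criticises: O_CREAT without O_EXCL.  If another
 * local user already planted a symlink at `path`, the kernel follows it and
 * the descriptor returned refers to the link's target, not a new file. */
int create_following_links(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* The fix: O_CREAT|O_EXCL fails (EEXIST on Linux) when anything is already
 * at `path`, a symlink included, so a planted link is never followed.
 * O_NOFOLLOW is added where the platform defines it, as a second guard. */
int create_exclusive(const char *path)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    return open(path, flags, 0600);
}

/* Run the scenario inside a private scratch directory and report the first
 * step whose outcome differs from the expected one (0 = all as expected):
 *   1  scratch directory, victim file or planted link could not be set up
 *   2  the open without O_EXCL did not land on the victim's inode
 *   3  the open with O_EXCL did not refuse the planted link
 *   4  once the link was gone, O_EXCL did not create a fresh file
 *   5  a second O_EXCL open of that fresh file did not fail with EEXIST
 * Every name below is constructed for the demonstration. */
int demo_symlink_defence(void)
{
    char dir[256], victim[320], link[320];
    struct stat sv, sf;
    int fd, rc = 0;
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";

    snprintf(dir, sizeof dir, "%s/excl_demo_%ld", base, (long)getpid());
    if (mkdir(dir, 0700) != 0) {
        /* fall back to the current directory if the temp dir is unusable */
        snprintf(dir, sizeof dir, "excl_demo_%ld", (long)getpid());
        if (mkdir(dir, 0700) != 0) return 1;
    }
    snprintf(victim, sizeof victim, "%s/victim_rc", dir);  /* stands in for ~/.bashrc */
    snprintf(link, sizeof link, "%s/.clamav.17", dir);     /* stands in for .progname.17 */

    /* Victim file owned by us, plus a symlink planted at the expected name. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rc = 1; goto out; }
    if (fstat(fd, &sv) != 0) { close(fd); rc = 1; goto out; }
    close(fd);
    if (symlink(victim, link) != 0) { rc = 1; goto out; }

    /* Step 2: without O_EXCL the open silently follows the planted link. */
    fd = create_following_links(link);
    if (fd < 0) { rc = 2; goto out; }
    if (fstat(fd, &sf) != 0 || sf.st_ino != sv.st_ino || sf.st_dev != sv.st_dev) {
        close(fd); rc = 2; goto out;
    }
    close(fd);

    /* Step 3: with O_EXCL the planted link is refused outright. */
    fd = create_exclusive(link);
    if (fd >= 0) { close(fd); rc = 3; goto out; }

    /* Steps 4 and 5: once the link is gone, O_EXCL creates the file exactly once. */
    unlink(link);
    fd = create_exclusive(link);
    if (fd < 0) { rc = 4; goto out; }
    close(fd);
    fd = create_exclusive(link);
    if (fd >= 0 || errno != EEXIST) { if (fd >= 0) close(fd); rc = 5; goto out; }

out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_defence();
    printf("demo result: %d (%s)\n", rc, rc == 0 ? "as expected" : "unexpected");
    return rc;
}
```

The inode comparison in step 2 is what makes the unsafe pattern visible without modifying the victim file: the descriptor handed back for the `.clamav.17` name is the victim's inode, which is exactly the situation the thread describes for a dotfile such as .bashrc. Step 5 also covers the ordinary race the original bug would have hit even without a symlink, where two runs pick the same name: only one of them gets the file, and the other sees EEXIST instead of silently sharing it.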