-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll
Sent: donderdag 3 januari 2008 19:28
To: ClamAV users ML
Subject: Re: [Clamav-users] Clam bugs/vulns (was Re: Tomasz, you're an idiot, and you don't even know it)

> Mark wrote:

> > 2): Why is it believed that such a trick will automagically allow an
> > attacker to execute a self-made program with elevated privileges, like
> > root?

> It's commonly assumed that most UNIX systems have locally-exploitable
> bugs that permit local users to gain root access. While this is not
> necessarily true, it is safest to assume that an attacker who manages
> to get a local shell will eventually get elevated or even root access.

I agree. :) But the TS was talking (loudly) not about the general, but
claimed risks in the specific -- risks which I still deem exceedingly
remote on a properly configured system.

> > Also, where does the idea come from that a symlink will magically
> > bring the attacker root access? If .progname.day-of-month were a
> > symlink, then please, anyone, show me to what sort of file this
> > symlink could point to that would suddenly allow the attacker to gain
> > root-access?

> Well, for example, it could point to the ClamAV user's .bashrc file
> and cleverly manipulating the contents of this file might permit the
> user to run something as the ClamAV user if the sysadmin makes a
> careless mistake. Yes, it's tricky. No, it's not science-fiction:
> Attacks like these do happen in the real world.

Well, if the admin had clamav's ~/.bashrc world-writeable, then that would
indeed be quite an oversight. :)

Also, my clamav user does not even have shell access (it's just an
existing user account without any valid shell defined, like the nobody
user for Apache, or the mysql user), so good luck with that, attacker.

> The problem is that even seemingly far-fetched vulnerabilities have a
> nasty history of being exploited in the real-world. You'd be surprised
> at the creativity of attackers.

No contest, either. I'll remain vigilant, of course; yet, I still think
the TS's mouth was writing checks his 'evidence' can't cash.

Regards,

- Mark

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
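The symlink scenario debated above, as an added example that is not part of the thread and not ClamAV's own code: a constructed temp-directory demo in which a naive fopen(path, "w") on a predictable per-day name follows a planted symlink and overwrites its target, while open() with O_CREAT|O_EXCL|O_NOFOLLOW refuses the pre-existing name. The file names "victim" and ".progname.03" and the /tmp directory are assumptions of the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Naive: fopen(path, "w") follows a symlink at the predictable name and
 * truncates whatever it points at, e.g. a dot-file in the user's home. */
static int naive_write(const char *path, const char *msg)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(msg, f);
    return fclose(f);
}

/* Hardened: O_EXCL refuses any pre-existing name (symlink, hard link or
 * regular file) with EEXIST; O_NOFOLLOW never traverses a symlink. */
int open_daily_file_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private temp directory: "victim" stands in for
 * the dot-file, ".progname.03" for the predictable per-day name where a
 * symlink was planted. Returns 1 when the naive write clobbered the victim
 * and the hardened open refused the existing name, 0 otherwise. */
int demo_symlink_planted(void)
{
    char dir[] = "/tmp/symdemoXXXXXX", victim[256], planted[256], buf[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/.progname.03", dir);
    if (naive_write(victim, "original") != 0) return -1;
    if (symlink(victim, planted) != 0) return -1;
    naive_write(planted, "clobbered");          /* follows the symlink */
    int fd = open_daily_file_safely(planted);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    FILE *f = fopen(victim, "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    int clobbered = (strcmp(buf, "clobbered") == 0);
    unlink(planted); unlink(victim); rmdir(dir);
    return clobbered && refused;
}
```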
