On 19-02-2014 11:19, Dmitrij D. Czarkoff wrote:
>
> Putting something into LD_PRELOAD is nowhere near hiding it, if not
> the complete opposite.
>
> 1. Any competent system administrator will be watching out his
>environment.
>
> 2. The actual assignment should happen somewhere in a fairly lim
Giancarlo Razzolini said:
> Theo, I'm using the word rootkit in the sense I've always known it, a
> malicious program installed *after* you had gained root access on a
> machine, whose sole purpose is to maintain the access while at the
> same time hiding the fact that it's being done so:
> h
On 18-02-2014 23:00, Theo de Raadt wrote:
> This is total baloney. The way you are using the word rootkit, it could
> now refer to anything from a gardening shovel or anything else. Very
> very sloppy. In the Unix context, the word rootkit has a very specific
> meaning. You're using the word wron
On 02/18/2014 11:29 PM, Daniel Cegiełka wrote:
https://github.com/freebsd/freebsd/blob/master/contrib/openpam/include/security/openpam.h#L358
It appears to be a way to embed fallback authentication modules in case
the shared library can't be found.
Go on, look at where else OPENPAM_STATIC_M
I'd think the first thing any OpenBSD dev would say - that's not our code,
go ask the maintainers...
Daniel Cegiełka wrote:
> Theo, as a great programmer can you explain to us all what does this
> piece of code? from L351:
>
>
https://github.com/freebsd/freebsd/blob/master/contrib/openpam/include/
2014-02-19 3:32 GMT+01:00 Theo de Raadt :
>>2014-02-17 22:12 GMT+01:00 Miod Vallat :
and of course PAM:
http://blackhatlibrary.net/Hooking_PAM
>>>
>>> Well, there's a reason why OpenBSD does not embed PAM. It has to do with
>>> software giving people enough rope to hang themselves.
>
>2014-02-17 22:12 GMT+01:00 Miod Vallat :
>>> and of course PAM:
>>>
>>> http://blackhatlibrary.net/Hooking_PAM
>>
>> Well, there's a reason why OpenBSD does not embed PAM. It has to do with
>> software giving people enough rope to hang themselves.
>
>PAM is just an API. You can write small and simpl
>On 18-02-2014 14:36, Dmitrij D. Czarkoff wrote:
>> You perfectly demonstrated your ability to alter the code that will be
>> run with your privileges. Still, it is useless as the injected code
>> will be running with your privileges, so this has no practical output.
>> Either you are able to de
2014-02-18 20:10 GMT+01:00 Dmitrij D. Czarkoff :
> Giancarlo Razzolini said:
>> ... What we are discussing is if it is possible, using
>> LD_PRELOAD, to inject code on the execution of any given programs, and
>> to be able to hide the fact that the machine has a rootkit installed
>> using t
On 18-02-2014 16:10, Dmitrij D. Czarkoff wrote:
> So you think that placing rootkit in LD_PRELOAD hides it? I would
> wonder about your definition of revealing then.
It seems to me that you jumped aboard this thread without reading all
e-mails exchanged on it. Of course a rootkit using LD_PRELO
On Tue, Feb 18, 2014 at 06:07:32PM +0100, Daniel Cegiełka wrote:
> cc -shared fake.c -o fake
> LD_PRELOAD=./fake ksh
>
> and type: whoami
Since when does LD_PRELOAD work with relative paths?
But, anyways, why bother with shared libraries and shit.
Try this, it's simpler:
$ whoami() { echo root;
Giancarlo Razzolini said:
> ... What we are discussing is if it is possible, using
> LD_PRELOAD, to inject code on the execution of any given programs, and
> to be able to hide the fact that the machine has a rootkit installed
> using this method.
So you think that placing rootkit in LD_PR
2014-02-18 18:42 GMT+01:00 Giancarlo Razzolini :
> On 18-02-2014 14:36, Dmitrij D. Czarkoff wrote:
>> You perfectly demonstrated your ability to alter the code that will be
>> run with your privileges. Still, it is useless as the injected code
>> will be running with your privileges, so this has
On 18-02-2014 14:36, Dmitrij D. Czarkoff wrote:
> You perfectly demonstrated your ability to alter the code that will be
> run with your privileges. Still, it is useless as the injected code
> will be running with your privileges, so this has no practical output.
> Either you are able to demonst
Daniel Cegiełka said:
> yes, it is not possible to pledge a trap for user using LD_PRELOAD.
> hmm... definitely I'm wrong!
>
> but I have another example:
>
>
> --- cat fake.c ---
>
> #define print(s) write(1, (s), sizeof(s) - 1)
>
> int getuid() {
> return 32767;
> }
>
> int geteuid() {
Hi Giancarlo,
Maybe I'm totally wrong here:
2014-02-17 20:20 GMT+01:00 Theo de Raadt :
>>2014-02-16 23:36 GMT+01:00 Frank Brodbeck :
>>> I am not sure what point it is you are trying to make but:
>>>
>>> $ LD_PRELOAD=./id0 sh
>>> \u@\h:\w\n$ id -un
>>> root
>>> \u@\h:\w\n$ less /etc/master.passw
On 18-02-2014 09:00, Daniel Cegiełka wrote:
> 2014-02-17 20:20 GMT+01:00 Theo de Raadt :
>
> Theo,
> I think went wrong with this topic.
>
> Firstly, I don't know of any vulnerability in order to gain privilege
> (e.g. uid 0) using LD_PRELOAD. I want it to be clearly defined. And
> yes, shown tr
2014-02-17 20:20 GMT+01:00 Theo de Raadt :
Theo,
I think went wrong with this topic.
Firstly, I don't know of any vulnerability in order to gain privilege
(e.g. uid 0) using LD_PRELOAD. I want it to be clearly defined. And
yes, shown trick with LD_PRELOAD was cheap and didn't give any root
rights
2014-02-17 22:12 GMT+01:00 Miod Vallat :
>> and of course PAM:
>>
>> http://blackhatlibrary.net/Hooking_PAM
>
> Well, there's a reason why OpenBSD does not embed PAM. It has to do with
> software giving people enough rope to hang themselves.
PAM is just an API. You can write small and simple pam_bsd
On Mon, Feb 17, 2014 at 09:12:53PM +, Miod Vallat wrote:
| > and of course PAM:
| >
| > http://blackhatlibrary.net/Hooking_PAM
|
| Well, there's a reason why OpenBSD does not embed PAM. It has to do with
| software giving people enough rope to hang themselves.
Giving people enough rope to ha
On Mon, Feb 17, 2014 at 10:02:18PM +0100, Daniel Cegiełka wrote:
[...]
> At least on Linux this type of abuse seems to be still (very) effective:
>
> http://blackhatlibrary.net/LD_PRELOAD
> http://blackhatlibrary.net/Azazel
>
> and of course PAM:
>
> http://blackhatlibrary.net/Hooking_PAM
Here's
> and of course PAM:
>
> http://blackhatlibrary.net/Hooking_PAM
Well, there's a reason why OpenBSD does not embed PAM. It has to do with
software giving people enough rope to hang themselves.
2014-02-17 21:49 GMT+01:00 Marc Espie :
> On Mon, Feb 17, 2014 at 07:48:44PM +, Miod Vallat wrote:
>> > Attacks with LD_PRELOAD are very old and can
>> > be performed on any OS where you have dynamic linking (Linux, *BSD
>> > etc.), so yes, OpenBSD is "vulnerable" to th
On Mon, Feb 17, 2014 at 07:48:44PM +, Miod Vallat wrote:
> > Attacks with LD_PRELOAD are very old and can
> > be performed on any OS where you have dynamic linking (Linux, *BSD
> > etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
>
> You forgot to mention
2014-02-17 21:25 GMT+01:00 Theo de Raadt :
>>2014-02-17 20:48 GMT+01:00 Miod Vallat :
Attacks with LD_PRELOAD are very old and can
be performed on any OS where you have dynamic linking (Linux, *BSD
etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
> It actually should reduce the risk for set*id(), but this in the past
> related to CVE-2006-6164 (_dl_unsetenv())?
Yes, and this has been fixed since.
>2014-02-17 20:48 GMT+01:00 Miod Vallat :
>>> Attacks with LD_PRELOAD are very old and can
>>> be performed on any OS where you have dynamic linking (Linux, *BSD
>>> etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
>>
>> You forgot to mention that the value of
2014-02-17 20:48 GMT+01:00 Miod Vallat :
>> Attacks with LD_PRELOAD are very old and can
>> be performed on any OS where you have dynamic linking (Linux, *BSD
>> etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
>
> You forgot to mention that the value of LD_PRE
>And it never was a threat?
>
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872
>http://www.cvedetails.com/cve/CVE-2006-6164/
Please state your case very carefully and clearly. Right now, you
are not talking facts.
And it never was a threat?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872
http://www.cvedetails.com/cve/CVE-2006-6164/
Daniel
> Attacks with LD_PRELOAD are very old and can
> be performed on any OS where you have dynamic linking (Linux, *BSD
> etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
You forgot to mention that the value of LD_PRELOAD is ignored for set*id
executables, in orde
>2014-02-16 23:36 GMT+01:00 Frank Brodbeck :
>> I am not sure what point it is you are trying to make but:
>>
>> $ LD_PRELOAD=./id0 sh
>> \u@\h:\w\n$ id -un
>> root
>> \u@\h:\w\n$ less /etc/master.passwd
>> /etc/master.passwd: Permission denied
>> \u@\h:\w\n$ ls -l /etc/master.passwd
>> -rw---
2014-02-16 23:36 GMT+01:00 Frank Brodbeck :
> I am not sure what point it is you are trying to make but:
>
> $ LD_PRELOAD=./id0 sh
> \u@\h:\w\n$ id -un
> root
> \u@\h:\w\n$ less /etc/master.passwd
> /etc/master.passwd: Permission denied
> \u@\h:\w\n$ ls -l /etc/master.passwd
> -rw--- 1 root w
I am not sure what point it is you are trying to make but:
$ LD_PRELOAD=./id0 sh
\u@\h:\w\n$ id -un
root
\u@\h:\w\n$ less /etc/master.passwd
/etc/master.passwd: Permission denied
\u@\h:\w\n$ ls -l /etc/master.passwd
-rw--- 1 root wheel 3984 Feb 5 22:44 /etc/master.passwd
\u@\h:\w\n$
2014-02-17 15:49 GMT+01:00 Giancarlo Razzolini :
>> Solution: static linking of critical binaries.
>>
>> I hope that my explanation was helpful.
>>
>> best regards,
>> Daniel
>>
> Static linking does solve the issue with this particular rootkit, but
> won't help with kmod rootkits. The truth is t
On 17-02-2014 10:59, Daniel Cegiełka wrote:
> 2014-02-17 13:15 GMT+01:00 :
>> On 16 February 2014 at 10:11 PM, "Daniel Cegiełka"
>> wrote:
>>
>> try this:
>>
>> --- cat id0.c ---
>> int getuid(){return 0;}
>> int geteuid(){return 0;}
>> int getgid(){return 0;}
>> int getegid(){return 0;}
>> --
2014-02-17 13:15 GMT+01:00 :
> On 16 February 2014 at 10:11 PM, "Daniel Cegiełka"
> wrote:
>
> try this:
>
> --- cat id0.c ---
> int getuid(){return 0;}
> int geteuid(){return 0;}
> int getgid(){return 0;}
> int getegid(){return 0;}
> --- end cut ---
>
> # shell (as normal user):
> id -un
> cc -s
On 16 February 2014 at 10:11 PM, "Daniel Cegiełka" wrote:
try this:
--- cat id0.c ---
int getuid(){return 0;}
int geteuid(){return 0;}
int getgid(){return 0;}
int getegid(){return 0;}
--- end cut ---
# shell (as normal user):
id -un
cc -shared id0.c -o id0
LD_PRELOAD=./id0 sh
id -un
What does th
try this:
--- cat id0.c ---
int getuid(){return 0;}
int geteuid(){return 0;}
int getgid(){return 0;}
int getegid(){return 0;}
--- end cut ---
# shell (as normal user):
id -un
cc -shared id0.c -o id0
LD_PRELOAD=./id0 sh
id -un
best,
Daniel
2014-02-16 22:36 GMT+01:00 :
> Hello!
>
> Came across