[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

securelevel and mount_union (fwd)

To: tech@openbsd.org
Subject: securelevel and mount_union (fwd)
From: ark@eltex.ru
Date: Mon, 21 Jun 1999 12:50:05 +0400
Organization: "Klingon Imperial Intelligence Service"

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

from freebsd-security

- -- Begin forwarded message ---
Even on a system well locked-down with schg flags and use of a positive
securelevel, it is possible for an attacker who has gained root to replace
system binaries and cover his tracks through the use of mount_union.
mount_union continues to function normally even on mountpoints with the
schg flag set and while the system is running at securelevel 2.  (Tested
only on -stable, however.)

To exploit this, the attacker can simply create his own version of /bin or
another directory elesewhere in the filesystem and "mount_union
/some/obscure/place /bin". If mount itself is shadowed by a modified
version which conceals the union mounts from the usual status report, it
is quite likely that this could remain unnoticed for some time.  
Meanwhile, modified versions of /usr/bin/login, telnet, ssh, etc. are
quietly recording local and remote passwords...  Tripwire and/or its
associated data files could also be shadowed, further reducing the chance
of detection.

The union mounts will of course disappear upon system shutdown, but even
if the attacker cannot modify fstab or place an entry in the real version
of any of the system startup scripts, this ruse can be reinstated
post-reboot by an entry in root's crontab or login script, or anything
else not set immutable that might execute with root permissions sometime
shortly after reboot.

My suggestion: Either cause a positive securelevel setting to disable
the functionality of mount_union and mount -o union, or disable this
functionality for mountpoints with the schg flag set.  (In the latter
case, the sysadmin must be careful to set the schg flag on all parent
directories of any directory containing files with schg set, as well as
the file's directory)

- -- 
Brian Buchanan                                     brian@CSUA.Berkeley.EDU
- --------------------------------------------------------------------------
FreeBSD - The Power to Serve!                       http://www.freebsd.org

daemon(n): 1. an attendant power or spirit : GENIUS
           2. the cute little mascot of the FreeBSD operating system



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

- -- End forwarded message ---
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBN238vKH/mIJW9LeBAQF5WQP+K5NVTlNNp0BGPeADFC3vJnqvBKPniiss
K1kuuF/0P6/lq2wycxbBq9zDS1GBfuGYVtH6/geD7OglhdQ5WTfA1hDcpj9CHw1G
f4d4mFrXT9XoyWNweYWtvInIPH6vRu5VxHtp9zGbr2ar1fowWdd4OFSx3HZJ0Xbv
2nwPYxV32tI=
=L3bS
-----END PGP SIGNATURE-----

Prev by Date: 2.5 Release/i386 Lockup on /dev/fd0c error
Next by Date: AlphaBIOS + OpenBSD?
Prev by thread: 2.5 Release/i386 Lockup on /dev/fd0c error
Next by thread: AlphaBIOS + OpenBSD?
Index(es):
- Date
- Thread