Cursory analysis of a system compromise (due to poor password choice)
On March 9 at 0856 the installation of a Fedora Core 3 system was completed.
System was then set up on a NAT network and patched using updates provided by
the Fedora project. The root password, for convenience, was temporarilly set to
‘password’ as an outside contractor would be setting up some software.
Continue reading BA-2005-01 Cursory Analysis of a System Compromise (due to poor password selection)
Original release date: December 6, 2003
Last revised: December 06, 2003
A complete revision history is at the end of this file.
Debian 3.0 with group ‘staff’ ownership of /usr/local/* and the default path setting in /root/.profile
Low/Medium (Requires access to a local ‘staff’ account)
The default path setting for Debian 3.0 sets priority to /usr/local before its /usr counterpart. Combined with the loose access controls on /usr/local, this could lead to a privilege escalation attack that might yield root access to an attacker.
From: Golden_Eternity [[email protected]] Sent: Friday, June 28, 2002 2:15 PM Subject: RE: Apache worm in the wild Just based on the strings in the .a file, this is my best guess as to what its doing. I haven't tried running it, yet, so my observations are very limited. Hopefully someone will find this interesting. Continue reading BA-2002-01 String-Based Analysis of Apache Chunked Encoding Worm
Original release date: July 22, 2001
Last revised: July 22, 2001
A complete revision history is at the end of this file.
A) Systems running SSH Communications, Inc’s SSH 2 implementation, using the built-in features for user login security.
B-C) Those same systems using SSH 1 compatibility.
Original release date: May 26, 2001
Last revised: May 27, 2001
A complete revision history is at the end of this file.
Any firewall configured to block inbound packets without the ACK bit set.
Low – Enumeration
Any firewall system configured to block (not respond to) inbound packets without the ACK bit set may be vulnerable to an information gathering attack that could reveal a portion of the firewall ruleset and suggest the presence of listening daemons.
From: Golden_Eternity [bhodi@….com]
Sent: Monday, April 23, 2001 12:08 PM
To: ‘BUGTRAQ@….com’
Subject: Non-user accounts assigned shell by default – Red Hat 6.1-7.0,
et al.
SEVERITY: Low
AFFECTED VERSIONS: Confirmed on Red Hat 6.1, 6.2 and 7.0
DESCRIPTION:
The default installation does not assign a shell for most non-user accounts
(e.g. nobody, bin). If no shell is specified for an account, the shell
defaults to /bin/sh.
On its own, this does not pose a significant threat. However, very few of
these accounts require a shell, so there is no reason to grant this extra
privilege. This may violate security policies for granting the minimum
privileges necessary to accomplish a task.
Additionally, the default installation of /etc/shells does not contain a
shell such as /bin/false which would deny login.
Red Hat was contacted about this in June 2000 and has elected not to fix
this problem at this time.
https://bugzilla.redhat.com/show_bug.cgi?id=12409
SOLUTION:
The solution would be to assign these accounts a false shell which will
not permit login, such as /bin/false. This shell could be added to /etc/shells
for use with chsh.
DEMONSTRATION:
[root@roto-router /root]# grep “nobody” /etc/passwd
nobody:x:99:99:Nobody:/:
[root@roto-router /root]# su nobody
bash$
[root@roto-router /root]# grep “xfs” /etc/passwd
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
[root@roto-router /root]# su xfs
[root@roto-router /root]#
—
I apologize if this is not considered a significant enough issue to post
to bugtraq. I debated posting for a while and eventually decided that if
it isn’t, the moderator will kill it. 😉
Since some administrators may not be aware that there is a default shell
for unix/linux accounts, I felt this information could be useful.
Updates to this warning can be found at https://www.bhodisoft.com/Sec/
Original release date: April 23, 2001
Last revised: July 21, 2001
A complete revision history is at the end of this file.
Confirmed on Red Hat 6.1, 6.2 and 7.0
Low
The default installation does not assign a shell for most non-user accounts (e.g. nobody, bin). If no shell is specified for an account, the shell defaults to /bin/sh.