
Re: Debian Investigation Report after Server Compromises



On Wed, 2003-12-03 at 11:33, Dr. MacQuigg wrote:
> After reading the report at 
> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
> and following this newsgroup discussion, I have some very basic questions:
> 
> 1)  What is a "sniffed password", and how do they know the attacker used a 
> password that was "sniffed", rather than just stolen out of someone's 
> notebook?

(NOTE: I am by no means an expert on any of this, so don't take this as
a definitive answer on the subjects.)

I'm not sure of the specifics of how the attacker obtained the
passwords, but you can "sniff" a password both over a network connection
as well as locally. For example, using a keystroke logger, you could get
the password as a user was typing it in.

> 2)  Was the breakin done remotely, or by someone with physical access to 
> the machine or network?  I thought that "sniffing" required physical access 
> to a network over which unencrypted data was being transferred.  Are the 
> remote logins to Debian servers unencrypted?

From what I understood of the description, I had thought that it was
done remotely. All of the Debian servers, as far as I know, only allow
ssh (encrypted) connections. I don't think any of them will allow a
regular old telnet connection which would send the password out in the
open.

> 3)  How does an attacker with a user-level password gain root access?  I 
> understand you can call system services that have root access, and provide 
> bad data in those calls that will cause buffer overflows, maybe even a 
> machine crash, but how does a buffer overflow allow root access?  I know 
> there is a deep technical explanation for this, but I'm hoping someone can 
> explain it in simple terms, or maybe point me to a good article or book 
> chapter.

Well, in the case of buffer overflows, here's basically what happens:

Let's say memory blocks 1 - 100 are reserved for a program called
myprogram. If that program doesn't do appropriate checking, it's
possible to feed it enough data that it'll start writing in addresses
beyond 100. (Say if you pass it 100 "blocks" worth of data, blocks 101
through 110 would end up being put into unprotected memory.) In this
case, it's possible to send malicious executable code into those memory
addresses that could then be executed by the system, letting you do just
about anything you want, such as giving you root access.

Buffer overflows are by no means the ONLY way to go about this, but
they've received a lot of attention in the last year or two in various
arenas.

-- 
Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the
pgp.net keyservers. Key ID: A6D24837
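An added example (not part of the message above) putting the "blocks 1 - 100" picture into C: an unchecked strcpy into a 100-byte buffer beside a bounds-checked copy that refuses input that would not fit, plus a helper that computes how far an unchecked copy would spill. The buffer size, the 110-byte input and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100   /* the "memory blocks 1 - 100" of the explanation */
#define INPUT_LEN 110  /* constructed over-long input: 110 bytes of 'A' */

/* Unsafe: strcpy never looks at the size of dst, so any src of BUF_SIZE
 * bytes or more writes past the end of the buffer. It is only called here
 * with input that fits, because overflowing it is undefined behaviour. */
static int copy_unchecked(char dst[BUF_SIZE], const char *src) {
    strcpy(dst, src);
    return 0;
}

/* Hardened: reject anything that does not fit, terminating NUL included. */
static int copy_checked(char *dst, size_t dstsize, const char *src) {
    size_t n = strlen(src);
    if (n >= dstsize)
        return -1;               /* would overflow: refuse, write nothing */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bytes an unchecked copy of src would write beyond a dstsize-byte buffer
 * (0 when it fits). Pure arithmetic, so it is safe on any input. */
static size_t overflow_bytes(size_t dstsize, const char *src) {
    size_t needed = strlen(src) + 1;   /* +1 for the terminating NUL */
    return needed > dstsize ? needed - dstsize : 0;
}

/* Build the constructed 110-byte input ("blocks 1 through 110"). */
static const char *overlong_input(void) {
    static char input[INPUT_LEN + 1];
    memset(input, 'A', INPUT_LEN);
    input[INPUT_LEN] = '\0';
    return input;
}

int main(void) {
    char buf[BUF_SIZE];
    const char *bad = overlong_input();

    copy_unchecked(buf, "fits");                    /* fine: 5 bytes */
    printf("unchecked copy of %zu bytes would spill %zu bytes past the buffer\n",
           strlen(bad), overflow_bytes(BUF_SIZE, bad));
    printf("checked copy: %s\n",
           copy_checked(buf, BUF_SIZE, bad) == 0 ? "accepted" : "rejected");
    return 0;
}
```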
