Re: Debian Investigation Report after Server Compromises



on Wed, Dec 03, 2003 at 10:33:34AM -0700, Dr. MacQuigg (macquigg@ece.arizona.edu) wrote:
> After reading the report at 
> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html 
> and following this newsgroup discussion, I have some very basic questions:
> 
> 1)  What is a "sniffed password", and how do they know the attacker used a 
> password that was "sniffed", rather than just stolen out of someone's 
> notebook?

Through the grapevine:  a DD's personal system or another remote system
he used was cracked.  His password(s) were sniffed from this.  His own
personal security practices were less than stellar, by his own
admission.  My understanding is that this was the route by which Debian
Project boxes were compromised.

> 2)  Was the break-in done remotely, or by someone with physical access to
> the machine or network?

In the case of the first system(s), this isn't fully clear.

> 3)  How does an attacker with a user-level password gain root access?  

Through a local root exploit, as is clearly described in the
announcement at the URL quoted above, using the kernel brk() buffer
overflow.

A proof-of-concept exploit (it crashes but doesn't root a system) has
been posted to BugTraq.

> I understand you can call system services that have root access, and
> provide bad data in those calls that will cause buffer overflows,
> maybe even a machine crash, but how does a buffer overflow allow root
> access?  

It can.  In this case, it did.  Briefly:  you're messing with kernel
memory space.  That's stuff in ring 0, running with full system privs.
You do the math.

See BugTraq for more info.

    http://www.securityfocus.com/archive/1/346180/2003-12-01/2003-12-07/0
    http://www.securityfocus.com/archive/1/346175/2003-12-01/2003-12-07/2


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
      http://sco.iwethey.org/
