Re: Debian Investigation Report after Server Compromises
Dr. MacQuigg writes:
> What is a "sniffed password"
A password gotten by reading each character as it is typed on the keyboard
or by intercepting an unencrypted transmission. In this case it was the
former.
> ...and how do they know the attacker used a password that was "sniffed",
> rather than just stolen out of someone's notebook?
They know whose password it was and that his machine was rooted.
> Was the breakin done remotely, or by someone with physical access to the
> machine or network?
A developer's machine was rooted remotely, his password was sniffed by
reading the keyboard, and the password was used to log into the Debian
machines remotely.
> Are the remote logins to Debian servers unencrypted?
No. They are encrypted using ssh. However, the attacker had a valid
password and username so that didn't help.
> How does an attacker with a user-level password gain root access?
In this case by exploiting a bug in sbrk(). The kernel developers knew
about the bug but did not believe it to be exploitable. They were wrong.
> ...how does a buffer overflow allow root access?
In some cases, by allowing you to overwrite a return address on the stack
of a suid program with the address of your code. This exploit is rather
more subtle than that, evidently.
--
John Hasler
john@dhh.gt.org (John Hasler)
Dancing Horse Hill
Elmwood, WI