
Re: Debian Investigation Report after Server Compromises



On Wed, 03 Dec 2003 10:33:34 -0700, Dr. MacQuigg wrote:

> After reading the report at 
> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html 
> and following this newsgroup discussion, I have some very basic questions:
> 
> 1)  What is a "sniffed password", and how do they know the attacker used a 
> password that was "sniffed", rather than just stolen out of someone's 
> notebook?
> 
> 2)  Was the breakin done remotely, or by someone with physical access to 
> the machine or network?  I thought that "sniffing" required physical access 
> to a network over which unencrypted data was being transferred.  Are the 
> remote logins to Debian servers unencrypted?
> 
> 3)  How does an attacker with a user-level password gain root access?  I 
> understand you can call system services that have root access, and provide 
> bad data in those calls that will cause buffer overflows, maybe even a 
> machine crash, but how does a buffer overflow allow root access?  I know 
> there is a deep technical explanation for this, but I'm hoping someone can 
> explain it in simple terms, or maybe point me to a good article or book 
> chapter.
> 
> -- Dave

With regard to your question 3, a buffer overflow exploit is always a
stack exploit and is designed to execute arbitrary code with the called
program's privilege. The way it works: you call a privileged
service/program/function, and you pass it a (precisely designed) parameter
which is bigger than it's expecting. The parameter is put on the stack;
then, when returning (because the parameter is bigger than the max size it
was expecting) it will use the beginning of your big parameter as its
return address. For example: Suppose the parameter has a max size of 512
bytes. You construct a parameter 516 bytes long, the first 4 bytes of
which are a branch to the beginning of the other 512 bytes. Those 512
bytes contain the code to execute a shell, for example, (with, of course,
root privilege).

There's a bit more to it than that, but that's it in (poorly explained)
principle.  If I didn't get it quite right, no doubt those in here smarter
than me will fix it.

-- 
....................paul


"I think that gay marriage is something that should be between a man and
a woman."

-- Arnold Schwarzenegger, Governor of California
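Added example, not part of the original thread and not Debian's code: a small C model of the frame Paul describes, a 512-byte parameter buffer followed by the 4 bytes where the saved return address sits. The layout, the placeholder address 0x08048000 and the function names are assumptions made for the illustration; real frames differ. It shows the unchecked copy spilling a 516-byte input into the return-address slot, and the bounded copy (the fix) refusing the same input so that slot is never touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame described above: a 512-byte parameter
 * buffer followed directly by the 4 bytes where the caller's return
 * address would sit. Real frames hold more (saved registers, padding);
 * this is not Debian's code, it only shows why the overrun matters. */
#define BUF_SIZE   512
#define FRAME_SIZE (BUF_SIZE + 4)

struct frame_model {
    unsigned char bytes[FRAME_SIZE];
};

/* Read the 4 bytes after the buffer as a little-endian 32-bit value. */
static uint32_t saved_return(const struct frame_model *f) {
    const unsigned char *p = f->bytes + BUF_SIZE;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void set_saved_return(struct frame_model *f, uint32_t v) {
    unsigned char *p = f->bytes + BUF_SIZE;
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* The flawed pattern: copy however many bytes the caller supplied,
 * trusting it to respect the 512-byte limit. The copy is clamped to the
 * model's own array so the demonstration stays well defined; any
 * len > BUF_SIZE still spills into the return-address bytes. */
static void copy_unchecked(struct frame_model *f, const unsigned char *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes, in, len);
}

/* The fix: refuse input that does not fit, so the bytes past the buffer
 * can never be touched. Returns 0 on success, -1 if the input is too long. */
static int copy_checked(struct frame_model *f, const unsigned char *in, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(f->bytes, in, len);
    return 0;
}

#define ORIGINAL_RETURN 0x08048000u  /* constructed placeholder address */

/* Fill the buffer with `len` bytes of 'A' using the unchecked copy and
 * return whatever is left in the return-address slot afterwards. */
uint32_t return_after_unchecked(size_t len) {
    struct frame_model f;
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    memset(f.bytes, 0, sizeof f.bytes);
    set_saved_return(&f, ORIGINAL_RETURN);
    copy_unchecked(&f, input, len);
    return saved_return(&f);
}

/* Same experiment with the bounded copy: returns the copy's status and
 * writes the surviving return-address slot to *slot. */
int return_after_checked(size_t len, uint32_t *slot) {
    struct frame_model f;
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    memset(f.bytes, 0, sizeof f.bytes);
    set_saved_return(&f, ORIGINAL_RETURN);
    int rc = copy_checked(&f, input, len);
    *slot = saved_return(&f);
    return rc;
}

int main(void) {
    uint32_t slot;
    printf("unchecked, 512 bytes: slot = 0x%08x\n", return_after_unchecked(512));
    printf("unchecked, 516 bytes: slot = 0x%08x\n", return_after_unchecked(516));
    int rc = return_after_checked(516, &slot);
    printf("checked,   516 bytes: rc = %d, slot = 0x%08x\n", rc, slot);
    return 0;
}
```

With 512 bytes the slot still reads 0x08048000; with 516 bytes through the unchecked copy it reads 0x41414141 (four 'A's), which is the overwrite the reply is talking about. The bounded copy returns -1 for the same input and the slot is unchanged. The practical lesson for the defender is the one-line length check, plus building with the compiler's stack protection and keeping privileged services small.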



