Re: Debian Investigation Report after Server Compromises
On Wed, 03 Dec 2003 10:33:34 -0700, Dr. MacQuigg wrote:
> After reading the report at
> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
> and following this newsgroup discussion, I have some very basic questions:
>
> 1) What is a "sniffed password", and how do they know the attacker used a
> password that was "sniffed", rather than just stolen out of someone's
> notebook?
>
> 2) Was the break-in done remotely, or by someone with physical access to
> the machine or network? I thought that "sniffing" required physical access
> to a network over which unencrypted data was being transferred. Are the
> remote logins to Debian servers unencrypted?
>
> 3) How does an attacker with a user-level password gain root access? I
> understand you can call system services that have root access, and provide
> bad data in those calls that will cause buffer overflows, maybe even a
> machine crash, but how does a buffer overflow allow root access? I know
> there is a deep technical explanation for this, but I'm hoping someone can
> explain it in simple terms, or maybe point me to a good article or book
> chapter.
>
> -- Dave

With regard to your question 3, a buffer overflow exploit is always a
stack exploit and is designed to execute arbitrary code with the called
program's privilege. The way it works: you call a privileged
service/program/function, and you pass it a (precisely designed) parameter
which is bigger than it's expecting. The parameter is put on the stack;
then, when returning (because the parameter is bigger than the max size it
was expecting) it will use the beginning of your big parameter as its
return address. For example: Suppose the parameter has a max size of 512
bytes. You construct a parameter 516 bytes long, the first 4 bytes of
which are a branch to the beginning of the other 512 bytes. Those 512
bytes contain the code to execute a shell, for example, (with, of course,
root privilege).

There's a bit more to it than that, but that's it in (poorly explained)
principle. If I didn't get it quite right, no doubt those in here smarter
than me will fix it.
--
....................paul
"I think that gay marriage is something that should be between a man and
a woman."
-- Arnold Schwarzenegger, Governor of California
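
Added example, not part of the original message: a C model of the overflow discussed in the reply above, assuming a simplified frame layout in which the saved return address sits directly after a 512-byte buffer (the struct, function names and address value are constructed for illustration). It shows an unchecked 516-byte copy overwriting the saved return address, and a length-checked copy refusing the same input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 512
#define ORIGINAL_RET 0x08048abcU   /* constructed value, not a real address */

/* Assumed, simplified frame: the saved return address sits just past the buffer. */
struct frame {
    unsigned char buf[BUF_MAX];
    uint32_t saved_ret;
};

/* Models a copy with no length check; capped at the frame so the demo stays defined. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* Hardened form: refuse anything that does not fit in buf. */
static int copy_checked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, in, len);
    return 0;
}

/* Copies len bytes of constructed input (all 'A'); returns 1 if the saved
 * return address is intact afterwards, 0 if it was overwritten. */
int ret_survives(int checked, size_t len)
{
    unsigned char in[BUF_MAX + 4];
    struct frame f = { {0}, ORIGINAL_RET };
    memset(in, 0x41, sizeof in);
    if (len > sizeof in) len = sizeof in;
    if (checked) (void)copy_checked(&f, in, len);
    else         copy_unchecked(&f, in, len);
    return f.saved_ret == ORIGINAL_RET;
}

int main(void)
{
    printf("unchecked, 512 bytes: intact=%d\n", ret_survives(0, BUF_MAX));
    printf("unchecked, 516 bytes: intact=%d\n", ret_survives(0, BUF_MAX + 4));
    printf("checked,   516 bytes: intact=%d\n", ret_survives(1, BUF_MAX + 4));
    return 0;
}
```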