
Re: My sarge box has an IRC bot



On Thu, Jan 11, 2007 at 01:38:09PM -0500, Greg Folkert wrote:
> 
> At one time I had an IRC-Bot on my machine. It was put in /dev/shm/. I
> fixed the access issue (it was writable by anyone)
> 
The fact that /dev/shm is world writable is not an access issue any more
than /tmp being world writable.  In fact, it is commonly used for
inter-process communication amongst *unprivileged* processes.  If you
take away its world writable attribute, your programs that depend on
POSIX shared memory will fail.

> then another one in /tmp/apache-chroot I used for uploads. I turned off
> execute for /tmp (made it its own Filesystem for that)
> 
Yup.  While that will thwart the most naïve of attacks, put a binary
(not a script) in there (something like ls works) and run this:

/lib/ld-linux.so.2 /tmp/ls

Of course, for scripts you can just use /usr/bin/path/to/interpreter.

> Turned out to be a Perl script in Twiki doing the exploit and running
> it.
> 
Ouch.  Something similar happened to a friend of mine through an upload
bug in simplephpblog.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
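
Since the reply above points out that noexec and the execute bit do not stop a file from being run through the loader or an interpreter, a sweep of /tmp and /dev/shm is more reliable when it classifies files by content. This is an added example, not part of the original message; the function names and the sample tree in `demo()` are constructed for illustration, and it assumes a Linux host.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"

def classify(path):
    """Return (kind, has_exec_bit) for ELF files and shebang scripts, else None."""
    try:
        # O_NOFOLLOW rejects symlinks; O_NONBLOCK keeps a planted FIFO from hanging us.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return None
        head = os.read(fd, 4)
    except OSError:
        return None
    finally:
        os.close(fd)
    if head == ELF_MAGIC:
        return ("elf", bool(st.st_mode & 0o111))
    if head.startswith(SHEBANG):
        return ("script", bool(st.st_mode & 0o111))
    return None

def scan(roots):
    """Walk each root; report runnable content whether or not the exec bit is set."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            for name in files:
                path = os.path.join(dirpath, name)
                hit = classify(path)
                if hit:
                    findings.append((path, hit[0], hit[1]))
    return sorted(findings)

def demo():
    """Constructed sample tree standing in for /tmp or /dev/shm."""
    samples = {"bot": ELF_MAGIC + b"\x02\x01\x01\x00",
               "run.pl": b"#!/usr/bin/perl\n", "notes.txt": b"hello\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(d, name), 0o644)  # no exec bit, still runnable content
        return [(os.path.basename(p), kind, xbit) for p, kind, xbit in scan([d])]

if __name__ == "__main__":
    for path, kind, xbit in scan(["/tmp", "/dev/shm"]):
        print(f"{kind:6} exec_bit={xbit} {path}")
```
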
