[CentOS] an actual hacked machine, in a preserved state

Les Mikesell lesmikesell at gmail.com
Mon Jan 2 17:18:44 UTC 2012


On Mon, Jan 2, 2012 at 6:03 AM, Bennett Haselton <bennett at peacefire.org> wrote:
>
> I tried SELinux but it broke so much needed functionality on the server
> that it was not an option.

Pretty much all of the stock programs work with SELinux, so this by
itself implies that you are running 3rd party or local apps that have
write access in non-standard places.  Which is a good start at what
you need to break in.   What apps are those (i.e. the ones that
SELinux would have broken) and if they are open source, have those
projects updated the app or the underlying language(s)/libraries since
you have?

> You
> said SELinux could prevent an exploit from "breaking a process from its
> routine".  But even without SELinux, an attacker who found an exploit that
> could take control of httpd and make it try any action he wanted, still
> wouldn't be able to actually do anything while running as "apache", would
> they?

There have been many, many vulnerabilities that permit local user
privilege escalation to root (in the kernel, glibc, suid programs,
etc.) and there are probably many we still don't know about.  They
often require writing to the filesystem. For example, one fixed around
5.4 just required the ability to make a symlink somewhere.   The
published exploit script (which I've seen in the wild) tries to use
/tmp.  If the httpd process can't write in /tmp, it would fail.

-- 
  Les Mikesell
    lesmikesell at gmail.com
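Added example, not part of the message above or of the CentOS project: the point Les makes is that a confined httpd cannot write to /tmp, so the exploit stage that needs a symlink there fails. When that happens on a machine with SELinux enforcing, auditd records an AVC denial. The script below scans audit records (standard auditd AVC format) for denials where an httpd_t process attempted a write/create/link operation against a tmp_t target; the four log lines are constructed for this example and the field layout (scontext, tcontext, tclass, the braced permission set) is the one auditd emits.

```shell
#!/bin/sh
# Constructed sample audit.log excerpt (not from the thread). Two records are
# denials of httpd_t writing/creating in tmp_t; one is a permitted read and one
# is an unrelated sshd_t denial, neither of which must be counted.
SAMPLE_AVC='type=AVC msg=audit(1325524724.101:201): avc:  denied  { create } for  pid=2201 comm="httpd" name="sess_x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1325524724.102:202): avc:  denied  { write } for  pid=2201 comm="httpd" name="tmp" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1325524724.103:203): avc:  granted  { read } for  pid=2201 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1325524724.104:204): avc:  denied  { write } for  pid=3301 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file'

# Read audit records on stdin and print one summary line per AVC denial in
# which an httpd_t process tried to write, create or link inside a tmp_t
# location. Other subjects, other targets and granted accesses are ignored.
httpd_tmp_write_denials() {
    awk '
        /avc: +denied/ && /scontext=[^ ]*:httpd_t:/ && /tcontext=[^ ]*:tmp_t:/ {
            # the requested permission set sits between the braces, e.g. "{ create }"
            perms = $0
            sub(/.*\{ */, "", perms)
            sub(/ *\}.*/, "", perms)
            if (perms ~ /(^| )(write|create|link|unlink|rename|append|add_name)( |$)/) {
                tclass = $0; sub(/.*tclass=/, "", tclass); sub(/ .*/, "", tclass)
                pid = $0;    sub(/.*pid=/, "", pid);       sub(/ .*/, "", pid)
                comm = $0;   sub(/.*comm="/, "", comm);    sub(/".*/, "", comm)
                printf "pid=%s comm=%s denied {%s} tclass=%s target=tmp_t\n", pid, comm, perms, tclass
            }
        }'
}

# Count such denials. A non-zero result means the confinement described in the
# thread actually fired against the web server and the event deserves a look.
count_httpd_tmp_write_denials() {
    httpd_tmp_write_denials | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a real host feed it
# /var/log/audit/audit.log (or ausearch -m avc output) instead.
printf '%s\n' "$SAMPLE_AVC" | httpd_tmp_write_denials
```

The filter deliberately keys on the SELinux type pair (httpd_t against tmp_t) rather than on comm="httpd", because a compromised worker can rename itself but cannot change its security context; the permission list is restricted to operations that modify the filesystem so that denied reads are not counted as attempted writes.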