[CentOS] Another Fedora decision

Thu Feb 5 02:23:52 UTC 2015
Les Mikesell <lesmikesell at gmail.com>

On Wed, Feb 4, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>

>>> Most such vulns are against Apache, PHP, etc, which do not run as root.
>>
>> Those are common.  Combine them with anything called a 'local
>> privilege escalation' vulnerability and you've got a remote root
>> exploit.
>
> Not quite.  An LPE can only be used against your system by logged-in users.

Or any running program - like a web server.

> To make a blended attack that can read /etc/shadow from an LPE, you need either SSH access or a remote shell vuln, not an arbitrary file read vuln.  Holes that expose an unintended remote shell are quite a bit rarer than ones that allow a service like Apache to send you any file their non-root account has permission to read.
>
> It’s a bit like calling lightning to find a system where both types of vulnerabilities are available at the same time.

No, you exploit the server application hole to tell you about the
kernel vulnerability.   The last one I saw in the wild involved the
symlink race in the kernel around centos 5.2 or .3 and a struts java
library bug.   But there are people who know what combinations of
vulnerabilities to try.

-- 
   Les Mikesell
     lesmikesell at gmail.com