Background:
We recently had a customer's web site suffer an attempted exploit
via one of their cgi scripts. The attempted exploit involved
writing a file into /tmp, then invoking inetd with that file to
get a root shell on a non-standard port. While the exploit
failed, they were able to write the file as user nobody and
invoke inetd. There is not much we can do about that as long
as we permit customers to use their own cgi scripts, which is
a requirement with this type of account.
Issue:
The exploit managed to start inetd, which camped on the specified port,
but inetd, properly, failed as soon as it tried to start the
service (running as user nobody makes doing setuids difficult :-).
Tests by our staff from the command line indicate that any user
is able to start inetd with a local config file associating a
service with a non-standard port. It doesn't WORK but it does
attach to the port, leading to some DoS possibilities, albeit
not very interesting ones.
Recommendation:
A number of the executables located in /sbin and /usr/sbin are
never going to be invoked for any legitimate use by anyone other
than the superuser. In particular, servers such as portmap and
inetd run by non-root users are unlikely to do what was intended.
It seems a prudent measure to simply not set execute permission
by "other" on such programs during the install, giving the user
a handy "Permission denied" message when such an attempt is made.
For those reading quickly, I am NOT recommending removing execute
permission on ALL of /sbin/* and /usr/sbin/*, only on programs
such as "portmap", "inetd", "lpd", "syslogd", "halt", "reboot"
and others which perform no useful function to normal users.
/sbin/init already enforces this condition; how about expanding it?
/\/\ \/\/
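An audit along the lines of the recommendation above, as an added example that is not part of the original message: it reports which of the programs named in the message are still executable by "other". The function names and the directory arguments are assumptions of this sketch; a reported file would be tightened with `chmod o-x`.

```shell
#!/bin/sh
# Added example: report superuser-only programs that "other" may execute.
# The program list is the one named in the message; everything else
# (function names, taking directories as arguments) is an assumption.

ROOT_ONLY_PROGS="portmap inetd lpd syslogd halt reboot"

# other_can_exec FILE -> exit status 0 if the "other" execute bit is set.
other_can_exec() {
    # ls prints the mode string first (e.g. -r-xr-xr-x); keep only the
    # ten mode characters so a trailing ACL marker is ignored.
    # -L follows symlinks so the target's mode is the one inspected.
    mode=$(ls -ldL "$1" | cut -c1-10)
    case "$mode" in
        *[xt]) return 0 ;;   # x = execute, t = sticky bit plus execute
        *)     return 1 ;;
    esac
}

# audit_sbin DIR... -> print each listed program that "other" can run.
audit_sbin() {
    for dir in "$@"; do
        for prog in $ROOT_ONLY_PROGS; do
            f="$dir/$prog"
            [ -f "$f" ] || continue      # program not installed here
            if other_can_exec "$f"; then
                echo "$f"
            fi
        done
    done
    return 0
}

# Typical invocation: sh audit.sh /sbin /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_sbin "$@"
fi
```
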