User's Manual

Solaris 9 Security CX-310-301 37
Privilege Escalation Attacks
Types of Attack
• Trojan Horse – As the name implies, this exploit involves installing or modifying a legitimate
program so that it performs not only its real actions but some additional ones as well. It is these
additional actions that undermine the security of the system and allow unauthorized access. The
attacker must already have gained access (or have legitimate access) to be able to install a Trojan Horse.
• Buffer Overflow – This exploit arises from a programming defect where, for example, 30
characters are stored in a buffer defined to hold only 15. The excess overwrites adjacent stack
entries, corrupting them and allowing the attacker to introduce new code that is executed at a
different return location. The code at that return location could be a Unix shell with root
privileges, for example. Some Solaris services suffer from buffer overflow vulnerabilities that an
attacker might exploit, but the majority can be prevented by keeping current patches installed on
the system. If an attacker has already gained access to the system and has access to a compiler,
it is potentially very easy for that attacker to gain privileged access.
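The 15-character buffer from the paragraph above, shown as an added example (not code from the study guide or from any Solaris component): the defective unbounded copy sits beside a bounded copy that knows the buffer's real capacity, always NUL-terminates, and reports oversized input so the caller can reject or log it rather than overwrite the stack. The function names and the 30-character sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* The 15-character field from the text, plus one byte for the terminator. */
#define FIELD_LEN 15

/* Defective pattern (shown for contrast, never call it on untrusted input):
 * strcpy() keeps writing until it finds a NUL in src, so a 30-character
 * string written into a 16-byte buffer runs past its end and corrupts the
 * stack entries the compiler placed after it, including the return address. */
void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened pattern: the caller passes the real capacity of dst. Input that
 * does not fit together with its terminator is rejected outright (dst is
 * left as an empty string) and the caller is told, so nothing is silently
 * truncated and nothing is written past the end of the buffer. */
bool copy_bounded(char *dst, size_t capacity, const char *src)
{
    if (capacity == 0)
        return false;
    size_t n = strlen(src);
    if (n >= capacity) {        /* no room for n characters plus the NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);    /* n + 1 copies the terminating NUL too */
    return true;
}

/* Convenience wrapper for a fixed 15-character field. */
bool accept_field(const char *src, char out[FIELD_LEN + 1])
{
    return copy_bounded(out, FIELD_LEN + 1, src);
}

int main(void)
{
    char field[FIELD_LEN + 1];
    /* Constructed inputs: exactly 15 characters, then the 30 from the text. */
    const char *fits     = "123456789012345";
    const char *overflow = "123456789012345678901234567890";

    printf("15 chars: %s\n", accept_field(fits, field) ? "accepted" : "rejected");
    printf("30 chars: %s\n", accept_field(overflow, field) ? "accepted" : "rejected");
    return 0;
}
```

Rejecting rather than truncating is the safer default for fields such as usernames or paths, where a silently shortened value may still be accepted by later code and mean something different from what was sent.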
• Backdoor – This provides an alternative entry point to a system that is not publicly known,
whether it is malicious or accidental. Programmers often leave backdoors in their code to allow
additional debugging, and sometimes forget to take them out when the program becomes operational.
These could range from simply creating an extra root user to changing the ownership and
permissions of, say, a physical device file to gain access. An accidental backdoor could be exploited
by an intuitive attacker, but normally access has to be obtained first in order to install a
backdoor.
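The "extra root user" backdoor described above leaves a trace in the password file: a second account with UID 0. The following audit, added here as an example and not taken from the study guide or from Solaris itself, parses passwd-format lines and counts UID-0 accounts other than root as well as accounts whose password field is empty. The sample passwd text is constructed for the example, and the function names are assumptions; point audit_passwd_file at a real /etc/passwd to run it on a system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /etc/passwd format (not from a real system). "toor"
 * is the kind of extra UID-0 account the text describes; "guest" has an
 * empty password field. */
static const char *SAMPLE_PASSWD =
    "root:x:0:0:Super-User:/:/sbin/sh\n"
    "daemon:x:1:1::/:\n"
    "bin:x:2:2::/usr/bin:\n"
    "toor:x:0:0:backup admin:/:/sbin/sh\n"
    "guest::1001:10:Guest:/export/home/guest:/bin/sh\n"
    "alice:x:1002:10:Alice:/export/home/alice:/bin/ksh\n";

typedef struct {
    int extra_uid0;      /* UID-0 accounts whose name is not "root" */
    int empty_password;  /* accounts with an empty password field */
} audit_result;

/* Split one passwd line (name:passwd:uid:gid:gecos:home:shell) in place and
 * update the counters. Returns 1 if the line was well formed, 0 otherwise. */
static int audit_line(char *line, audit_result *r)
{
    char *field[7];
    int i = 0;
    char *p = line;
    while (i < 7) {
        field[i++] = p;
        char *colon = strchr(p, ':');
        if (!colon)
            break;
        *colon = '\0';
        p = colon + 1;
    }
    if (i < 3)                    /* need at least name, passwd and uid */
        return 0;
    char *end;
    long uid = strtol(field[2], &end, 10);
    if (field[2][0] == '\0' || *end != '\0')
        return 0;                 /* non-numeric uid: treat as malformed */
    if (uid == 0 && strcmp(field[0], "root") != 0)
        r->extra_uid0++;
    if (field[1][0] == '\0')
        r->empty_password++;
    return 1;
}

/* Audit a whole passwd file held in memory. Returns the number of
 * well-formed lines examined and fills in the counters. */
int audit_passwd(const char *text, audit_result *r)
{
    memset(r, 0, sizeof *r);
    size_t len = strlen(text);
    char *copy = malloc(len + 1);      /* strtok modifies its input */
    if (!copy)
        return 0;
    memcpy(copy, text, len + 1);
    int lines = 0;
    for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n"))
        if (audit_line(line, r))
            lines++;
    free(copy);
    return lines;
}

/* Read a passwd file from disk and audit it. Returns -1 if it cannot be read. */
int audit_passwd_file(const char *path, audit_result *r)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char buf[65536];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return audit_passwd(buf, r);
}

int main(void)
{
    audit_result r;
    int lines = audit_passwd(SAMPLE_PASSWD, &r);
    printf("%d accounts examined: %d extra UID-0 account(s), %d empty password(s)\n",
           lines, r.extra_uid0, r.empty_password);
    return 0;
}
```

A clean system should report zero in both columns; any non-zero value is worth comparing against the last known-good copy of the file, which is one reason to keep such baselines off the host where an attacker with root could not alter them.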
• Rootkit – A rootkit is an entire package not only for accessing a system but also for covering the
attacker's tracks once inside. An attacker doesn't need to be a system expert to use one of these:
someone else will have done all the hard work, and the attacker just uses it (rather like a script
kiddie). A rootkit will typically contain utilities to remove log entries, for example. Centralized
logging negates a lot of the rootkit's functionality. Using a rootkit successfully allows an attacker
to remain unnoticed and then leave a backdoor for future attacks. It should be noted that the
attacker must already have gained access to the target system in order to install the rootkit.
• Loadable Kernel Module – A different kind of rootkit in which the live running kernel is exploited.
The attacker must first have gained root access and then installs two kernel modules: one installs
the utilities needed for the attack, and the second makes sure that the loaded modules do not
appear in a modinfo listing if one is run by the system administrator.
• Symbolic Links – Symbolic links (or soft links) are extremely useful, but they can also be very
dangerous. A system administrator could unintentionally leave a symbolic link to a root-owned
file, for example, giving an attacker instant access to privileged data or programs. An attacker
must already have gained access to the system for this exploit to be used.