cross-platform virus
John
dingo at coco2.arach.net.au
Mon Apr 10 01:14:40 BST 2006
Daniel Robitaille wrote:
> On 4/8/06, Shawn McMahon <smcmahon at eiv.com> wrote:
>
>>On Sat, Apr 08, 2006 at 10:57:37AM +0800, Senectus . said:
>>
>>> 6. su root
>>> 7. make install
>>
>>If we're going to install viruses, let's do it the "right" way:
>>
>>sudo make install
>
>
> I always wondered about the potential of a problem with sudo in the
> context of a linux virus/worm script. Let's say that "virus" had the
> line "sudo rm -Rf /", and that script/virus was run automatically
> because of an action of the user in an application with a bug/security
> weakness (by reading an email, clicking a link in firefox, whatever).
> Obviously it wouldn't work (sudo needs to ask for a password), unless
> the user had done a sudo command within the last 15 minutes, and the
> sudo command still has a token not to ask for a new password.
>
> Wouldn't making Ubuntu's sudo asking for a password every single time
> instead of the current once-per-15-minutes make the OS more secure
> and immune to this type of simple script with a damaging payload? But
> of course that would be annoying while using sudo in our day-to-day
> usage, but for an increased security I would consider doing it (and
> actually do on one of my system)
sudo's tickets can be tied to a specific tty; while not foolproof, it
makes the use of sudo to do this kind of thing rather problematic,
requiring the victim to
1. Create a new tty (eg open konsole or gnome-terminal)
2. Authenticate using sudo
3. Undo 1.
Only then might the victim be vulnerable.
To exploit the vulnerability, the attacker then needs the attack vector.
Knowledgable users should check their email clients & such to check that
they do not automatically run executable content (some years ago kmail
tried but failed as it didn't do the chmod); if they do, then report it
as a bug and, as needed, argue for it to be fixed.
Note that one does not have to be root to do evil things. Root kits _I_
have seen would have been more effictive if not run as root - buggering
up /bin and /sbin wrongly causes the system to not run and then it's
immediately apparent something's wrong. OTOH quitely installing an IRC
bot as an existing (or maybe new) user may well go undetected for quite
some time.
More information about the sounder
mailing list