Installing a compiler by default

Cefiar cef at optus.net
Fri Jun 16 03:49:08 BST 2006


On Friday 16 June 2006 09:38, Michael T. Richter wrote:
> On Thu, 2006-15-06 at 13:27 -0400, Shawn McMahon wrote:
> > > But if your target is Ubuntu it will be trivial to work around the lack
> > > of a compiler.  You're root - you can just upload one or even apt-get
> >
> > Your target is usually "several million Linux boxes", not "this
> > particular Ubuntu box".  You're right that lack of a compiler is very
> > little defense against some guy trying to break into your box; but it's
> > of more use against some guy trying to break into all of them.
>
> How difficult is it to write a script that tries the three major package
> downloading schemes?  Something along the lines of:
>
>         apt-get gcc
>         if that didn't work:
>
>                 whatever-redhat-uses gcc
>                 if that didn't work:
>
>                         whatever-gentoo-uses gcc

All 3 require root on the machine to install in the usual places. You could 
possibly install it in a subdir or something (more than just a 
simple 'apt-get'), but that's a lot more complex, which is the whole 
objective - make it more complex than the usual lowest common denominator - 
avoid being the low-hanging fruit.

Remember, these guys go for the biggest win case. If most all systems have 
gcc, then why not use this lowest common denominator? Another useful part of 
making their job more complex is that then it's more likely they'll make a 
mistake in their code, and with any luck it won't do what was intended, or at 
least not as well as they expect.

Please note: It's quite possible to write code as a user that can then RUN as 
root, assuming that the system is vulnerable via another method (e.g. a local 
root exploit). Some local root exploits require a fair bit of detail from the 
machine in question to run, so compiling the code on the target machine makes 
it a bit easier in many cases to do this.

-- 
 Stuart Young - aka Cefiar - cef at optus.net
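
A defender's check for the point discussed in this message, as an added example that is not part of the original post: it lists toolchain binaries found on a search path and reports whether every local user may execute them or only a restricted set. The function name `audit_compilers` and the list of tool names are assumptions made for illustration.

```shell
#!/bin/sh
# Tool names treated as "a compiler is present" (assumed list; extend as needed).
COMPILER_NAMES="gcc cc g++ c++ clang tcc as ld make"

# audit_compilers DIRLIST
#   DIRLIST: colon-separated directories, same syntax as $PATH.
#   Prints one line per toolchain binary found:
#     <world|restricted> <permission string> <path>
#   "world" means the execute bit for "other" is set, so any local
#   account (including a compromised service account) can run it.
audit_compilers() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        for name in $COMPILER_NAMES; do
            # Plain name plus versioned variants such as gcc-4.0
            for f in "$dir/$name" "$dir/$name"-[0-9]*; do
                # -f follows symlinks; unmatched globs and dangling links are skipped
                if [ -f "$f" ]; then
                    # -L reports the link target's mode (gcc is often a symlink)
                    perms=$(ls -ldL "$f" | cut -c1-10)
                    case $perms in
                        ?????????[xt]) exposure=world ;;
                        *)             exposure=restricted ;;
                    esac
                    printf '%s %s %s\n' "$exposure" "$perms" "$f"
                fi
            done
        done
    done
    IFS=$old_ifs
    return 0
}

# Audit the directories given as the first argument, or the current PATH.
audit_compilers "${1:-$PATH}"
```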