
Re: Insecurities in Non-exclusive Socket Binding

From: Oliver Friedrichs <oliver_friedrichs(at)symantec.com>
Date: Tue Mar 11 2003 - 11:38:44 EST

Firosh Ummer wrote:
>>Socket hijacking itself is not new - it has been cited in several sources
>>on the net. What I find disturbing is how easy it is for an attacker to

>This is an old, old story. I remember reading many years ago about this

This is true. In fact, I wrote a proof-of-concept NFS server in 1996 for this. It simply took over port 2049 for a brief period, and sent a setuid-root copy of /bin/sh over to the client system. Of course it wouldn't work if it was mounted nosuid, but in other cases, anyone executing the shell on the client that had a mounted filesystem from the server running the fake NFS server would become root.

Oliver Friedrichs
Sr. Manager - DeepSight
Symantec, Inc.

Received on Tue Mar 11 12:06:22 2003
