
Thread: Linux IDS Vulnerability

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Linux IDS Vulnerability

    Linux-Intrusion Detection System vulnerability

    The use of LD_PRELOAD can make a program with privileges given by LIDS execute an attacker's code. This means that a root intruder can get every capability or fs access you configured LIDS to grant. Moreover, if you granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could deactivate LIDS and thus access any file.


    LIDS Advisory 1
    ================
    -------------------[BUG #1]-------------------------

    Severity : CRITICAL
    Discovery : Stealth
    Original advisory :
    http://www.team-teso.net/advisories/...visory-012.txt

    Description :
    -------------

    The use of LD_PRELOAD can make a program with privileges given by LIDS execute an attacker's code. This means that a root intruder can get every capability or fs access you configured LIDS to grant. Moreover, if you granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could deactivate LIDS and thus access any file.

    In some configurations, this also leads to users being able to become root (there must be a program granted CAP_SETUID which is not setuid).

    Systems affected :
    ------------------

    Every LIDS patch whose version is lower than or equal to 1.1.0 for the 2.4 series.
    Every LIDS patch whose version is lower than or equal to 0.11.0pre1 for the 2.2 series.

    You can find a little shell script here to see whether you are vulnerable:
    http://www.lids.org/download/test-lids.sh
    http://www.lids.org/download/test-lids.sh.asc
    Remember that it's only a silly test that does obvious things, and that those tests may fail if it is not run in the context I wanted it to be run in.

    Solution :
    ----------

    For 2.4 users :
    http://www.lids.org/download/lids-1....-2.4.16.tar.gz
    http://www.lids.org/download/lids-1.....16.tar.gz.asc

    For 2.2 users :
    Use the patch against 0.10.1 :
    http://www.lids.org/download/LIDS-se...2.2.20.diff.gz
    http://www.lids.org/download/LIDS-se...20.diff.gz.asc

    The 0.11.0pre2 version is not vulnerable, but it is broken.
    -------------------[BUG #2]-------------------------
    Severity : CRITICAL
    Discovery : Phil

    Description:
    ------------
    Programs launched before LIDS is sealed keep full CAPS after the sealing. We could imagine shell code that makes a daemon from the pre-sealing era deactivate LIDS using CAP_SYS_RAWIO or CAP_SYS_MODULE.

    Systems affected :
    -------------------
    Same as BUG #1

    Solution :
    -------------------
    Same as BUG #1

    -------------------[BUG #3]-------------------------
    Severity : CRITICAL
    Discovery : Stealth

    Description:
    ------------
    A program in a shell script which inherits LIDS capabilities/ACLs can be redirected to another evil program using PATH, ALIAS etc. That evil program can also gain that capability/ACL from its parent, the shell script.

    This bug is as severe as BUG #1.

    Systems affected :
    ------------------
    Same as BUG #1

    Solution :
    ------------------
    Same as BUG #1

    -----------------
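    A defender-side illustration of what BUG #1 and BUG #3 above mean for a shell script that may inherit LIDS-granted capabilities: scrub the loader variables the caller controls and pin the command search path before anything privileged runs. This is an added example, not the advisory's test-lids.sh and not LIDS code; the function names and the variable list are assumptions.

```shell
#!/bin/sh
# Hardening prologue for a script that may run with LIDS-granted capabilities.
# Helper names and the variable list below are assumptions made for this example.

# Environment variables the dynamic loader honours; any of them lets the caller
# inject or redirect code into this process (BUG #1). Constructed list.
LOADER_VARS="LD_PRELOAD LD_LIBRARY_PATH LD_AUDIT LD_DEBUG LD_PROFILE"

# Fixed search path so the caller's PATH cannot redirect commands (BUG #3).
SAFE_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# scrub_loader_env: unset every loader variable that is set and record the
# names in SCRUBBED_VARS so the script can log what the caller tried to pass.
scrub_loader_env() {
  SCRUBBED_VARS=""
  for v in $LOADER_VARS; do
    # eval only dereferences a name taken from our own fixed list above.
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then
      SCRUBBED_VARS="$SCRUBBED_VARS $v"
      unset "$v"
    fi
  done
  SCRUBBED_VARS="${SCRUBBED_VARS# }"
}

# path_is_trusted PATHVALUE: succeeds only if every entry is absolute and
# non-empty (an empty entry or "." means "current directory", which the
# caller controls).
path_is_trusted() {
  case ":$1:" in
    *::*|*:.:*|*:[!/]*) return 1 ;;
  esac
  return 0
}

# harden_script_env: apply all of the above plus shell-level resets:
# default IFS, no inherited aliases, no cached command locations, tight umask.
harden_script_env() {
  scrub_loader_env
  PATH="$SAFE_PATH"; export PATH
  IFS=$(printf ' \t\nx'); IFS=${IFS%x}   # space, tab, newline
  unalias -a 2>/dev/null || true
  hash -r 2>/dev/null || true
  umask 077
}
```

    This only cleans the script's own process; the kernel-side fix is the patched LIDS version the advisory links, since programs granted capabilities directly by LIDS are affected regardless of how a script calls them.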

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    sweet!!! thanx for the info...

    but I'm surprised you still don't know about the etherbunny s0nic!
    ~THEJRC~
    I'll preach my pessimism right out loud to anyone that listens!
    I'm not afraid to be alive.... I'm afraid to be alone.

  3. #3
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    hahaah i swear! i dunno what the etherbunny is!!
    can u explain to me what the etherbunny is??? coz its really buggin me.. lolz
