On Fri, 11 Mar 2005, Eygene A. Ryabinkin wrote:
>> $ globus-job-run ce001.m45.ihep.su:2119/jobmanager-fork /bin/ls -l /usr/bin/ssh
>> -r-s--x--x 1 root root 273832 Sep 17 2003 /usr/bin/ssh
>> The first one doesn't need comment, I think. The second one is quite
>> suspicious - there is no reason for ssh client to be setuid root.
> Actually, there is: for openssh < 3.3 ssh IS setuid to make rhosts and
> hostbased auth work.
Unfortunately, this is not the case:
$ globus-job-run ce001.m45.ihep.su:2119/jobmanager-fork /bin/rpm -qi openssh-clients | grep -i version
Version : 3.6.1p2
> One possible breakin path is via stock sendmail in RH 7.3 that gives you
> local root. At least for LCG-2.2.0 it is so, and, as I understand,
> LCG-2.3.0 installs the same version: 8.11.6-27.73. I myself tested it on
> 2.2.0 -- it perfectly gives local root. So chances are quite big, that for
> 2.3.0 it is so. I don't know about 2.3.1, but I'll investigate it today.
> Just my 2 cents.
There are many other possible attack vectors against stock LCG 2_3_x
installation. For example the kernel at Protvino site can be owned using
the old sys_uslib() technique, etc.
--
Jiri Kosina
Institute of Physics, Academy of sciences of the Czech Republic
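As an added defender-side example (not part of the thread, and not code from either poster), the check discussed above can be scripted: parse `ls -l` output for setuid/setgid bits, compare against an allowlist of binaries that are expected to carry them, and apply the thread's own rule that only an OpenSSH client older than 3.3 is expected to be setuid. The allowlist and the extra `ls -l` sample lines are constructed for the example; the `/usr/bin/ssh` line and the version `3.6.1p2` are the ones quoted in the mail.

```sh
#!/bin/sh
# Added example, not from the thread: audit `ls -l` lines for setuid/setgid
# bits and decide whether a setuid ssh client is expected for the OpenSSH
# version installed.

# Constructed allowlist of paths where a setuid/setgid bit is expected.
ALLOWED_SETUID="/usr/bin/passwd /usr/bin/sudo /bin/su"

# Constructed sample: first line is the one quoted in the mail, the rest are
# made up to exercise the allowlist and the setgid case.
SAMPLE_LS='-r-s--x--x 1 root root 273832 Sep 17 2003 /usr/bin/ssh
-rwxr-xr-x 1 root root 43000 Jan 1 2005 /bin/ls
-rwsr-xr-x 1 root root 22000 Jan 1 2005 /usr/bin/passwd
-rwxr-sr-x 1 root root 11000 Jan 1 2005 /usr/bin/wall'

# Read `ls -l` lines on stdin; print the path of every entry whose mode string
# carries a setuid (4th char) or setgid (7th char) bit and that is not listed
# in ALLOWED_SETUID.
find_unexpected_setuid() {
    while read -r mode _links _owner _group _size _m _d _y path; do
        [ -z "$mode" ] && continue
        user_x=$(printf '%s' "$mode" | cut -c4)
        group_x=$(printf '%s' "$mode" | cut -c7)
        case "$user_x$group_x" in
            *[sS]*) ;;          # at least one of the bits is set
            *) continue ;;      # plain executable, nothing to report
        esac
        case " $ALLOWED_SETUID " in
            *" $path "*) ;;     # expected, skip
            *) printf '%s\n' "$path" ;;
        esac
    done
    return 0
}

# The mail states that OpenSSH before 3.3 shipped a setuid ssh client for
# rhosts/hostbased auth. Returns 0 when the version string (e.g. "3.6.1p2")
# is older than 3.3, i.e. when a setuid ssh client would be expected.
setuid_ssh_expected_for() {
    major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    major=${major:-0}; minor=${minor:-0}
    [ "$major" -lt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -lt 3 ] && return 0
    return 1
}

# Combine both checks for the ssh client: prints "ok" (no setuid bit),
# "expected" (setuid, but version < 3.3) or "suspicious" (setuid on >= 3.3).
classify_ssh_client() {
    mode=$1; version=$2
    case "$(printf '%s' "$mode" | cut -c4)" in
        [sS]) if setuid_ssh_expected_for "$version"; then echo expected; else echo suspicious; fi ;;
        *) echo ok ;;
    esac
    return 0
}

# Demo over the constructed sample and the version quoted in the mail.
printf '%s\n' "$SAMPLE_LS" | find_unexpected_setuid
classify_ssh_client '-r-s--x--x' '3.6.1p2'
```

On a real host the `ls -l` lines would come from `ls -l` over a list of binaries or from `find / -perm -4000 -o -perm -2000`, and the version from `rpm -q openssh-clients` as in the mail; the classification logic stays the same.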