Wednesday, January 19, 2005

There's no such thing as a local exploit

Some people feel safe knowing that they have zero or only one remote exploit, even though they have 400 local ones, because they're the only local user on their local desktop box. This is a falsehood. Local exploits are just as dangerous, if not more so, than remote exploits.

A remote exploit doesn't always mean root access. If an attacker exploits Firefox or XMMS, he can get local user access. This could be just a normal user account, but it's a way in. The more common social engineering tactics don't even need a remote exploit if the worm does something pretty, like display fireworks or pretend to be a screensaver.

This means that access to a local account, whether by remote exploit or by social engineering and worms, is fairly likely. Complex attacks aren't needed, nor are large amounts of stealth. Payloads don't need to go on the same day. All that's needed is one simple remote exploit into a user's account. Just slip a bit of a program in, make changes to the user's account, dump a worm in ~/.mozilla/firefox/plugins.p9, then crash Firefox gracefully, and nobody will suspect anything.

With the above attack on Firefox, the user predictably sees a bug in the browser, and ignores it. The worm can now run when the user logs in and check a site for encrypted plug-ins to let it attempt to exploit local privilege elevation exploits. This allows the worm to spread to other accounts or, ideally, to root. Since the plug-ins are encrypted, an IDS won't notice the malicious code. Base64 encode the encrypted data and it looks just like text.

Even if the worm doesn't get root with a local exploit, it can spread around user accounts and gain a better operating position. Worm children can use AF_UNIX sockets or shared memory keys to communicate and operate distributed across user accounts to look less suspicious. They could even operate with a Firefox extension to do the networking tasks from the Firefox process.

Soon enough the worm can get a plug-in to gain local root using a local exploit. Now that it has root, it can make sure that it installs a setuid binary similar to sudo to allow root access when the vulnerability is fixed. This will allow the worm to continue to get root from any account, and possibly to connect to the attacker and give him a root shell.
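The chain above ends with two artifacts a defender can look for: a file dropped into a user-writable directory that a program loads from (the profile plugin directory in the Firefox example) and a new setuid binary that survives the fix of the original vulnerability. The following Python is an added example, not code from the original post; it takes a baseline inventory of setuid/setgid files under a tree, diffs a later inventory against it, and lists executable or ELF files sitting in a profile directory. All paths and file contents in `demo()` are constructed for illustration, and `fake_su` is a hypothetical name.

```python
import hashlib
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"


def hash_file(path):
    """SHA-256 of a file, so a replaced setuid binary shows up as 'changed'."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_setuid(root):
    """Inventory {relative_path: (owner_uid, sha256)} of every regular file
    under root with the setuid or setgid bit set (symlinks are not followed)."""
    found = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(path, root)] = (st.st_uid, hash_file(path))
    return found


def diff_setuid(baseline, current):
    """Return (added, removed, changed) relative paths between two inventories."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed


def profile_executables(directory):
    """Relative paths of regular files in a user profile directory that carry an
    execute bit or start with the ELF magic; plugin/extension dirs rarely need either."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(directory):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as f:
                is_elf = f.read(4) == ELF_MAGIC
            if is_elf or st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                hits.append(os.path.relpath(path, directory))
    return sorted(hits)


def demo():
    """Constructed scenario: clean baseline, then a new setuid file and a dropped
    ELF appear, mirroring the persistence steps described in the text."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        profile = os.path.join(root, "profile", "plugins")
        os.makedirs(bindir)
        os.makedirs(profile)

        legit = os.path.join(bindir, "passwd")  # stand-in for a packaged setuid tool
        with open(legit, "wb") as f:
            f.write(b"constructed sample, not a real binary\n")
        os.chmod(legit, 0o4755)
        baseline = find_setuid(root)

        with open(os.path.join(profile, "prefs.txt"), "wb") as f:
            f.write(b"plain configuration text\n")  # benign, no exec bit
        with open(os.path.join(profile, "libdropped.so"), "wb") as f:
            f.write(ELF_MAGIC + b" constructed sample\n")  # ELF magic, no exec bit

        backdoor = os.path.join(bindir, "fake_su")  # hypothetical new setuid file
        with open(backdoor, "wb") as f:
            f.write(b"constructed sample, not a real binary\n")
        os.chmod(backdoor, 0o4755)

        return {
            "setuid_diff": diff_setuid(baseline, find_setuid(root)),
            "profile_executables": profile_executables(profile),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to disk right after installation (or derived from package manager metadata) and the diff run periodically; a setuid file that the package manager does not know about is the signal, and the hash catches a legitimate binary that has been swapped in place.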

This is how a local exploit can be turned into a remote exploit. It only requires an existing remote exploit. This does not have to be a software vulnerability; simply riding with a trojan horse through e-mail or Web downloads is a common way for worms to spread using social engineering, which can be thought of as an exploit in the user himself.

Many worms today have demonstrated not only social engineering tactics, but combined remote exploit tactics. Worms which use multiple exploits or combined tactics, such as worms deployed through an MP3 or PNG image that infect other MP3s or JPEGs sparsely, and swap themselves via e-mail or simply by riding with the media in a file-swapping program, are becoming more prevalent. Because this won't normally gain root access, local exploits become very valuable to an attacker, even on a single user system.
