
[linux-security] Re: Programming ...



From: Wade Maxfield <maxfield ctelcom net>

>   Many thanks to the moderator who pointed out errors and suggested the
> correct information on this post.  Over half the ideas are due to him. ;)

>    1.  Programs put data in local variables in functions. These variables
>  are on the computer stack.  Feeding data to those variables (usually
>  string variables) causes the stack to be corrupt. Most often the
> perpetrator will put code into the string buffer and put the return
> address of the code in the string buffer into the correct location in the
> stack. When the program exits ...

When the function returns ...

>   In one case I saw, a perp deleted /etc/hosts.deny, ran adduser to create
> user rewt, then telnetted into the system.  /etc/hosts.deny is now "chattr
> -i".  What stopped the perp in that case was that /etc/skel/.bashrc had an
> exit at the end of the script.  He was immediately logged out and went
> away.  He was using the buffer overflow in named 4.9.6 to do it.

Was that "chattr +i"?   What difference does it make against root?
What if he copied /bin/sh over tcpd and a daemon instead?
Imagine "telnet  stream  tcp     nowait  root    /bin/sh /bin/sh",
I may test this - it looks dangerous.


>   In the past, I have had a situation where a shell was running the
> program, and the executable did a GPF.  The shell was left standing
> with a prompt, as the root user.  In this case, the perp used the
> open communication link to run commands as root.

How was it called?


>   A race condition can exist that can cause the daemon to copy or send a
> file to the wrong location.  A race condition is called that due to the
> winner being the first one to win the "race."  Basically, if your program
> checks permissions and then decides to do something with the information
> it gathered, then does it, it will be vulnerable to a race.

A fairly crude way of checking for this is at
http://www.notatla.demon.co.uk/SOFTWARE/SCANNER/scanner-1.0b.tar.gz
Better to think about how you write the code though.

>   To handle this, you must put in a lot of thought. Generally, a file
> operation is a serial resource that is being used in a multitasking
> environment.  The traditional ways to deal with serial resources are 1)
> use gatekeepers to enforce serial access to a serial resource, and 2) lock
> the system down so that you own all of the cpu cycles until completion of
> your operation on a serial resource, or 3) don't use the serial resource
> at the multitasking level.

Dropping privs from root to user for handling user files is good too.


>   To not use serial resources at the multitasking level, push them into
> device drivers which run atomically. They are not interrupted (if they
> disable interrupts) and can finish dealing with one request at a time.

I wonder if this really helps with the original question.

>   You can also create a crc of your input file(s) while you can trust
> them. Move your input files(s). Verify the crc still is the same on the
> resulting output files.

CRC is actually weak against deliberate modification.  See the tripwire
program for several stronger functions for this purpose.

Look at ssh if concerned about IP spoofing.  You might find you
can avoid writing your program as a daemon if you use ssh to reach it.

>   4.  Denial of Service (DOS) attacks can be generated by sending the
> wrong kind of data or a large amount of data to a TCP/IP daemon,
> causing it to freeze on a port or zombie or become a runaway process
> chewing up all cpu cycles.  As the moderator pointed out, this stops
> servicing of legitimate users.


>  If you must remain standing at all times, limit the number of daemons and
> their duration.  Put automatic reject mechanisms on information coming
> from the same ip faster than a certain rate.  

Hashcash can be used to "charge" for connections so you can make the client
use more computing power than the server.  Anybody now trying to DoS your
box by that method.  It is used in my (usable but unfinished)

http://www.notatla.demon.co.uk/SOFTWARE/angel.0.5.tar.gz


--
##############################################################
# Antonomasia   ant notatla demon co uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
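The check-then-act race discussed above (permissions checked on a name, then the name used again) next to the open-then-fstat form that closes the window, as an added example in C that is not from the post or its author. The function names and the scratch directory under /tmp are my own choices.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use, the pattern the post warns about: the name is resolved twice,
 * so swapping the path (e.g. for a symlink) between the calls defeats the check. */
int open_user_file_racy(const char *path, uid_t uid)
{
    struct stat st;
    if (stat(path, &st) != 0 || st.st_uid != uid || !S_ISREG(st.st_mode))
        return -1;
    return open(path, O_RDONLY);   /* second resolution: the race window */
}

/* Hardened: open first, then inspect the object actually opened via fstat().
 * O_NOFOLLOW refuses a symlink as the final component; st_nlink == 1 rejects
 * a hard link planted to alias someone else's file. */
int open_user_file_safe(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd >= 0 && fstat(fd, &st) == 0 && st.st_uid == uid &&
        S_ISREG(st.st_mode) && st.st_nlink == 1)
        return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* Constructed self-check in a scratch directory: a regular file plus a symlink
 * to it. Returns 1 when the racy opener accepts the link while the hardened
 * one refuses it but still accepts the real file. */
int demo_symlink_check(void)
{
    char dir[] = "/tmp/toctouXXXXXX", real[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/real", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(real, lnk) != 0) return -1;
    close(fd);
    int racy = open_user_file_racy(lnk, getuid());
    int safe = open_user_file_safe(lnk, getuid());
    int direct = open_user_file_safe(real, getuid());
    int ok = racy >= 0 && safe < 0 && direct >= 0;
    if (racy >= 0) close(racy);
    if (direct >= 0) close(direct);
    unlink(lnk); unlink(real); rmdir(dir);
    return ok;
}
```

Dropping root to the file owner before the open, as the reply suggests, is still worth doing on top of this: then even a check that is fooled cannot reach files the user could not open anyway.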
