Saturday, February 23, 2008

Writing into Another User’s Special Files

Depending on the version of UNIX you are using, the system will run a login script for you during the login process just before you are given control of a shell. If this script file is world writable, other users can insert commands that run automatically when you log in. This attack is another way to trick you into running commands without knowing your password. An attack such as this is detectable in the audit trail by looking for the following:

Internet 2010

AUID = user-X

File write or create event

Object of the operation is owned by another user (not user-X)

Why not look at the EUID of the process that emits the file operation event? If the hacker manages to exploit a SUID or SGID program to change the user's files, the EUID or EGID will be set to the owner of the SUE) or SGID program, not the hacker's UID. To really know the subject of the operation, you need to look at the AUID. This value is the only one that persists despite changes in the EUID or RUID.

Similar attacks can be detected by looking for other operations, such as a user reading from the directory of another user. However, watching for this type of activity may not be reasonable on your systems. If your users have a fairly open environment and constantly share data from their respective directories, you do not want to be bothered by alerts each time this happens. Looking for evidence of tampering in the special files should be enough in these cases. Should you require a tighter environment in which users should not be nosing around in directories belonging to others, you can look for events such as the following:

AUID = user-X

Is, fork, exec events

¨ Object (program executed or directory read) not owned by user-X

No comments:

Internet Blogosphere