
Thread: remote root

  1. #21 abhaythehero

    Principle of least privilege

    Well, the thread is turning out to be quite a good discussion, and here are my 2 cents.

    From Wikipedia, "Principle of least privilege":

    The principle of least privilege forces code to run with the lowest privilege/permission level possible so that, in the event this occurs—or even if execution picks up from an unexpected location—what resumes execution does not have the ability to do bad things. One method used to accomplish this can be implemented in the microprocessor hardware. In the Intel x86 architecture, the manufacturer designed four (ring 0 through ring 3) running "modes".
    As implemented in some operating systems, processes execute with a potential privilege set and an active privilege set. Such privilege sets are inherited from the parent as determined by the semantics of fork().
    This means that good software following a good security model for its architecture will designate to its sub-processes only those permissions which the sub-process essentially needs.

    Suppose a sub-process needs to read the filesystem. The OS (in this case the software) will only allow it to read the filesystem. Boom, that's all. No more playtime. Also, if you want to do something outside your access level, contact the OS and it will do it for you by granting the API call you made. That is why you must have seen the UAC setting prompting you in Windows to authorize some program which has suddenly decided to exceed its access level (the one with which it was installed).

    This security model is followed by most software (https://www.google.co.in/#q=security...ent+privileges) and even by good system administrators. Good administrators maintain a hierarchy of sorts to give processes only as much as they need, and not much more.

    So if you hack an Apache service, you can get root permissions depending on whether it was running as root or not. If Apache was running as some other user, you will get only that user's permissions.

    You may also remember the example of using Metasploit, where when we exploit the service, we only get the access level with which the service was running (thanks to b0nd for pointing this out). The only way to escalate privileges was to steal the access token of some other process which ran at a higher privilege, or to use a local privilege escalation exploit where we find a vulnerability in a process running with high privilege, because then our code will also run with that escalated privilege. (Check the SecurityTube Metasploit videos if you find me vague.)

    -------------------------------------------------------------------------------------

    Finally, your idea. Suppose you deploy a vulnerable software and it is being deployed with permission x. The installer itself has permission x. You wanted it to get permission x+1. Now if you exploit the software, your code will only have the permission to run with permission x.
    Now if the installer had permission x+1 to deploy code, then your vulnerable software would also be executed as x+1, and you get x+1 on exploiting it. But the question is, why would you want x+1 if you already have x+1?? [Refer to the image hackuin posted.]

    But you can be lucky and get a poor software or a bad architecture, where basic work is also done with the facility of high privileges. Like Apache running as root.

    --------------------------------------------------------------------------------------

    The only way is vulnerabilities. Not vulnerabilities in the software you deploy, but vulnerabilities in higher services which do the work on your behalf internally and deploy your things.

    The symlinking you have mentioned is a vulnerability in some versions of PHP, not in websites (deployed software).
    Symlink bypass Vulnerability | Exploit-ID - Exploit Information Disclosure
    PHP 'symlink()' 'open_basedir' Restriction Bypass Vulnerability

    P.S. Good hosting companies patch this up, and you won't be able to use symlinking there.
    Last edited by abhaythehero; 01-31-2013 at 09:16 PM.
    In the world of 0s and 1s, are you a zero or The One !
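
    The two halves of the post above (a service should run as an unprivileged user so that compromising it yields only that user, and "Apache running as root" is the bad architecture to look for) as an added example; this is not code from the thread or from any project it mentions. The `ps` sample, the daemon list and the user names are constructed for the example; `drop_privileges()` uses the standard `os`, `pwd` and `grp` modules and only runs when started as root.

```python
"""Least privilege in practice (added example, not from the thread).

  1. root_only_daemons(): an audit over `ps` output that reports listed
     daemons with no process running as an unprivileged user, i.e. the
     "apache running as root" case from the post.
  2. drop_privileges(): the routine a service that must start as root
     (to bind port 80, say) uses so that a compromised worker only yields
     that unprivileged user, with a check that the drop is permanent.
The ps sample and daemon list below are constructed for this example.
"""
import grp
import os
import pwd

# Constructed sample of `ps -eo user,pid,comm --no-headers` output.
SAMPLE_PS = """\
root         1 systemd
root       842 sshd
root       901 apache2
www-data   903 apache2
www-data   904 apache2
postgres   950 postgres
root       980 ftpd
nobody    1020 dnsmasq
"""

# Daemons expected to serve network clients as an unprivileged user
# (constructed list; adjust to the host being audited).
NETWORK_DAEMONS = {"apache2", "httpd", "nginx", "ftpd", "dnsmasq", "postgres"}


def parse_ps(text):
    """Turn 'user pid comm' lines into (user, pid, comm) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        user, pid, comm = parts
        rows.append((user, int(pid), comm))
    return rows


def root_only_daemons(text, daemons=NETWORK_DAEMONS):
    """Return sorted (pid, comm) for daemons in `daemons` whose every process
    runs as root.  A root master with unprivileged workers (apache2 above) is
    the privilege-separated design the post describes and is not reported;
    a daemon with no unprivileged process is the finding, because exploiting
    it hands over root directly."""
    by_comm = {}
    for user, pid, comm in parse_ps(text):
        if comm in daemons:
            by_comm.setdefault(comm, []).append((user, pid))
    findings = []
    for comm, procs in by_comm.items():
        if all(user == "root" for user, _ in procs):
            findings.extend((pid, comm) for _, pid in procs)
    return sorted(findings)


def drop_privileges(username):
    """Permanently drop from root to `username` and return the (uid, gid)
    now in effect.  Order matters: supplementary groups and gid are set
    first, uid last, because after setuid() the process may no longer
    change its groups.  Must be called while still root."""
    if os.getuid() != 0:
        raise RuntimeError("must start as root to drop privileges")
    pw = pwd.getpwnam(username)
    supp = [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]
    os.setgroups(supp + [pw.pw_gid])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # The drop must be irreversible: regaining root has to fail.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop was not permanent")
    os.umask(0o077)
    return os.getuid(), os.getgid()


if __name__ == "__main__":
    for pid, comm in root_only_daemons(SAMPLE_PS):
        print(f"daemon {comm} (pid {pid}) has no unprivileged process")
```

    On the constructed sample the audit reports only `ftpd`: `apache2` has a root master with `www-data` workers, which is the intended design, while `ftpd` has nothing but a root process, so anyone who exploits it gets root. `drop_privileges()` is the service-side counterpart; calling `setuid()` before `setgroups()`/`setgid()` is the classic mistake that leaves root groups behind, and the `os.setuid(0)` probe catches a drop that only changed the effective uid.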

  2. #22 prince_indishell
    Thanks for the brief info about permissions. As I said, I'm not a professional, so I didn't know all these things...

    And as a conclusion, what I understood is that if we want a common remote/local root exploit for kernel versions, then we must find a vuln in the OS or in higher services like PHP or FTP or something.

    Right?
    Please correct me if I'm wrong.

  3. #23 abhaythehero
    Quote Originally Posted by prince_indishell:
    Thanks for the brief info about permissions. As I said, I'm not a professional, so I didn't know all these things...
    No one can know all the things. Keep learning.

    Quote Originally Posted by prince_indishell:
    And as a conclusion, what I understood is that if we want a common remote/local root exploit for kernel versions, then we must find a vuln in the OS or in higher services like PHP or FTP or something.

    Right?
    Please correct me if I'm wrong.
    Exactly!

  4. #24 prince_indishell
    Then how to fuzz OS components?

    Because I have some strings which crash Notepad. I have checked Notepad separately, and then it does not crash, so why did it crash? Maybe it's not Notepad which is crashing; maybe it's the component which calls the txt file which has those strings. But how to fuzz that, and more important, how to test that OS component?

  5. #25 41.w4r10r
    Quote Originally Posted by prince_indishell:
    Then how to fuzz OS components?

    Because I have some strings which crash Notepad. I have checked Notepad separately, and then it does not crash, so why did it crash? Maybe it's not Notepad which is crashing; maybe it's the component which calls the txt file which has those strings. But how to fuzz that, and more important, how to test that OS component?
    You can identify which component is crashing by attaching Notepad to some debugger and then loading the string which is causing this crash. Also, can you put it more clearly what you want to say when you write "I have checked Notepad separately, and then it does not crash"? I did not get this point. How did you check Notepad separately?

  6. #26 prince_indishell
    I did the same. I opened Notepad in OllyDbg and then opened that text file; then Notepad didn't crash. Then I again opened the txt file by double-clicking it, and Notepad crashed.

  7. #27 41.w4r10r
    Can you try to reproduce this crash on a fresh OS? Attach WinDbg to Notepad and open the txt file. Once it gets crashed, type the kb command in WinDbg; this will let you know which modules executed on your machine when you opened that file, so that you can investigate those executed modules and pinpoint the exact cause of the crash.

  8. #28 prince_indishell
    Thanks for the help, but I just installed Windows 8 and forgot to back up that text file. So now, no file to test. But thanks for giving a clue on how to test.
