[Mauiusers] Maui LD_PRELOAD attack
Miguel Ros
miguel.ros at bsc.es
Fri Apr 11 06:35:56 MDT 2008
Hi Paul,
> Miguel, I've not studied your patch in detail, but if I understand the basic
> idea, your patch fixes this by protecting the shared secret with the system's
> file permissions: the secret then exists as a file rather than being embedded
> within the executables. This, in effect, allows the sysadmin to vet code by
> switching on the suid bit: code that doesn't obtain the needed escalated
> privileges simply cannot read the shared secret.
>
> If I may make a friendly amendment: you should make the binary sgid rather
> than suid, specify a group (mauiclients) and have the shared secret read-only
> (chmod 2440) and owned by (for example) root:mauiclients. This would prevent
> a privilege escalation exploit for mauth from allowing someone to alter or
> delete the shared secret.
>
Thank you for your suggestions, I will study them :)
> I'm not sure what mcsaDES does (DES-based hashing algorithm?), but (afaik) DES
> isn't considered secure anymore. I'm guessing this could lead to known
> plain-text attacks.
>
Yes it is DES-based, but I think that can be changed easily.
Regards,
Miguel