Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Apr 29, 2014 at 11:09 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>
> Am 29.04.2014 23:00, schrieb Chris Adams:
>> Once upon a time, Reindl Harald <h.reindl@xxxxxxxxxxxxx> said:
>>> google as example for CVE-2014-0038 and as i already explained
>>> you: a attacker has no shell, you have two ways to force a existing
>>> local exploit by a web-application:
>>>
>>> A: try to get a complete script on the machine and execute it
>>> B: find a very likely present binary and bring it to do the
>>>    rest of the attack for you with arbitary input
>>
>> If I can run arbitrary code as your web user, I can do whatever
>> your web user can do
>
> limited (why limited goes way too off-topic)
>
>> If your kernel has a security hole, I can exploit that
>
> surely, the point is how easy i can do that, do the instructions
> somewhere how to do that work or not because they contain a
> command / binary not available on the target system
>
>> If I can run PHP code, there's a million things that I can do.  If I can
>> run shell code, I can do just about as much.  How does the existence of
>> a non-privileged systemd binary affect that?
>
> given index.php?dumb_param=exploit_code
>
> dumb_param gives exploit_code to shell_exec() or like function
> you can't do whatever you like here simply be escaping
>
> so you are very limited with your command

No you are not "very limited" at all ... in case an attacker can
inject code like this
he pretty much will be able to do whatever that user can do. Unless
the script has less
privileges then the user (like running in a confined selinux domain).

Attackers generally (and traditionally) try to get a shell (in
whatever from) up and running hence why people
call code that you inject using stack smashing, heap overflows etc.
"shellcode" (it does not have to open a shell
but that's the most common case, the second one would be drive by download).

In your case the attacker would try to get a reverse shell (which is
easily doable by tons of ways just google for it).

So a statement like "you are very limited with your command" here is very naive.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux