On Tue, Apr 29, 2014 at 11:09 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>
> On 29.04.2014 23:00, Chris Adams wrote:
>> Once upon a time, Reindl Harald <h.reindl@xxxxxxxxxxxxx> said:
>>> google as example for CVE-2014-0038 and as i already explained
>>> you: an attacker has no shell, you have two ways to force an existing
>>> local exploit by a web-application:
>>>
>>> A: try to get a complete script on the machine and execute it
>>> B: find a very likely present binary and bring it to do the
>>> rest of the attack for you with arbitrary input
>>
>> If I can run arbitrary code as your web user, I can do whatever
>> your web user can do
>
> limited (why limited goes way too off-topic)
>
>> If your kernel has a security hole, I can exploit that
>
> surely, the point is how easy i can do that, do the instructions
> somewhere how to do that work or not because they contain a
> command / binary not available on the target system
>
>> If I can run PHP code, there's a million things that I can do. If I can
>> run shell code, I can do just about as much. How does the existence of
>> a non-privileged systemd binary affect that?
>
> given index.php?dumb_param=exploit_code
>
> dumb_param gives exploit_code to shell_exec() or like function
> you can't do whatever you like here simply by escaping
>
> so you are very limited with your command

No, you are not "very limited" at all ... in case an attacker can inject code like this, he pretty much will be able to do whatever that user can do. Unless the script has less privileges than the user (like running in a confined SELinux domain).

Attackers generally (and traditionally) try to get a shell (in whatever form) up and running, hence why people call code that you inject using stack smashing, heap overflows etc. "shellcode" (it does not have to open a shell, but that's the most common case; the second one would be drive-by download).

In your case the attacker would try to get a reverse shell (which is easily doable by tons of ways, just google for it). So a statement like "you are very limited with your command" here is very naive.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
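The disagreement above is about whether handing a request parameter to `shell_exec()` leaves the attacker "very limited". The following is an added illustration, not code from the thread or from any project discussed in it: a Python stand-in for the `index.php?dumb_param=...` handler, written so it runs stand-alone. The parameter values, the `requested` command and the `INJECTED` marker are all constructed for the demo. It shows that once `/bin/sh` parses the parameter, a single metacharacter runs a second command of the requester's choosing, that escaping is not what removes that power (taking the shell out of the path is), and what the allowlist-plus-argv form of the same feature looks like.

```python
import re
import subprocess

# Constructed sample values for the dumb_param query parameter.
# "INJECTED" is only a marker printed by a second command that a
# request must never be able to cause to run.
BENIGN_PARAM = "report.txt"
HOSTILE_PARAM = "report.txt; echo INJECTED"

# Allowlist for the parameter: a plain file name, nothing a shell cares about.
SAFE_PARAM = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def vulnerable_handler(dumb_param: str) -> str:
    """Stand-in for shell_exec("echo requested " . $_GET['dumb_param']).

    The value is pasted into a command line and parsed by /bin/sh, so a
    shell metacharacter (;, |, &&, $(...), backticks) ends the intended
    command and starts one the requester chose. Whatever the web user is
    allowed to run, this request can run.
    """
    completed = subprocess.run(
        "echo requested " + dumb_param,
        shell=True,                     # the defect: a shell parses user input
        capture_output=True, text=True, check=False,
    )
    return completed.stdout


def no_shell_handler(dumb_param: str) -> str:
    """Same feature with the shell removed: the value travels as one argv
    element, so ';' is just a character in a file name. No validation yet."""
    completed = subprocess.run(
        ["echo", "requested", dumb_param],   # argv list; shell=False is the default
        capture_output=True, text=True, check=False,
    )
    return completed.stdout


def hardened_handler(dumb_param: str) -> str:
    """Both layers: reject anything outside the allowlist, and never let a
    shell parse the value. Rejection happens before any process starts."""
    if not SAFE_PARAM.match(dumb_param):
        raise ValueError("dumb_param rejected by allowlist: %r" % dumb_param)
    return no_shell_handler(dumb_param)


def was_injected(output: str) -> bool:
    """Demo check: did the marker command actually execute?"""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print(vulnerable_handler(BENIGN_PARAM), end="")
    out = vulnerable_handler(HOSTILE_PARAM)
    print(out, end="")
    print("vulnerable handler ran injected command:", was_injected(out))
    print(no_shell_handler(HOSTILE_PARAM), end="")   # ';' stays literal
    print(hardened_handler(BENIGN_PARAM), end="")
    try:
        hardened_handler(HOSTILE_PARAM)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Running it prints `requested report.txt` for the benign value in every handler; for the hostile value the shell-backed handler prints the marker on its own line, the argv-only handler prints the whole string literally, and the hardened handler refuses the request before spawning anything. That is the practical reading of the reply above: the limit on what an injected command can do is set by the web user's privileges and any confinement (SELinux, separate account), not by how awkward the quoting is.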