LinuxQuestions.org

Linux - Security: compromise linux system using non-root account? (http://www.linuxquestions.org/questions/linux-security-4/compromise-linux-system-using-non-root-account-437481/)

cynick 04-21-2006 12:32 PM

compromise linux system using non-root account?
 
What can happen to my linux box, if I, using my regular non-admin account, run some untrusted software?

The system is patched (per Suse 10 automatic suggestions); it is Suse 10 with KDE.

And, what is more important, how do I make sure it has not been compromised?
What if I continue to run the suspicious program (it's a Java (jar) application)?

I'm behind a router.

Thanks,
nick

burntfuse 04-21-2006 12:56 PM

I'm definitely not an expert on this, but I think there's not a whole lot malicious software can do from a non-root account (as long as the suid bit isn't set) except trash your home directory. Someone please correct me if I'm wrong, but I think it's even harder to make java do anything virus-like, so you shouldn't have much to worry about.

int0x80 04-21-2006 01:21 PM

If there is a specific application that you are unsure of, scan it with some sort of anti-virus application. Personally I use clamav:
Code:

clamscan --log=jarscan.log *jar

Krugger 04-21-2006 04:37 PM

It is quite hard to write a program that can compromise a computer that is kept up to date. Having said that, if that unsafe program provides a way for an actual user to get inside, for example by giving him a remote prompt, he could be on your machine and try to hack it with the privileges of your user. For example, put an alias for su that will log the password for him and then call the actual su so you don't notice. (Although that can also be done by a program.)

Java can be decompiled with JAD. :)
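A check for the startup-file trick Krugger describes, added here as an example and not code from any post in the thread. It scans a shell startup file for alias or function definitions that redefine su/sudo, for PATH assignments that put a user-writable directory in front of the system directories, and walks a PATH string for entries (empty, ".", relative, writable) that a program running under your account could use to plant a fake binary. The function names and the sample ~/.bashrc contents are constructed for the demo; run the same functions against your real ~/.bashrc, ~/.profile, ~/.bash_profile and the PATH of an interactive shell.

```shell
#!/bin/sh
# Added example for this thread (not from any poster). Detects shell
# startup-file backdoors of the "fake su" kind and PATH entries that allow
# a planted binary to shadow a system one. Names below are assumptions.

# Print (with line numbers) every line of FILE that redefines su or sudo as
# an alias or a shell function. Returns 0 if any was found, 1 otherwise.
find_su_shadows() {
    file=$1
    [ -r "$file" ] || return 1
    grep -nE '^[[:space:]]*(alias[[:space:]]+(su|sudo)=|function[[:space:]]+(su|sudo)([[:space:]]|\(|$)|(su|sudo)[[:space:]]*\(\))' "$file"
}

# Print every PATH assignment in FILE whose first element is ".", empty,
# relative, ~ or $HOME-based, or that appends "." / an empty element at the
# end: all of them search a directory you (and so the untrusted program)
# can write to, before or after /bin and /usr/bin.
find_path_prepends() {
    file=$1
    [ -r "$file" ] || return 1
    pat="^[[:space:]]*(export[[:space:]]+)?PATH=([\"']?(\\.|:|~|\\\$HOME|[^/\$\"'])|.*:\\.?(:|\$|[\"']))"
    grep -nE "$pat" "$file"
}

# Walk a PATH string (pass "$PATH") and report entries an attacker running
# as you could use: empty (= current directory), ".", relative, or an
# existing directory you can write to. Returns 0 if anything was reported.
audit_path_string() {
    rest=$1
    found=1
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more=0 ;;
        esac
        case $entry in
            "")  echo "empty entry: the current directory is searched"; found=0 ;;
            /*)  if [ -d "$entry" ] && [ -w "$entry" ]; then
                     echo "writable entry: $entry"; found=0
                 fi ;;
            *)   echo "relative entry: $entry"; found=0 ;;
        esac
        [ "$more" -eq 1 ] || break
    done
    return $found
}

# Constructed sample startup file for the demo (not a real capture). The
# last three lines are what a planted credential logger would look like.
write_sample_rc() {
    cat > "$1" <<'EOF'
# ~/.bashrc
export EDITOR=vim
alias ll='ls -l'
PATH=$HOME/bin:$PATH
alias su='$HOME/.cache/.s/su'
sudo() { /home/nick/.cache/.s/sudo "$@"; }
EOF
}

# Demo on a throw-away file, then on the running shell's PATH.
tmp=$(mktemp -d)
write_sample_rc "$tmp/bashrc"
echo "== su/sudo redefinitions in $tmp/bashrc"
find_su_shadows "$tmp/bashrc" || echo "(none)"
echo "== PATH changes that search a writable directory"
find_path_prepends "$tmp/bashrc" || echo "(none)"
echo "== risky entries in the current PATH"
audit_path_string "$PATH" || echo "(none)"
rm -rf "$tmp"
```

Both grep checks return 0 when they print something, so they drop straight into a cron job or a login hook that mails you on a hit; the PATH walker treats any directory you can write to as risky because a program running as you can write there too, which is the whole point of the thread.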

cynick 04-21-2006 05:10 PM

Well, since it is Java and it runs as an application, it can just as well execute arbitrary code (for example, create a shell script and put it in .bashrc or something) ---- the "su" alias is smart, I'll check for that.

Just to give you an idea: I've downloaded a crack for JBuilder 2006. Not that I really need more features than the free Foundation, but I wanted to try it out longer... guilty, I know.

jiml8 04-23-2006 11:12 AM

Quote:

What can happen to my linux box, if I, using my regular non-admin account, run some untrusted software?
If your system is properly configured, then malicious software can at worst wreck your home directory. Of course, first it has to trick you into running it.

unSpawn 04-24-2006 04:32 AM

What can happen to my linux box, if I, using my regular non-admin account, run some untrusted software? / the system is patched / I'm behind a router.
Next to the already mentioned munging of whatever is in your home directory there are a few things I can think of. Since you're behind a router I'll assert you know how to and do block initial inbound traffic from outside the private network (but how about egress filtering?), and since you patch everything to current the only things that can hit you on that front seem to be reconnaissance, misconfiguration and 0-day exploits. So let's focus on the fact that local (or private network) account users are most likely to be considered "trusted" by local applications or running services in the network. What can we do?:

- Information gathering
Maybe you've got another Firefox/KDE/whatever else 0-day you need to retrieve specific version info for? Look at dmesg?[0] See what processes are running or which user accounts were used on the box recently?[0] What's the last time root logged in?[0] Look on the private network for servers that are only protected by the router?[1] Or maybe just be interested in local logs, mail or docs for Social Engineering (or why not: extortion)?[2]

- Account bruteforcing
So you set up a drop-app for SSH. But what about local accounts?[3] What's the last time root checked it or got it reported automagically?[4] Are there any users or commands we can sudo to with NOPASSWD?[5]

- Downloading & executing something else
Skype executes traceroute on application start. Does that have any paths prepended or could we manage to execute a fake ./traceroute from the CWD?[6] Or maybe I'm allowed outbound access to open relays or be able to look for proxies on port TCP/80?[1] Or can I wget you Something Completely Different? (apart from Larches).[0], [1]

- Resource starvation
Maybe I'll just fill up your / or /var/log before attempting to do Something Completely Different.[7], [8]

* Some actions are no cause for alarm when reviewed alone but are only interesting when you piece the chain of events together. If any of you think the above is FUD or dismiss it as being hypothetical then you're not looking at what you should be looking at and that's any form of missing access restriction.

and what is more important, how do I make sure it has not been compromised?
Verify against the checksums provided with the package. If none are, bug the developers/maintainers to provide a GPG-signed package or at least MD5 and SHA1 sums. Run under Mandatory Access Controls (MAC)[8]. Run in a sandbox (like Qemu) under strace or something else that does monitor system calls. Use a file integrity checker to monitor changes.


What if I continue to run the suspicious program (it's java (jar) application)?
Since you classify it as "suspect" yourself, continuing to run it would not be advisable without looking for a qualitatively good replacement, or MAC and proper verification.


HTH

--
[0] GRSecurity.
[1] (N)IDS, Host firewall, DMZ.
[2] GPG, FUSE's EncFS, SELinux MAC/GRSecurity RBAC.
[3] PAM Tally.
[4] Logwatch, Swatch.
[5] Be creative?
[6] Tiger, strace.
[7] Monit, for instance.
[8] SELinux MAC/GRSecurity RBAC.
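The three checks unSpawn's post recommends, carried out as an added example that is not code from any post in the thread: reading a sudoers file for NOPASSWD rules ([5]), verifying a downloaded file against the SHA1 sum the maintainer published, and keeping a checksum manifest of a directory so that later changes to, or additions in, the tree stand out (a minimal stand-in for a file integrity checker; it does not replace AIDE/Tripwire-class tools, which also guard the baseline). The function names, the sample sudoers fragment and the sample "package" are constructed for the demo; the script assumes coreutils sha1sum, falling back to shasum where that is absent.

```shell
#!/bin/sh
# Added example for this thread (not from any poster). Names and sample
# inputs are assumptions made for the demo; assumes sha1sum or shasum.

# Print (with line numbers) every uncommented sudoers rule that contains
# NOPASSWD. Point it at /etc/sudoers as root; without root, "sudo -l"
# lists your own rules. Returns 0 if any rule was found, 1 otherwise.
audit_sudoers() {
    grep -nE '^[^#]*NOPASSWD' "$1"
}

# SHA1 hex digest of a file, via sha1sum or, where that is missing, shasum.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1"
    else
        shasum -a 1 "$1"
    fi | cut -d' ' -f1
}

# Compare a file with the digest published for it. Returns 0 on a match.
# (The same shape works for md5sum; a signed digest file is better still.)
verify_sha1() {
    actual=$(sha1_of "$1")
    [ "$actual" = "$2" ]
}

# Write "digest  ./path" for every regular file under DIR into OUT, sorted
# so that two manifests of the same tree compare line for line.
make_manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r p; do
        printf '%s  %s\n' "$(sha1_of "$p")" "$p"
    done) > "$2"
}

# Rebuild the manifest for DIR and diff it against BASELINE: a modified,
# added or removed file shows up as a diff line. Returns 0 if unchanged.
# Keep BASELINE somewhere the monitored account cannot write (e.g. a
# root-owned file or removable media), or the program can rewrite it too.
compare_manifest() {
    current=$(mktemp)
    make_manifest "$1" "$current"
    if diff "$2" "$current"; then rc=0; else rc=1; fi
    rm -f "$current"
    return $rc
}

# Constructed sample sudoers fragment (not from a real system). Only the
# uncommented NOPASSWD line should be reported.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
nick    ALL=(ALL) NOPASSWD: /usr/bin/traceroute
# backup ALL=(ALL) NOPASSWD: ALL
EOF
}

# Demo on a throw-away directory.
tmp=$(mktemp -d)
write_sample_sudoers "$tmp/sudoers"
echo "== NOPASSWD rules"
audit_sudoers "$tmp/sudoers" || echo "(none)"

mkdir "$tmp/app"
printf 'hello\n' > "$tmp/app/tool.jar"               # stands in for the download
published=f572d396fae9206628714fb2ce00f72e94f2258f    # sha1sum of "hello\n"
if verify_sha1 "$tmp/app/tool.jar" "$published"; then
    echo "== checksum matches the published SHA1"
else
    echo "== checksum MISMATCH: do not run it"
fi

make_manifest "$tmp/app" "$tmp/baseline"
echo '# planted' >> "$tmp/app/tool.jar"                # simulate a self-modifying program
compare_manifest "$tmp/app" "$tmp/baseline" || echo "== integrity check: tree changed since baseline"
rm -rf "$tmp"
```

Take the baseline right after you have verified the download and before the first run, then re-run compare_manifest after each session with the program; for the user account itself, the same manifest over $HOME (minus caches) catches the .bashrc and alias edits discussed earlier in the thread.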

