[clue-admin] Please review Member Accounts Plan on the wiki

Ronald Kuetemeier ronald at kuetemeier.com
Thu Jan 6 09:17:30 MST 2005


On Wed, 2005-01-05 at 22:50 -0700, Collins Richey wrote:

> But, after reading about the authorized_keys file, it would seem that
> users with write access to this file could insert keys with almost any
> command and thus subvert the security setup? Would you comment on
> this, please. Could this be used to get a "real" shell on the account?
> 
> Thanks for the comments.

Let me chime in here. This is how I would attempt it; I've never tried it,
it might work or not.
First, if you just start bash, I guess that wouldn't work, since there is
no direct way to talk to bash. But you can run any command you're allowed
to run on the system according to the permissions, or SELinux or kernel
security module or chroot or whatever "evil" admin you throw in my
way.
Now let's take a look at how we could do it.
First we write a little program which installs a rootkit after it's
executed; now we load this program up to your server. It won't run
since the permissions will not allow it to run. So we need to change the
permissions and then run it. Therefore our ssh authorized_keys command
must first run chmod and then run our little evil program, something like
(chmod u+x /home/badperson/evil && /home/badperson/evil). Voila, that
should do.

This scheme will not work with a chroot sshd, since there will be no
chmod or anything to make it work. I guess I could also write a security
module or set up SELinux to prevent that from happening. But chroot works
and I'm lazy.

Now let's take a look at how you get the key in the first place. You send
an email and expect a reply with the key in it. Now I'm a system admin at
the evil empire, I don't make this up. My 4 year old son has an
imaginary brother called Darth Vader. Anyhow, I read poor user X's mail.
I see the mail in its queue and notice he hasn't read it. So I send you
my key in his name and take over your server while user X waits for
your mail.
Or if you copy the keys for the user as maintenance. I will mount an
attack on your system, not to break in but to create stress. Now, when I
expect you to really struggle and be under stress to figure out what's
going on, I send you a forged email with another key and ask you to copy
it in. All the while keeping and intensifying the attack, and another
reminder about the key change ... Sooner or later you will copy the key
to get me off your back, so you can concentrate on the attack. And
bingo, you just let me in through the front door; why break in when you
can "ask" the sys admin to let you in?
In other words your sys admin procedures have to be stress safe, hope
you have thought about that.
Just some ideas while working on my coffee, in other words I might talk
in my sleep and this all can't be done.

Good morning from Evergreen,
Ronald
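The forced-command weakness Ronald describes, as an added defensive check that is not part of the original thread: a small audit of an authorized_keys file that flags keys with no command= at all, forced commands that chain a second command with shell operators (the chmod && evil pattern), forced commands without restrict or no-pty, and, the root cause, a file the restricted account can edit itself. The file's owner uid, mode and the account uid are passed in by the caller; the sample file and its key blobs are constructed placeholders.

```python
import re
import stat

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
SHELL_META = re.compile(r"[;&|`$<>]")            # operators that chain or redirect
SAFE_OPTS = re.compile(r"(^|,)(restrict|no-pty)(,|$)")

def split_options(line):  # options field before the key type, or '' if none
    if line.startswith(KEY_TYPES):
        return ""
    in_quote, i = False, 0
    while i < len(line) and not (line[i].isspace() and not in_quote):
        if line[i] == "\\" and in_quote:         # skip an escaped character
            i += 1
        elif line[i] == '"':
            in_quote = not in_quote
        i += 1
    return line[:i]

def forced_command(options):  # value of command="..." or None if absent
    m = re.search(r'command="((?:[^"\\]|\\.)*)"', options)
    return m.group(1).replace('\\"', '"') if m else None

def audit_authorized_keys(text, file_uid, mode, account_uid):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    # Root cause in the thread: if the account can write the file, command= is advisory.
    if file_uid == account_uid or mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by the account it restricts")
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd = forced_command(opts := split_options(line))
        if cmd is None:
            findings.append(f"line {n}: no command= restriction")
        elif SHELL_META.search(cmd):             # e.g. "chmod u+x evil && evil"
            findings.append(f"line {n}: forced command chains commands: {cmd}")
        if cmd is not None and not SAFE_OPTS.search(opts):
            findings.append(f"line {n}: neither restrict nor no-pty set")
    return findings

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = """\
command="/usr/local/bin/backup",no-pty ssh-ed25519 AAAAC3PLACEHOLDER backup
command="chmod u+x /home/badperson/evil && /home/badperson/evil" ssh-rsa AAAAB3PLACEHOLDER bad
ssh-rsa AAAAB3PLACEHOLDER plain
"""
def demo():  # audit SAMPLE as a file that uid 1000 both owns and is restricted by
    return audit_authorized_keys(SAMPLE, 1000, 0o600, 1000)
```

The fix for the first finding is to keep the file root-owned at a location the user cannot write (sshd's AuthorizedKeysFile can point outside the home directory); the restrict option only exists in OpenSSH 7.2 and later, so older servers need no-pty and the individual no-*-forwarding options instead.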
