Stebalien

Everything posted by Stebalien

  1. As a side note, a similar attack can be done with gksu/gksudo. It would be trivial to write a program that waits for gksudo to be run and then closed, and then runs `gksudo -p -m "Sorry, incorrect password. Please try again:" > /tmp/func.txt`. The user would then enter his or her password again and the attacker would now have the administrative password. Several steps could be taken to prevent such an attack: 1) Gksudo should ONLY be used for system passwords. There should be no '-p' option. 2) Gksudo should ALWAYS include the command being executed in the password dialog (even if in a small font). 3) X should have some countermeasure against spoofed authentication windows.
  2. This attack could also be performed by exporting a malicious path. Bash currently only supports a user environment (i.e. env/export). To prevent attacks such as this, bash should have a system environment. Only root, a user running sudo, or a file writable by root alone would be able to export variables to this environment. /etc/profile would export a sPATH (secure path) variable to the system environment with paths to folders and executables that would trump all others. This would both prevent your function-based attack and a PATH-based attack.
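
The function-based and PATH-based shadowing discussed in the second post can be checked for from the defender's side. The script below is an added example, not part of the original posts: it reports whether a command name resolves to a shell function or alias, or is reachable through a PATH entry that someone other than a trusted owner can write to. The names `audit_cmd`, `dir_is_safe` and `TRUSTED_UID` are hypothetical, and a root-owned system directory layout is assumed.

```shell
# Added example; audit_cmd, dir_is_safe and TRUSTED_UID are hypothetical names.
TRUSTED_UID=${TRUSTED_UID:-0}   # owner uid allowed to control a PATH directory

# dir_is_safe DIR: true if DIR is absolute, owned by TRUSTED_UID and not
# writable by group or others. Empty or relative entries follow the cwd.
dir_is_safe() {
    case $1 in /*) ;; *) return 1 ;; esac
    [ -d "$1" ] || return 0            # a missing directory supplies no file
    meta=$(ls -ldn "$1/.") || return 1 # "/." follows a symlinked directory
    mode=${meta%% *}
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    # Character 6 of the mode string is group-write, character 9 is other-write.
    case $mode in ?????w*|????????w*) return 1 ;; esac
    [ "$owner" = "$TRUSTED_UID" ]
}

# audit_cmd NAME [PATH_STRING]: print findings; return 1 if NAME can be shadowed.
audit_cmd() {
    name=$1; rest=${2-$PATH}:; bad=0
    # A shell function or alias takes precedence over every file on PATH.
    case $(command -v "$name" 2>/dev/null) in
        /*|'') ;;
        *) echo "$name: shadowed by a shell function, alias or builtin"; bad=1 ;;
    esac
    # Walk PATH in lookup order; stop at the first trusted directory that
    # holds NAME, because later entries are never consulted.
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        if ! dir_is_safe "$dir"; then
            echo "$name: untrusted PATH entry '${dir:-<empty>}' precedes a trusted copy"
            bad=1
        elif [ -x "$dir/$name" ]; then
            break
        fi
    done
    return $bad
}
```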