[Mauiusers] Maui LD_PRELOAD attack

Miguel Ros miguel.ros at bsc.es
Fri Apr 11 06:35:56 MDT 2008


Hi Paul,

> Miguel, I've not studied your patch in detail, but if I understand the basic 
> idea, your patch fixes this by protecting the shared secret with the system's 
> file permissions: the secret then exists as a file rather than being embedded 
> within the executables.  This, in effect, allows the sysadmin to vet code by 
> switching on the suid bit: code that doesn't obtain the needed escalated 
> privileges simply cannot read the shared secret.
>
> If I may make a friendly amendment: you should make the binary sgid rather 
> than suid, specify a group (mauiclients) and have the shared secret read-only 
> (chmod 2440) and owned by (for example) root:mauiclients.  This would prevent 
> a privilege escalation exploit for mauth from allowing someone to alter or 
> delete the shared secret.
>   
Thank you for your suggestions; I will study them :)
> I'm not sure what mcsaDES does (DES-based hashing algorithm?), but (afaik) DES 
> isn't considered secure anymore.  I'm guessing this could lead to known 
> plain-text attacks.
>   
Yes, it is DES-based, but I think that can be changed easily.

Regards,
Miguel
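As an added example (not part of this thread or of Maui's own code), the permission model in Paul's amendment expressed as an audit check: the shared secret must be readable only by its owner and the mauiclients group, and the client binary must be setgid to that group rather than setuid, so that a compromised client can at most read the secret but never alter or delete it. The file paths, the root (uid 0) owner and the function names are assumptions.

```python
import os
import stat
import tempfile


def audit_secret_mode(mode):
    """Problems with the shared-secret file's permission bits (empty list = OK)."""
    bits = stat.S_IMODE(mode)
    problems = []
    if bits & stat.S_IRWXO:
        problems.append("secret is accessible to 'other'")
    if bits & stat.S_IWGRP:
        problems.append("secret is group-writable: a compromised sgid client could alter or delete it")
    if bits & (stat.S_IXUSR | stat.S_IXGRP):
        problems.append("secret is executable")
    if not bits & stat.S_IRGRP:
        problems.append("secret is not group-readable: the sgid client cannot read it")
    return problems


def audit_client_mode(mode):
    """Problems with the client binary's permission bits (empty list = OK)."""
    bits = stat.S_IMODE(mode)
    problems = []
    if bits & stat.S_ISUID:
        problems.append("client is setuid: a flaw in it yields the owner's full privileges")
    if not bits & stat.S_ISGID:
        problems.append("client is not setgid: it cannot read the group-only secret")
    if bits & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("client binary is writable by group or other")
    return problems


def audit_paths(secret_path, client_path, secret_owner_uid=0):
    """Stat both files; combine the bit checks with ownership and group checks."""
    s, c = os.stat(secret_path), os.stat(client_path)
    problems = audit_secret_mode(s.st_mode) + audit_client_mode(c.st_mode)
    if s.st_uid != secret_owner_uid:
        problems.append("secret is not owned by the expected uid (assumed root)")
    if s.st_gid != c.st_gid:
        problems.append("secret's group differs from the client's sgid group")
    return problems


if __name__ == "__main__":
    # Constructed stand-in files (not a real Maui install) to show the report format.
    with tempfile.TemporaryDirectory() as d:
        secret, client = os.path.join(d, "maui.key"), os.path.join(d, "mauth")
        open(secret, "w").write("constructed-secret\n")
        open(client, "w").write("#!/bin/sh\n")
        os.chmod(secret, 0o440)
        os.chmod(client, 0o755)  # deliberately left plain: audit should flag it
        for p in audit_paths(secret, client, secret_owner_uid=os.getuid()):
            print("PROBLEM:", p)
```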

