Rich Freeman on 9 Dec 2014 17:40:18 -0800
Re: [PLUG] The 'Penquin' Turla
On Tue, Dec 9, 2014 at 12:40 PM, Keith C. Perry <kperry@daotechnologies.com> wrote:
> I find it hard to believe that perl or any other available "magic" gets
> around a properly configured system that uses Linux capabilities with nosuid
> mounted filesystems. That would break selinux enhancements, cpusets and
> generally the concept of Linux containers from the security point of view.
> If you have a link to some perl scripts that do this, I'd like to test this
> in my lab to confirm for myself. You never know but I don't see a practical
> attack vector for this on modern Linux box either.

Without a zeroday you don't need nosuid/selinux/etc to block this. Just regular kernel security will block non-privileged processes from listening on low ports, sniffing traffic, and so on.

Now, you can listen and run arbitrary commands as a non-privileged user all you want to.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
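Added example, not part of the original message or of any code posted to the list: the kernel checks mentioned in the reply correspond to CAP_NET_BIND_SERVICE (binding low ports) and CAP_NET_RAW (raw and packet sockets, i.e. sniffing). The sketch decodes the CapEff mask from `/proc/<pid>/status` to report which of the two a process holds; the sample status texts are constructed, and the 1024 port threshold is the kernel default, assumed here.

```python
"""Audit whether a process may bind low ports or open sniffing sockets."""

# Capability bit numbers from <linux/capability.h>
CAP_NET_BIND_SERVICE = 10   # bind below the unprivileged port start
CAP_NET_RAW = 13            # open raw / packet sockets
NAMES = {CAP_NET_BIND_SERVICE: "CAP_NET_BIND_SERVICE", CAP_NET_RAW: "CAP_NET_RAW"}

# Constructed samples in the format of /proc/<pid>/status
UNPRIV = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
WEB = "Name:\thttpd\nUid:\t48\t48\t48\t48\nCapEff:\t0000000000000400\n"
SNIFFER = "Name:\tcapture\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000002000\n"
ROOT = "Name:\tinit\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"


def effective_caps(status_text):
    """Return the set of capability bit numbers set in the CapEff line."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return {bit for bit in range(64) if (mask >> bit) & 1}
    raise ValueError("no CapEff line in status text")


def can_bind(port, caps, unpriv_start=1024):
    """Ports at or above unpriv_start need no capability (assumed default 1024)."""
    return port >= unpriv_start or CAP_NET_BIND_SERVICE in caps


def audit(status_text, port=80, unpriv_start=1024):
    """Summarise what the process could do on the network."""
    caps = effective_caps(status_text)
    return {
        "bind_port": can_bind(port, caps, unpriv_start),
        "sniff": CAP_NET_RAW in caps,
        "net_caps": [NAMES[b] for b in sorted(caps) if b in NAMES],
    }


if __name__ == "__main__":
    # Live check of the current process on a Linux host
    with open("/proc/self/status") as fh:
        print(audit(fh.read()))
```

The constructed `UNPRIV` sample can still bind port 8080, which matches the last sentence of the reply: an unprivileged process is only kept off low ports and raw sockets.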