Uptime vs. Kernel updates (was Re: [TriLUG] Prosperous New Year)
Mike Johnson
mike at enoch.org
Wed Jan 4 12:31:46 EST 2006
Jon Carnes wrote:
> I don't like to apply kernel updates unless it's for a vulnerability
> that makes the machine accessible to an outsider. Over the past couple
> of years I haven't seen one that allows an outsider to hack into my box
> - though there have been a few that allow a local user to gain root.
> Fortunately, I'm the only user on my Linux servers - and I *already*
> have root access... so no biggie.
>
> It's not the greatest systems philosophy - and not one I would apply if
> I were working for someone besides myself. But it works for me. If I'm
> wrong, I'm sure my Trilug buds will give me the slap down that I
> deserve!

Well, I can't pass up that challenge, now can I? ;)

The majority of kernel vulnerabilities allow for user privilege
escalation. This means, as stated, one has to already be a user to be
able to exploit the vulnerability. However, this in turn could allow an
attacker to gain privileges that would have been otherwise limited. For
instance, exploiting a vulnerability in most network daemons (opensshd,
sendmail, postfix, apache, etc) would grant, at most, the rights of that
user. So, say there's an unpatched vulnerability in apache. Were an
attacker to exploit the vulnerability and gain the ability to execute
arbitrary code, they can only execute said code as the user of the
webserver (nobody, httpd, www-user, etc). Now, if that code were a
kernel exploit, they now have root privileges.

The steps would look like this:
1) Exploit vulnerability in apache
2) Exploit code downloads additional program and invokes it
3) New program exploits kernel vulnerability and is now running as root
4) New program binds a bash shell to port 22222
5) Attacker points netcat at port 22222 and is greeted with a # prompt

As an aside, if you don't reboot your system until you absolutely have
to, how do you know that when you -do- reboot it, there will be no
problems? Put another way, rebooting during a maintenance window
ensures that when you have an emergency reboot, the system will return
to a running state.
Mike
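
A defender's view of the chain described in the message above, as an added example that is not part of the original post: two checks over a process snapshot that catch its end state, a root process descended from the web server's unprivileged account and a shell holding a listening socket. The snapshot rows, uid 48 for the web server account, and the names `find_suspects` and `service_uids` are constructed for illustration.

```python
# Constructed snapshot: (pid, ppid, euid, comm, listening TCP ports).
# On a live host these fields would come from /proc or `ps` plus `ss -tlnp`.
SAMPLE = [
    (1, 0, 0, "init", []),
    (800, 1, 0, "sshd", [22]),
    (900, 1, 0, "httpd", [80]),         # master process, runs as root
    (901, 900, 48, "httpd", []),        # worker running as the service account
    (1500, 901, 48, "helper", []),      # program started by the worker (step 2)
    (1501, 1500, 0, "bash", [22222]),   # root shell with a listener (steps 3-4)
    (2000, 800, 1000, "bash", []),      # interactive login
    (2001, 2000, 0, "sudo", []),        # legitimate setuid use by a human user
]
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}


def find_suspects(snapshot, service_uids):
    """Return (pid, comm, reasons) for processes matching either check."""
    procs = {row[0]: row for row in snapshot}
    findings = []
    for pid, ppid, euid, comm, ports in snapshot:
        reasons = []
        # Check 1: a root process descended from a service-account process.
        # Assumption: service accounts never run setuid tools, so unlike the
        # sudo case above this lineage is treated as always anomalous.
        ancestor, seen = ppid, set()
        while euid == 0 and ancestor in procs and ancestor not in seen:
            seen.add(ancestor)
            _, next_ppid, a_euid, a_comm, _ = procs[ancestor]
            if a_euid in service_uids:
                reasons.append(f"root below uid {a_euid} ancestor {a_comm}[{ancestor}]")
                break
            ancestor = next_ppid
        # Check 2: a shell that owns a listening TCP socket.
        if comm in SHELLS and ports:
            reasons.append(f"shell listening on tcp {sorted(ports)}")
        if reasons:
            findings.append((pid, comm, reasons))
    return findings


if __name__ == "__main__":
    for pid, comm, reasons in find_suspects(SAMPLE, service_uids={48}):
        print(pid, comm, "; ".join(reasons))
```

Only pid 1501 is reported; the `sudo` process started from an interactive login is not, because its ancestors are not in `service_uids`.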