7:09 a.m.
I used one of the dirtycow root exploits on Fedora24 configured
with 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
best way to trivially audit for a successful privilege escalation?
8:09 a.m.
On Oct 25, 2016 05:12, "teroz" <terence.namusonge(a)gmail.com> wrote:
I would imagine that if it's hijacking an already root or
setuid binary,
you won't see anything. As far as that record goes, I have no idea, I'll
let an auditing expert answer that question.
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
I used one of the dirtycow root exploits on Fedora24 configured
with
30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
best way to trivially audit for a successful privilege escalation?
8:42 a.m.
Hey William
exploit is run as a normal user and privilege escalates to a root shell
On Tue, 25 Oct 2016 at 15:09 William Roberts <bill.c.roberts(a)gmail.com>
wrote:
On Oct 25, 2016 05:12, "teroz"
<terence.namusonge(a)gmail.com> wrote:
>
> I used one of the dirtycow root exploits on Fedora24 configured
with 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
best way to trivially audit for a successful privilege escalation?
>
I would imagine that if it's hijacking an already root or setuid binary,
you won't see anything. As far as that record goes, I have no idea, I'll
let an auditing expert answer that question.
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
8:48 a.m.
On Oct 25, 2016 06:42, "teroz" <terence.namusonge(a)gmail.com> wrote:
Hey William
exploit is run as a normal user and privilege escalates to a root shell
Look under the covers. Dirty cow allows arbitrary file modification, so
somewhere it's likely executing some setuid root thing that it modifies.
Take a peak with strace.
https://www.google.com/amp/www.theregister.co.uk/AMP/2016/10/21/linux_pri...
On Tue, 25 Oct 2016 at 15:09 William Roberts
<bill.c.roberts(a)gmail.com>
wrote:
>
> On Oct 25, 2016 05:12, "teroz" <terence.namusonge(a)gmail.com> wrote:
> >
> > I used one of the dirtycow root exploits on Fedora24 configured
with
30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
best way to trivially audit for a successful privilege escalation?
> >
>
> I would imagine that if it's hijacking an already root or setuid binary,
you won't see anything. As far as that record goes, I have no idea, I'll
let an auditing expert answer that question.
> >
> >
> >
>
>
> >
> > --
> > Linux-audit mailing list
> > Linux-audit(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
8:59 a.m.
On Oct 25, 2016 06:48, "William Roberts" <bill.c.roberts(a)gmail.com>
wrote:
https://www.google.com/amp/www.theregister.co.uk/AMP/2016/10/21/linux_pri...
On Oct 25, 2016 06:42, "teroz" <terence.namusonge(a)gmail.com> wrote:
>
> Hey William
> exploit is run as a normal user and privilege escalates to a root shell
>
Look under the covers. Dirty cow allows arbitrary file modification, so
somewhere
it's likely executing some setuid root thing that it modifies.
Take a peak with strace.
Sorry too early in the morning for me, this doesn't require setuid
modification, just a file owned by root looking at the source:
https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c
> On Tue, 25 Oct 2016 at 15:09 William Roberts <bill.c.roberts(a)gmail.com>
wrote:
>>
>> On Oct 25, 2016 05:12, "teroz" <terence.namusonge(a)gmail.com>
wrote:
>> >
>> > I used one of the dirtycow root exploits on Fedora24 configured
with
30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
best way to trivially audit for a successful privilege escalation?
>> >
>>
>> I would imagine that if it's hijacking an already root or setuid
binary, you won't see anything. As far as that record goes, I have no idea,
I'll let an auditing expert answer that question.
>> >
>> >
>> >
>>
>>
>> >
>> > --
>> > Linux-audit mailing list
>> > Linux-audit(a)redhat.com
>> > https://www.redhat.com/mailman/listinfo/linux-audit
9:05 a.m.
On Oct 25, 2016 06:59, "William Roberts" <bill.c.roberts(a)gmail.com>
wrote:
On Oct 25, 2016 06:48, "William Roberts" <bill.c.roberts(a)gmail.com>
wrote:
>
> On Oct 25, 2016 06:42, "teroz" <terence.namusonge(a)gmail.com> wrote:
> >
> > Hey William
> > exploit is run as a normal user and privilege escalates to a root
shell
> >
>
> Look under the covers. Dirty cow allows arbitrary file modification, so
somewhere it's likely executing some setuid root thing that it modifies.
Take a peak with strace.
Sorry too early in the morning for me, this doesn't require setuid
modification, just a file owned by root looking at the source:
No, I was right before, the comments t in the header of that is just a
sample run showing write to something that's readonly. You would want to
write to a readonly setuid or something else on the system to get an actual
root UID code execution, like a library loaded into a root process.
I'll shut up now, and go get coffee to be productive.
>
>
https://www.google.com/amp/www.theregister.co.uk/AMP/2016/10/21/linux_pri...
>
> > On Tue, 25 Oct 2016 at 15:09 William Roberts <bill.c.roberts(a)gmail.com>
wrote:
> >>
> >> On Oct 25, 2016 05:12, "teroz"
<terence.namusonge(a)gmail.com> wrote:
> >> >
> >> > I used one of the dirtycow root exploits on Fedora24 configured
with 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
best way to trivially audit for a successful privilege escalation?
> >> >
> >>
> >> I would imagine that if it's hijacking an already root or setuid
binary, you won't see anything. As far as that record goes, I have no idea,
I'll let an auditing expert answer that question.
> >> >
> >> >
> >> >
> >>
> >>
> >> >
> >> > --
> >> > Linux-audit mailing list
> >> > Linux-audit(a)redhat.com
> >> > https://www.redhat.com/mailman/listinfo/linux-audit
2979
days inactive
2979
days old
linux-audit@lists.linux-audit.osci.io
5 comments
2 participants
participants (2)
-
teroz -
William Roberts