Security Watch | Matt Hines » Owning computers via spelling mistakes

May 29, 2007 | Comments: (0)

Owning computers via spelling mistakes

TAGS: Security

Symantec researchers have detailed a painfully simple attack method that hackers may already be using to bypass security protections and break into UNIX and Linux-based computers.

In a blog authored by Symantec Security Response Researcher Ron Bowes on May 29, the expert highlighted a threat he characterized as "an artifact of the entire concept of user-separation" that may actually allow hackers to carry out their work on such machines.

The technique mirrors similar problems that Bowes recently highlighted in another posting that examined issues in the user account control (UAC) anti-user privilege escalation technology offered in Microsoft's Vista OS.

According to Bowes, using "sudo" (short for "super user do") -- a command used on Unix-based operating systems to allow a user to run programs with the highest possible privilege -- combined with misspelled variation on other commands, can allow attackers to execute their code more effectively.

Bowes proposes that:

"The main protection offered by sudo is the assurance that the current directory is the last place searched for commands. So if a malicious program named "mount" is placed in the user's home directory, the command "sudo mount" will still run the real mount command (/sbin/mount, likely).

The simplest way to get around sudo's protection is to take advantage of a common mistake: spelling errors. Even though "sudo mount" will never check the current directory, "sudo moutn" will.

A piece of malware can name itself "moutn" and hide in the user's home directory, hoping to take advantage of a spelling mistake before being discovered."

The researcher said that the number of possible names that could be exploited in such a manner is seemingly "endless," but he cited "ifcofnig," "tcpdmup," and, for Windows users, "ipconfig" or "tracert," as other common variations on the theme.

Bowes said:

"If a user runs a malicious program with a regular account, the program cannot install in a system-wide directory. On a typical UNIX-based operating system, user-level programs can write to the user's home folder, the temporary files directory, and a couple other safe places. A malicious program run this way cannot affect other users or the system as a whole.

However, if sudo is used to run this malicious program, the program can make system-wide changes because it has root access. If a user can be tricked into running a malicious program, the system can easily become fully compromised.

All that the malicious program has to do is copy itself to a directory so that when a user runs a system program, the malicious program runs instead. Although sudo takes steps to prevent this type of behavior, unfortunately, it's not enough, and can never be enough, because after a user runs a malicious program, anything they do is compromised, including attempts to switch users and enter passwords."

The researcher also highlighted another "fairly easy" method for circumventing sudo's protection -- by changing a user's path to include a directory.

"So the question becomes, will the makers of sudo fix this?" Bowes writes. "No. Why not? They can't, for the same reason that UAC won't be fixed: as soon as untrusted code is run on a user account, nothing on that user account can be trusted anymore, be it variables, files, or programs."

Sounds like it's time to start minding those Ps and Qs a bit more closely.

Posted by Matt Hines on May 29, 2007 01:46 PM

RATE THIS ARTICLE: