[Repost] Fair warning: 0day Worm Storm Approaching?

Source: 邪恶八进制信息安全团队 (Evil Octal Information Security Team)

Exploits... 0days... local root... remote compromise... privilege escalation...

We all hear these terms, but what is the reality and impact of these words, and what can we predict for the near future? Possibilities are rearing their nasty little worm heads, ready to jump up and strike, attacking both the common [ Windows ] systems and not so common ones [ Linux ].

On the Linux side we see the recent PRCTL vulnerability and the race condition 0day kernel exploits. As I alluded to in a past article, when a local root exploit, considered a simple low impact vulnerability [ as classified by some vendors ], is combined with a web application vulnerability, it now becomes a remote root kernel compromise, a form of privilege escalation. If the thought of PHP, Perl and scripting based worms scares you [ remember SANTY.A ], think of it now as a super worm capable of breaking into whole hosting computers, hosting possibly 1000's of sites, instead of being confined to a single vhost on a server.

On the Microsoft side we see several of the newest vulnerabilities and related exploits [ including patched 0days ] that are ripe for becoming the next MsBlaster. While not currently [ to our knowledge ] being mass exploited, these recent vulnerabilities are [ in our opinion ] very much viable.

Although patches are available, the sheer volume of deployed Windows systems makes any recent vulnerability ripe for the picking, as many people do not patch, cannot patch, or wait to patch their systems. Exploits that leverage the Routing and Remote Access and DHCP Client Service vulnerabilities are choice candidates, as these services are enabled by default and provide SYSTEM level access [ like root on Linux ] to the system once exploited.

What can you do about it? You could patch your systems! But as we all know, not everyone does or can.

One channel of thought often raised is that of releasing self patching worms before the bad guys can strike. Yes folks, pre-emptive strikes. A worm whose sole purpose is to find unpatched boxes and automatically patch them! The problem with this approach is twofold, one of ethics and one of the law [ depending on where you live ]. By designing a "patch worm" you are in fact really writing a worm, really releasing a worm and really exploiting systems, which are all highly illegal in some countries. And while you might be doing a "good thing" you are really doing a "bad thing", and we can't have that now... can we?

Well, the bad guys have beaten you to the punch on this one. Two of the last big Windows worms [ bots actually ] used exploits for Plug-and-Play and Dameware and then utilized a patching component to ensure that the wormed box could not be taken over by another worm using the same exploit. It actually patched the system from being further exploited by the same hole. In this case there were worm / bot wars that targeted competing, previous infestations. Clever.

While not all vulnerabilities can be guarded against, you can make a difference for those that can and prepare yourself for the next big storm: patch your systems or fear the nasty little worms!
