[kwlug-disc] Identify this exploit?
Mikalai Birukou
mb at 3nsoft.com
Sat Dec 28 15:11:27 EST 2019
> So it is a generic attack and not a particular CVE they are trying to
> exploit?
It seems to me that it is related to one of those OWASP commandments:
thou shalt sanitize inputs.
Machines follow rules good. Do machines write code?
> It is weird that they are choosing that particular number of
> traversals to get to /etc/passwd.
There are 12 of them. A typical hierarchy is /var/www/x/y/z/. So any number
over ten is good, and any /../.. equals / anyway. :)
> I agree with Mikalai that the Internet is terrifying.
Let's look at it from a different angle: if you have to handle chemicals, you'd
ask for protective clothing and gloves. In a similar fashion, we should be
open to a more generic approach to handling these situations.
> I am not LXCing
> all the things, but maybe that is the way to go.
Jailing things reduces possible cross routes in the system. First bug is
a scratch on the organism of your computer system. Do we allow spread of
infection from a scratch or not?
The terrifying part might not be the internet, but legislation, under
which we, admins, become more responsible to capture, contain, protect.
> I am still not
> certain how this protects me, though, since every LXC container is a
> nice Linux target that needs to be kept updated on its own.
Let's say I have a server with five LXC containers c1 and c2. I literally do
$ for c in c1 c2 ; do echo "--- $c ---"; sudo lxc exec $c -- apt update ; done
Then change to apt upgrade.
And I find that it is easier to manage jailed apps because they don't step
on each other.
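An added illustration of the two points made above (this is example code, not something from the thread): it shows why any number of ../ segments past the depth of the web root lands on /etc/passwd, and what the "sanitize inputs" check looks like when the request is confined to the document root. The web root /var/www/x/y/z and the request strings are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed example web root, matching the "typical hierarchy" in the thread.
WEB_ROOT = "/var/www/x/y/z"


def traversal_depth_needed(web_root):
    """Number of '../' segments needed to climb from web_root to '/'."""
    return len([p for p in posixpath.normpath(web_root).split("/") if p])


def naive_target(web_root, requested):
    """What a server that just concatenates root + request would open.

    posixpath.normpath collapses '..' segments, and '..' above '/' simply
    stays at '/', which is why 5, 12 or 50 traversals all reach the same file.
    """
    return posixpath.normpath(posixpath.join(web_root, unquote(requested)))


def resolve_request_path(web_root, requested):
    """Sanitize a client-supplied path and confine it to web_root.

    Returns the absolute filesystem path inside web_root, or None when the
    normalized request escapes the root (a directory traversal attempt).
    """
    # Decode percent-encoding first so '%2e%2e' is seen as '..' before
    # normalization; then treat the request as relative to the web root.
    rel = unquote(requested).lstrip("/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # Allowed only if the normalized path is the root itself or below it.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def is_traversal(web_root, requested):
    """True when the request should be rejected (and logged) as traversal."""
    return resolve_request_path(web_root, requested) is None


if __name__ == "__main__":
    attack = "../" * 12 + "etc/passwd"  # constructed request from the thread
    print(traversal_depth_needed(WEB_ROOT))  # 5: anything >= 5 reaches '/'
    print(naive_target(WEB_ROOT, attack))    # /etc/passwd
    print(resolve_request_path(WEB_ROOT, attack))  # None: rejected
    print(resolve_request_path(WEB_ROOT, "index.html"))
```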