[kwlug-disc] Identify this exploit?

Mikalai Birukou mb at 3nsoft.com
Sat Dec 28 15:11:27 EST 2019


> So it is a generic attack and not a particular CVE they are trying to
> exploit?

It seems to me that it is related to one of those OWASP commandments: 
thou shalt sanitize inputs.

Machines follow rules well. Do machines write code?

>   It is weird that they are choosing that particular number of
> traversals to get to /etc/passwd.

There are 12 of them. Typical hierarchy is /var/www/x/y/z/ . So, any number 
over ten is good, and any /../.. equals / anyway. :)

> I agree with Mikalai that the Internet is terrifying.

Let's look at it more from this point: if you have to handle chemicals, you'd 
ask for protective clothes, gloves. In a similar fashion, we should be 
open to a more generic approach in handling these situations.

> I am not LXCing
> all the things, but maybe that is the way to go.

Jailing things reduces possible cross routes in the system. The first bug is 
a scratch on the organism of your computer system. Do we allow the spread of 
infection from a scratch or not?

The terrifying part might be not in the internet, but in legislation, under 
which we, admins, become more responsible to capture, contain, protect.

>   I am still not
> certain how this protects me, though, since every LXC container is a
> nice Linux target that needs to be kept updated on its own.

Let's say I have a server with five LXC containers c1 and c2. I literally do

...$ for c in c1 c2 ; do echo "--- $c ---"; sudo lxc exec "$c" -- apt update ; done

Then change to apt upgrade.

And I find that it is easier to manage jailed apps because they don't step 
on each other.
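A worked illustration of the traversal arithmetic discussed above. This is an added example, not code from the original post or thread: the docroot /var/www/x/y/z is taken from the "typical hierarchy" mentioned, the request strings are constructed, and the helper names (depth, naive_resolve, landing_points, safe_resolve) are mine. It shows why any count of ../ at or above the docroot depth lands in the same place, and what the containment check that stops it looks like.

```python
"""Path-traversal arithmetic and a containment check (added example).

Assumptions (not from the thread): the constructed docroot /var/www/x/y/z,
the constructed request strings, and the helper names below.
"""
import posixpath

DOCROOT = "/var/www/x/y/z"           # constructed docroot, five directories deep
ATTACK = "../" * 12 + "etc/passwd"   # constructed probe with 12 traversals


def depth(docroot: str) -> int:
    """How many '..' segments are needed to climb from docroot to '/'."""
    return len([seg for seg in posixpath.normpath(docroot).split("/") if seg])


def naive_resolve(docroot: str, requested: str) -> str:
    """A careless handler: join and normalise, never check where it landed.

    posixpath.normpath() clamps '..' at '/', so once the traversal count
    reaches depth(docroot), 5, 12 or 100 of them all resolve to the same file.
    """
    return posixpath.normpath(posixpath.join(docroot, requested))


def landing_points(docroot: str, max_traversals: int) -> dict:
    """Map traversal count n -> where '../'*n + 'etc/passwd' resolves naively."""
    return {
        n: naive_resolve(docroot, "../" * n + "etc/passwd")
        for n in range(max_traversals + 1)
    }


def safe_resolve(docroot: str, requested: str):
    """Hardened version: normalise first, then require containment.

    Returns the resolved path, or None when the request escapes docroot.
    This check is purely lexical: on a real filesystem also resolve symlinks
    (os.path.realpath) before comparing, and decode URL escapes before calling
    this so that '%2e%2e' cannot slip past the '..' handling.
    """
    root = posixpath.normpath(docroot)
    # An absolute request would make join() discard the root entirely, so
    # strip leading slashes and treat everything as relative to docroot.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    prefix = root.rstrip("/") + "/"   # works even when docroot is '/'
    if candidate == root or candidate.startswith(prefix):
        return candidate
    return None


if __name__ == "__main__":
    for n, where in landing_points(DOCROOT, 12).items():
        print(f"{n:2d} traversals -> {where}")
    print("naive :", naive_resolve(DOCROOT, ATTACK))
    print("safe  :", safe_resolve(DOCROOT, ATTACK))
```

Running it shows four traversals land in /var/etc/passwd, five reach /etc/passwd, and every count from five to twelve resolves identically, which is why the exact number in a probe carries no information. The hardened resolver rejects the probe outright while still accepting ordinary relative requests such as css/../index.html.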
