T 5.20 Misuse of administrator rights 

An abuse of administrator rights occurs when superuser (root) privileges obtained with or without authorisation are deliberately used to harm the system or its users.

Examples:

 

•Since the root user on a Unix system is not subject to any restrictions, an administrator is able to read, change, or delete any file regardless of its access rights. Furthermore, he can assume the identity of any user on his system without being detected by another user, which means it is possible for him to send emails under a different name or to read and/or delete other users' emails.

 

•There are a number of ways in which superuser privileges can be abused. These include misuse of the su command and of incorrectly administered superuser files (files with root as the owner and with the s-bit set).

 

•A threat is also posed by the automatic mounting of exchangeable (removable) data media: such media are mounted as soon as they are placed in the drive, and everyone then has access to the files stored on them. Any user can then obtain superuser rights using s-bit programs stored on the mounted medium.

 

•Depending on the Unix variant and the base hardware used, it may be possible to activate the monitor mode or to boot in single-user mode if there is access to the console. This allows the configuration to be manipulated.

 

•Due to software errors, an application may only be able to process a limited amount of data. If too much data or too many parameters are passed to this application, areas of main memory could be overwritten with foreign code. This means commands could be executed with the same rights as the application. This was possible, for example, under SunOS 5.5 with the eject command, which possessed SetUID rights, meaning it possessed superuser rights when executed.
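Two of the examples above (incorrectly administered s-bit files and automatically mounted media on which s-bit programs run) can be checked from the defender's side with plain shell tools. The following script is an added example and is not part of the IT-Grundschutz catalogue; its function names, the constructed mount table and the `/media` prefix are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the IT-Grundschutz catalogue text: two
# defender-side checks for the T 5.20 examples above. The first inventories
# s-bit (setuid/setgid) files so that incorrectly administered ones can be
# spotted; the second reports mounted media whose mount options lack "nosuid",
# i.e. media on which s-bit programs would run with the file owner's rights.
# Function and variable names are this example's own choices.

# Print every regular file under DIR with the setuid or setgid bit set, one
# path per line. -xdev keeps the walk on one filesystem so that mounted media
# can be inventoried separately.
find_sbit_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Read a mount table in /proc/mounts format ("device mountpoint fstype options
# ...") from stdin and print each entry below MEDIA_PREFIX (default /media)
# whose options do not contain "nosuid".
report_suid_capable_media() {
    media_prefix=${1:-/media}
    while read -r dev mnt fstype opts rest; do
        case $mnt in
            "$media_prefix"/*)
                case ",$opts," in
                    *,nosuid,*) ;;   # s-bit is ignored on this mount: fine
                    *) printf '%s on %s (%s) honours the s-bit: options=%s\n' \
                           "$dev" "$mnt" "$fstype" "$opts" ;;
                esac ;;
        esac
    done
}

# Constructed mount table for offline demonstration: the second line is a USB
# stick mounted without nosuid, the third line is the corrected form.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb0 vfat rw,nodev,relatime 0 0
/dev/sdc1 /media/usb1 vfat rw,nosuid,nodev,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | report_suid_capable_media /media

# With "--live" the same checks run against the real system (root is needed
# to see every directory).
if [ "${1:-}" = "--live" ]; then
    find_sbit_files /
    report_suid_capable_media /media < /proc/mounts
fi
```

Run without arguments to see the check on the constructed table (only `/media/usb0` is reported); run with `--live` to inventory the real root filesystem and the live mount table. The output of `find_sbit_files` is the list an administrator should compare against the packages that legitimately install s-bit programs; anything else deserves an explanation.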

 

13th version 2013 - 968 - Federal Office for Information Security, IT-Grundschutz-Catalogues, T 5 Threat catalogue: Deliberate Acts

T 5.21 Trojan horses

A Trojan horse, often also referred to simply as a Trojan, is a program containing a hidden, undocumented function or effect. The user cannot influence the execution of this function, and in this respect Trojan horses are related to computer viruses to a certain extent. Unlike viruses, however, Trojan horses do not have the ability to reproduce themselves. All types of application programs can be used as carriers for Trojan horses. Script languages such as batch files, ANSI control sequences, REXX Execs and ISPF Command Tables in the z/OS operating system, and PostScript and similar script languages that are interpreted by the corresponding operating system or application program can also be misused for Trojan horses.

The more rights the carrier program of a Trojan horse possesses, the more serious the potential damage that can be caused by the Trojan horse.

Examples:

 

•A modified login program can contain a Trojan horse that transmits the name and password of the user over the network to the attacker, who then passes it on to the actual login program. Such Trojan horses are encountered on online services such as AOL or T-Online, for example.

 

•Screen savers, especially those downloaded from the Internet, can contain a hidden function that records the passwords entered by the users when they log in and then transmits the corresponding data back to the attacker.

 

•The Back Orifice program is a client/server application that allows a client to maintain a Windows PC remotely over the network. In particular, it is possible with this program to read and write data as well as to run programs. There is a risk that this program could be integrated into another application program and therefore be used as a Trojan horse. If the Trojan horse is started and a network connection is available, then an attacker could use the remote maintenance function of Back Orifice to gain access without the user noticing. The NetBUS program, which offers similar functionality, should also be mentioned in this regard.

 

•With the help of root kits, which are available for various Unix variants and which contain manipulated versions of system programs such as ps, who, netstat, etc., it is possible to keep back doors open for a long time without being detected. The back doors allow an attacker to break into the system and cover up all traces of the attack. In many cases the files /sbin/in.telnetd, /bin/login, /bin/ps, /bin/who, /bin/netstat and the C libraries, among others, are replaced with back-doored versions.

 

•Another source of risk on Unix systems is the use of "." in the $PATH environment variable. If the PATH variable contains the current working directory (.) as a path, then programs located in the current working directory are executed first. In this manner, the superuser could unintentionally run a modified "ls" program with root rights that has been stored in the current working directory when listing the contents of that directory.

 

•One method of obtaining higher-level rights in the z/OS operating system can be exploited by an attacker when the attacker has Update access to the files used during the login procedure (e.g. REXX EXEC) or that are commonly used during processing (e.g. ISPF Command Tables). The attacker can then replace the existing code with code he has programmed himself.
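The two Unix examples above (the "." entry in $PATH and system programs replaced by a root kit) both lend themselves to routine checks. The following script is an added example and is not part of the IT-Grundschutz catalogue; its function names and the constructed PATH values are this example's own choices, and it assumes the GNU coreutils `sha256sum` with its `-c --quiet` options.

```shell
#!/bin/sh
# Added example, not part of the IT-Grundschutz catalogue text: defender-side
# checks for two of the Unix examples above, the "." entry in PATH and system
# programs replaced by a root kit. Function names are this example's own
# choices; sha256sum is assumed to be the GNU coreutils tool.

# Return 0 if PATH_VALUE contains only absolute entries, 1 if it contains ".",
# an empty field ("/bin::/usr/bin", a leading or trailing ":") or any other
# relative entry, all of which make the shell search the current working
# directory. The value is passed as an argument so that any user's PATH or a
# value taken from a login script can be checked, not only the caller's own.
path_is_safe() {
    case ":$1:" in
        *:.:*|*::*|*:[!/:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write a SHA-256 baseline for the programs listed one per line in LISTFILE
# (missing files are skipped) to BASELINE.
make_baseline() {
    while read -r f; do
        if [ -f "$f" ]; then sha256sum "$f"; fi
    done < "$1" > "$2"
}

# Compare the live files against BASELINE. Exit status 0 if every file still
# matches; otherwise the changed files are printed and the status is non-zero.
# A mismatch is either a legitimate update or a replaced program and must be
# explained either way. Keep the baseline offline: a root kit that owns the
# machine can rewrite a baseline stored on it just as easily as /bin/ps.
check_baseline() {
    sha256sum --quiet -c "$1"
}

# The programs the text names as commonly replaced; a real deployment would
# extend this list from the package manager's file list.
ROOTKIT_TARGETS='/sbin/in.telnetd
/bin/login
/bin/ps
/bin/who
/bin/netstat'

# Demonstration on constructed PATH values.
for p in '/usr/local/bin:/usr/bin:/bin' '.:/usr/bin' '/usr/bin::/bin'; do
    if path_is_safe "$p"; then echo "ok:    $p"; else echo "RISKY: $p"; fi
done

# With "--live" the caller's own PATH is checked and a baseline of the listed
# programs is written to baseline.sha256 in the current directory.
if [ "${1:-}" = "--live" ]; then
    path_is_safe "$PATH" || echo "RISKY: live PATH is $PATH"
    list=$(mktemp) && printf '%s\n' "$ROOTKIT_TARGETS" > "$list"
    make_baseline "$list" baseline.sha256 && echo "baseline written to baseline.sha256"
    rm -f "$list"
fi
```

`check_baseline baseline.sha256` is then run from a trusted copy of the baseline (and ideally of `sha256sum` itself, since the C libraries and system tools are among the files a root kit replaces). The PATH check deliberately treats empty fields and relative entries the same as ".", because the shell resolves all of them against the current working directory.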

 


T 5.23 Malicious software

Malicious software is software designed specifically with the goal of executing unwanted and usually damaging functions. Common types of malicious software include, among others, viruses, worms, and Trojan horses. Malicious software is usually activated secretly without the knowledge and permission of the user.

Malicious software nowadays provides an attacker with extensive communication and control capabilities as well as a number of functions. Specifically, malicious software can be used to obtain passwords, remotely control systems, disable protective software, and spy on data, among other things.

The most serious damage that can be caused by such software is the loss or corruption of information or applications. However, the image loss and financial damage that can result from malicious software can also be significant.

Examples:

 

•In the past, the W32/Bugbear worm spread itself using two different methods. One method was to search in local networks for computers with shares for which write access was enabled and then copy itself to the share. In addition, it sent itself in an email in HTML format to the recipients in the email address book of the computers it infected. Due to an error in the HTML routine of certain email programs, the malicious software was executed when the message was opened without requiring any action by the recipient.

 

•The W32/Klez worm spread different versions of itself. Infected computers sent the virus to all recipients in the address book of these computers. Once this virus infected a computer, it prevented all further attempts to install the anti-virus software of typical manufacturers by continuously manipulating the operating system. The continuous manipulation of the operating system made disinfecting the infected computer significantly more difficult.

 


Redundant VPN components

Depending on the availability requirements of the corresponding location, the failure of a VPN component could result in more or less serious problems. Corresponding redundancy must be available when high requirements are placed on the availability of the VPN. This redundancy can be implemented corresponding to the requirements using the following mechanisms, for example:

 

•clustering (using several networked components to increase availability),

 

•hot standby (provision of initialised backup equipment) or cold standby (provision of backup equipment that is shut down).

 

Whether a redundant design is necessary should be examined, especially for central VPN components such as, for example, the VPN server of a remote access VPN.

Information is generally transmitted in encrypted form in VPNs. For this reason, it is necessary to ensure that the corresponding replacement keys are available for encryption, or that new keys are generated. This aspect must be taken into account in key management.

There are many possible sources of error in a VPN, and implementation of safeguard S 6.53 Redundant arrangement of network components can help to provide additional reliability.
