kurt wismer said:
[snipped - getting too long]
all words can be ambiguous in one context or another, however in the
context we're talking about root is most certainly not related to
trees...
If you view privilege levels as one with most privilege and others with
different subsets of permissions (like inheritance in forking child
processes - a family tree) then you can see that we are indeed talking
about "most privileged" being the 'root' of a 'tree' structure. Much the
same as directory structures can be viewed as trees.
further, the "root" in rootkit never applies to the root directory on a
drive... these are all red-herrings...
Geesh - it applies to UNIX slang for most privileged user in a multiuser
environment. That doesn't mean it is a computer science-wide term any
more than "folder" from Windows slang becomes the replacement for
"directory" in describing a filesystem.
technical jargon != slang...
In many cases it should, especially when there is already a technical
term to describe a thing and someone 'invents' a new term to describe
it.
as for suitability, extra-contextual uses do not affect a term's
suitability for use in computer science... you don't see people
complaining about ambiguity of terms like port or packet or pipe, do
you?
They're pretty much accepted terms no matter what OS you're talking
about aren't they? You talk about traversing directories even though
Microsoft might like to call it 'browsing folders'. Directory traversal
exploits don't suddenly become folder browsing exploits just because
Microsoft prefers other names for things.
[snip]
and here you've slipped up... if you have root on machine A you cannot
further compromise machine A,
Not even by making it available for others to get the same privilege? If
I get physical access to a machine with root user logged on that is a
sort of compromise (security is compromised, but the machine itself is
unchanged). If I want back in, I would have to dress up like a courier
again and hope that the opportunity again presents itself. If while
there I make provisions for re-entry from a remote location the machine
is then compromised (changed).
therefore you can only further compromise
the network - which you do by compromising other machines on the
network, by gaining root (or privileges that can be escalated to root)
on them...
Having me logged on as root user (unauthorized) is a breach of security.
The machine is not compromised in the sense that it is still configured
exactly as it was before I got access. In this case the network is
compromised because physical access resrictions weren't properly
enforced.
therefore you're actually agreeing with me...
I agree to disagree.
you have made it quite clear that you think a rootkit in the unix sense
is a set of replacement binaries designed to hide your presence...
No, that is only one intent. It could be a set of programs that cause
information to leak out (or trickle in). Hiding whatever programs and
processes you add to the system is so commonly done that "hiding" has
now become synonymous with "rootkit'.
if that is so then the function of a rootkit in your terms is to hide
things...
That is not at all what I am saying. Picture a kiddie with a t-shirt
that saya "Got root?". I'm sure you've seen such shirts. The rootkit's
function is to answer the unasked question "what do I do next".
Yes, the meaning of rootkit has evidently changed now to mean hiding
whatever it is you decided to do next.
i think you have that backwards... a rootkit is always about getting
root, but the first root you get on a network may not have been through
the use of a rootkit...
From:
http://www.sans.org/y2k/TFN_toolkit.htm
"The Attack
The hackers are using buffer overflow exploits on rpc.ttdbserverd,
rpc.cmsd, sadmind, rpc.statd to gain root access to a machine. In some
cases, they use a variant of the /tmp/bob attack which is associated
with
the ffcore buffer overflow exploit. In any event, if they are successful
in gaining access, they ftp the toolkit into a directory on the machine
...."
Here you see that they mention the root access happening prior to the
FTPing of the "kit" - and also they mention earlier " I'd classify this
attack as a simple rootkit style attack with a DoS payload." so the
payload here isn't furthur rooting of more machines.
[snip]
i'm sorry but your analysis has missed the mark... the context is
clearly about penetration of the machine, not persistence on the
machine... his use of rootkit in that context implies that rootkits are
generally used in the penetration phase (although not in his specific
case)...
Not really, the context (concerning his use of the word) is a
disparaging remark - putting down users of kits of any kind because they
often are using the kit without nearly the skill level of one who writes
kits. His point is that his attacker is no script kiddy toolkit user but
instead is a skilled intruder. He "did it the hard way" refers to his
beleif that the intruder wrote his own exploits rather than using
available kits written by others.
then i suggest you go back and re-read... those exploiters are what *he*
refers to when he says "steenking rootkit toolbox stuff"...
Yes, but again his intention seems to be to belittle the kiddies who use
kits written by others, not to use the term in its most correct form.
[snip]
Again, to me "exploit root access" in this context means exploiting
(leveraging) the fact of root access.
that's all well and nice... but what it means to you is irrelevant as
they specify an example of what they meant and the example was the
toolkit known as "rootkit", whose properties and functions are well
documented...
A "rootkit" and a program calling itself "rootkit" are not the same
thing. The program calling itself rootkit does also happen to be one,
but that program and "all" of its functions are not what defines a
rootkit.
Again in this document
https://tms.symantec.com/members/AnalystReports/030929-Analysis-SHV4Rootkit.pdf
the access (via exploit of a vulnerability) come prior to, and apart
from, the installation of the rootkit. The rootkit itself does not
contain the means to obtain root access.
they meant tools like "rootkit"... it was designed to sniff passwords so
as to allow you to gain root on machines other than the one it was
installed on...
But that was not the defining feature.
can i be blunt (or perhaps just curt)?... don't you think we're past the
point in the discussion where you tell me what you *feel* a rootkit
is?
Absolutely, since you won't listen. I'll agree to disagree and will not
discuss it further since no-one else in these groups seem interested.
)