Email based attack on University


Re: Email based attack on University

Jonathan Dowland-5
On Mon, Oct 07, 2019 at 10:49:01AM +1100, Keith Bainbridge wrote:
>Well I think the bash line means that the bash command uses ~/whatever
>as data (which it could do without the x switch?) like any program
>does with data files. I wasn't aware of this. I read later the -c
>is not necessary, and wonder if the "s are necessary.

The quotes are only necessary if the path to the binary you want to
invoke are necessary. I use them out of habit, although I forgot that
'~' is not expanded within quotes. Using "$HOME/whatever" instead would
have worked.

-c is key here, because I'm not assuming that ~/whatever is a shell
script. This is telling the shell interpreter to run the command,
whatever it may be. But, as pointed out elsewhere, "noexec" does indeed
defeat running a binary via bash in this exact manner.

>The 3rd suggestion is still a mystery.

That's a loader binary that loads and executes a binary supplied as an
argument. It's actually invoked under the hood whenever you run a
binary. But again as pointed out elsewhere "noexec" defeats this direct
approach; one needs to introduce more indirection.


--
👱🏻 Jonathan Dowland
✎    [hidden email]
🔗 https://jmtd.net


Re: Email based attack on University

Jonathan Dowland-5
In reply to this post by tomas@tuxteam.de
On Sat, Oct 05, 2019 at 12:10:14PM +0200, [hidden email] wrote:
>I'm pretty confident that they'll work. Firstly, Jonathan
>knows his stuff.

that's generous, thank you!

--
👱🏻 Jonathan Dowland
✎    [hidden email]
🔗 https://jmtd.net


Re: Email based attack on University

tomas@tuxteam.de
On Mon, Oct 07, 2019 at 02:46:54PM +0100, Jonathan Dowland wrote:
> On Sat, Oct 05, 2019 at 12:10:14PM +0200, [hidden email] wrote:
> >I'm pretty confident that they'll work. Firstly, Jonathan
> >knows his stuff.
>
> that's generous, thank you!

C'mon. Thank *you* for your work on Debian. *That* is generous.

Cheers
-- t


Re: Email based attack on University

Keith Bainbridge-3
In reply to this post by Jonathan Dowland-5
On 8/10/19 12:45 am, Jonathan Dowland wrote:

> On Mon, Oct 07, 2019 at 10:49:01AM +1100, Keith Bainbridge wrote:
>> Well I think the bash line means that the bash command uses ~/whatever
>> as data (which it could do without the x switch?) like any program
>> does with data files. I wasn't aware of this. I read later the -c
>> is not necessary, and wonder if the "s are necessary.
>
> The quotes are only necessary if the path to the binary you want to
> invoke are necessary. I use them out of habit, although I forgot that
> '~' is not expanded within quotes. Using "$HOME/whatever" instead would
> have worked.
>
> -c is key here, because I'm not assuming that ~/whatever is a shell
> script. This is telling the shell interpreter to run the command,
> whatever it may be. But, as pointed out elsewhere, "noexec" does indeed
> defeat running a binary via bash in this exact manner.
>
>> The 3rd suggestion is still a mystery.
>
> That's a loader binary that loads and executes a binary supplied as an
> argument. It's actually invoked under the hood whenever you run a
> binary. But again as pointed out elsewhere "noexec" defeats this direct
> approach; one needs to introduce more indirection.
>
>


Thank you Jonathan.

So I put noexec under the heading of it may deter somebody who is
looking for easy targets.


bash without the -c will run a script however.


Now to make that info useful. I have back-up disks mount noexec and then
unmount as part of the script. BUT I've had a couple of instances of the
back landing in the mount point for some reason. If the script is on the
disk, it can only run if the disk mounts, surely. So now is the time to
check it all out



Again, thanks for persisting.


--
Keith Bainbridge

[hidden email]
+61 (0)447 667 468


Re: Email based attack on University

Curt
On 2019-10-08, Keith Bainbridge <[hidden email]> wrote:
>
> So I put noexec under the heading of it may deter somebody who is
> looking for easy targets.
>

The seminal vector of the ANU attack (a concerted, determined, and
sophisticated affair that might very well have been carried out by state
operatives) was social (as in engineering); this could be considered a
clueful lesson--if only they were capable of receiving one--to those
system administrators positing the irrelevancy of human nature in these
technical matters.

Of course, we've already seen someone suggest here crippling modern
email (in a University setting!) to the point of bare-bones ascii text
communication with zero attachments; it is only a matter of time before
one of our brilliant members opines that the veritable solution to our
security concerns is the elimination of the human element altogether.

--
"There are no foreign lands. It is the traveler only who is foreign."
-- Robert Louis Stevenson


Re: Email based attack on University

Jonathan Dowland-5
In reply to this post by Keith Bainbridge-3
On Tue Oct 8, 2019 at 5:35 PM Keith Bainbridge wrote:
> So I put noexec under the heading of it may deter somebody who is
> looking for easy targets.

Yes I think of it like a speed bump, rather than a barrier.

> bash without the -c will run a script however.

Yes.

> Now to make that info useful. I have back-up disks mount noexec and then
> unmount as part of the script. BUT I've had a couple of instances of the
> back landing in the mount point for some reason. If the script is on the
> disk, it can only run if the disk mounts, surely. So now is the time to
> check it all out

Yes that sounds correct: if the mount didn't happen, the script isn't
there, so it won't run.

> Again, thanks for persisting.

You're welcome!
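
The check discussed in the posts above, as an added example that is not part of the original thread: before a cron job writes to the back-up directory, confirm that the disk really is mounted there and that the mount carries `noexec`, so a failed mount cannot leave the backup in the bare mount point. The paths `/mnt/backup`, `/mnt/scratch` and `/mnt/missing`, the function names and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_backup_target DIR [MOUNTS_FILE]
#   0 = DIR is a mount point mounted noexec
#   1 = DIR is not a mount point (a backup would land on the parent filesystem)
#   2 = DIR is mounted, but without noexec
check_backup_target() {
    dir=$1
    table=${2:-/proc/self/mounts}
    status=1
    # Fields: device, mount point, fs type, comma-separated options, dump, pass.
    # The last matching line wins, because a later mount shadows an earlier one.
    while read -r _dev mnt _type opts _rest; do
        [ "$mnt" = "$dir" ] || continue
        case ",$opts," in
            *,noexec,*) status=0 ;;
            *)          status=2 ;;
        esac
    done < "$table"
    return "$status"
}

# Constructed sample in /proc/self/mounts format (not taken from a real system).
sample_mounts=$(mktemp)
cat > "$sample_mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/backup ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /mnt/scratch ext4 rw,relatime 0 0
EOF

# Report what a cron job should do for each directory.
describe_target() {
    rc=0
    check_backup_target "$1" "$sample_mounts" || rc=$?
    case $rc in
        0) echo "$1: mounted noexec, run the backup" ;;
        1) echo "$1: not mounted, refuse to write" ;;
        2) echo "$1: mounted without noexec, fix the mount options first" ;;
    esac
}

describe_target /mnt/backup
describe_target /mnt/scratch
describe_target /mnt/missing
```

In a real cron job, call `check_backup_target` with only the directory right after the mount command, so that it reads `/proc/self/mounts`, and exit unless it returns 0.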


Re: Email based attack on University

Keith Bainbridge-3
In reply to this post by Curt
On 8/10/19 6:56 pm, Curt wrote:
> The seminal vector of the ANU attack (a concerted, determined, and
> sophisticated affair that might very well have been carried out by state
> operatives) was social (as in engineering);


When it was reported that another Government may have been behind the attack,
it was also reported that the University is part of the Defence Force
training system.

--
Keith Bainbridge

[hidden email]
+61 (0)447 667 468


Re: Email based attack on University

Keith Bainbridge-3
In reply to this post by Jonathan Dowland-5
On 9/10/19 1:42 am, Jonathan Dowland wrote:
> Yes that sounds correct: if the mount didn't happen, the script isn't
> there, so it won't run.


I meant to say that I'd get cron to mount the disk, then run the script
and unmount it.


Thanks again Jonathan.

--
Keith Bainbridge

[hidden email]
+61 (0)447 667 468


Re: Email based attack on University

Keith Bainbridge-3
In reply to this post by Jonathan Dowland-5
On 9/10/19 1:42 am, Jonathan Dowland wrote:
>> Now to make that info useful. I have back-up disks mount noexec and then
>> unmount as part of the script. BUT I've had a couple of instances of the
>> back landing in the mount point for some reason. If the script is on the
>> disk, it can only run if the disk mounts, surely. So now is the time to
>> check it all out
> Yes that sounds correct: if the mount didn't happen, the script isn't
> there, so it won't run.
>

Almost all going well.   Thanks Jonathan.

I have an issue trying to run an alias. I get 'alias' not found error.
So I sym-linked my .bashrc into /root. Same result.

If I su, get # prompt and 'alias' works.  Typing alias gets list as
expected. exit. Try su -c and same results. exit.

su -c "alias" - not found.


So where do I put .bashrc for a su - "alias" to work, please.


Should I have started a new topic?


--
Keith Bainbridge

[hidden email]
+61 (0)447 667 468


Re: Email based attack on University

Greg Wooledge
On Tue, Oct 15, 2019 at 11:13:00AM +1100, Keith Bainbridge wrote:
> I have an issue trying to run an alias. I get 'alias' not found error. So I
> sym-linked my .bashrc into /root. Same result.

... huh?

> If I su, get # prompt and 'alias' works.  Typing alias gets list as
> expected. exit. Try su -c and same results. exit.
>
> su -c "alias" - not found.

Well, of course.  su -c runs a noninteractive shell.  Noninteractive
shells do not read your aliases, because they don't read ANY shell
startup files.  In addition, noninteractive *bash* shells disable
alias expansions.  Because no sane person wants aliases interfering
with a script.

> So where do I put .bashrc for a su - "alias" to work, please.

I'm not sure I understand your intention.  You want an alias to work
in some sort of scripted "su username -c '...'" command?  Well, stop
expecting that.

If you want to use a command of your own devising in a script, create
that command as a script.  Put it in /usr/local/bin and make it
executable.  Then you can use it in other scripts, which includes
sh -c or su -c invocations.

> Should I have started a new topic?

Probably, but... meh.
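
The behaviour described in the reply above, as an added example that is not part of the original thread: an alias defined in `.bashrc` is not found by `bash -c` (the same kind of noninteractive shell that `su -c` starts), while the same command installed as an executable script on `PATH` is. The names `bk` and `bk-script` are hypothetical, and a temporary directory stands in for `$HOME` and `/usr/local/bin`.

```shell
#!/bin/sh
# Constructed sandbox: a throwaway HOME and a bin directory standing in for /usr/local/bin.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/home" "$demo_dir/bin"

# The alias as it would sit in .bashrc ("bk" is a hypothetical name).
printf '%s\n' "alias bk='echo backup-ran'" > "$demo_dir/home/.bashrc"

# The same command as an executable script.
printf '%s\n' '#!/bin/sh' 'echo backup-ran' > "$demo_dir/bin/bk-script"
chmod +x "$demo_dir/bin/bk-script"

# Noninteractive bash: .bashrc is never read, so "bk" is an unknown command (exit 127).
try_alias() {
    HOME="$demo_dir/home" BASH_ENV= bash -c 'bk' 2>/dev/null
}

# Sourcing .bashrc by hand does not help either: the alias gets defined, but
# alias expansion is switched off in noninteractive bash, so "bk" is still not found.
try_alias_sourced() {
    HOME="$demo_dir/home" BASH_ENV= bash -c '. "$HOME/.bashrc"
bk' 2>/dev/null
}

# A script on PATH works from any shell, interactive or not.
try_script() {
    PATH="$demo_dir/bin:$PATH" bash -c 'bk-script'
}

rc=0; try_alias || rc=$?
echo "alias via bash -c:            exit $rc"
rc=0; try_alias_sourced || rc=$?
echo "alias after sourcing .bashrc: exit $rc"
echo "script on PATH:               $(try_script)"
```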
