Lessons Learned - Offense

10 Nov 2017

Most of the bugs mentioned on this site were caused by trivially unsafe software practices.

Doing things as root or another privileged account unnecessarily.

Consider a situation where root changes access permissions on a directory owned by a user. What if the user first renames the directory, then creates a symlink of the same name that points to /etc/passwd? chmod and chown on a path name follow a symlink in its final component, so root ends up changing the permissions of /etc/passwd. The fix is to operate on one open descriptor: open the directory with O_NOFOLLOW, check its owner with fstat, and fchmod that same descriptor. Better still, do the work as the user rather than as root.
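An added example of that race, not code from the original post: it reproduces the rename-then-symlink swap in a scratch directory (a constructed file named target stands in for /etc/passwd), runs the naive chmod-by-path against it, and then the hardened open/fstat/fchmod variant. The scenario and file names are assumptions for the demo; the two chmod helpers are the general pattern.

```python
import os
import stat
import tempfile


def chmod_naive(path, mode):
    """The vulnerable pattern: chmod by path name. If the final component is
    a symlink, the kernel follows it and the *target* gets the new mode."""
    os.chmod(path, mode)


def chmod_dir_nofollow(path, mode, expected_uid=None):
    """Hardened pattern: open the directory with O_NOFOLLOW|O_DIRECTORY so a
    symlink (or anything that is not a directory) at the final component is
    refused, verify the owner on the open descriptor, then fchmod that same
    descriptor.  Check and change hit one inode, so a rename in between
    cannot redirect the operation."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    try:
        st = os.fstat(fd)
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError(f"{path} owned by uid {st.st_uid}, expected {expected_uid}")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: 'target' stands in for /etc/passwd.  Returns the
    target's mode after the naive chmod, its mode after the hardened chmod,
    and the errno the hardened call refused with."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "target")
    user_dir = os.path.join(base, "userdir")
    with open(target, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed sample line
    os.chmod(target, 0o600)
    os.mkdir(user_dir)

    # The user renames their directory and drops a symlink in its place
    # before root's "chmod 777 userdir" runs.
    os.rename(user_dir, user_dir + ".moved")
    os.symlink(target, user_dir)

    chmod_naive(user_dir, 0o777)
    after_naive = stat.S_IMODE(os.stat(target).st_mode)     # 0o777: target clobbered

    os.chmod(target, 0o600)                                  # reset for the second run
    failed_with = None
    try:
        chmod_dir_nofollow(user_dir, 0o777, expected_uid=os.getuid())
    except OSError as e:
        failed_with = e.errno          # ELOOP or ENOTDIR depending on the kernel
    after_hardened = stat.S_IMODE(os.stat(target).st_mode)  # still 0o600
    return after_naive, after_hardened, failed_with


if __name__ == "__main__":
    print(demo())
```

The hardened helper never trusts the path after the open: ownership is read from the descriptor, and the mode is applied to the descriptor, so there is no window in which the user can swap the directory for something else.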

Writing predictable filenames to /tmp as root. Use of /tmp should be avoided whenever possible.

The root user can write anywhere on the filesystem, so why use a world writable location like /tmp? Any local user can pre-create a predictable name there, typically as a symlink, so that root's open follows it and truncates or overwrites a file of the attacker's choosing. This is a very common security issue, yet trivial to avoid: write under a directory only root can write to, or, if a temporary file is really needed, create it with an unpredictable name and O_EXCL (mkstemp does both).
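An added example, not from the original post, showing the /tmp problem end to end: a planted symlink at a predictable name, the naive write that follows it, and two safe alternatives (mkstemp, and O_EXCL|O_NOFOLLOW when a fixed name cannot be avoided). The scratch directory stands in for /tmp and the file named victim for a root-owned file; both are constructed for the demo.

```python
import os
import stat
import tempfile


def write_report_naive(tmpdir, data):
    """Vulnerable pattern: a fixed, predictable name opened with O_CREAT but
    not O_EXCL.  If someone has already planted that name as a symlink, the
    open follows it and the privileged writer truncates and overwrites the
    link's target instead."""
    path = os.path.join(tmpdir, "report.txt")
    with open(path, "w") as f:
        f.write(data)
    return path


def write_report_safe(tmpdir, data):
    """Hardened pattern: mkstemp picks an unpredictable name and creates it
    with O_CREAT|O_EXCL (fails if the name already exists, symlink or not)
    and mode 0600, then hands back an open descriptor to write through."""
    fd, path = tempfile.mkstemp(prefix="report.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def create_fixed_name_safe(path):
    """If a fixed name is unavoidable, O_EXCL refuses an existing entry
    (a planted symlink included) rather than following it; O_NOFOLLOW is
    belt and braces.  Returns the open descriptor."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)


def demo():
    """Constructed scenario: 'scratch' stands in for /tmp and 'victim' for a
    root-owned file.  Returns the victim's contents after the naive write,
    the mode of the safely created file, and whether the fixed-name safe
    open refused the planted symlink."""
    scratch = tempfile.mkdtemp()
    victim = os.path.join(scratch, "victim")
    with open(victim, "w") as f:
        f.write("original contents\n")

    # Attacker pre-plants the predictable name as a symlink to the victim.
    planted = os.path.join(scratch, "report.txt")
    os.symlink(victim, planted)

    write_report_naive(scratch, "privileged output\n")
    with open(victim) as f:
        victim_now = f.read()                          # "privileged output\n"

    safe_path = write_report_safe(scratch, "privileged output\n")
    safe_mode = stat.S_IMODE(os.stat(safe_path).st_mode)   # 0o600

    try:
        os.close(create_fixed_name_safe(planted))
        refused = False
    except OSError:                                    # EEXIST: link not followed
        refused = True
    return victim_now, safe_mode, refused


if __name__ == "__main__":
    print(demo())
```

Note that the naive version does not need to be run by root to be dangerous; it only needs to run as any account with more write access than the attacker.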

Using unsafe permissions. Configuration files that store credentials should not be world readable.

Files that contain sensitive information should be adequately protected by restrictive permissions. Do not assume that a file can only be viewed by someone with shell access, or that a jailed shell is sufficient to protect world readable data: any other local process, such as a web application running under a different account, can read it just as well. Permissions are the first line of defense. Any software that requires permissions of 777 anywhere should be avoided.
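An added example, not code from the original post: a helper that creates a credentials file with the right mode from the first instant (rather than writing it and fixing the mode afterwards), and a small audit that walks a tree and reports what "other" can read or write, so 644 config files and 777 directories show up. The sample tree and its contents are constructed for the demo.

```python
import os
import stat
import tempfile


def write_credentials(path, text):
    """Create a credentials file that is never world readable, not even for
    the instant between creation and a later chmod: the mode is applied at
    creation (0600; umask can only remove bits), and O_EXCL|O_NOFOLLOW
    refuses to reuse an existing name or follow a planted symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_permissions(root):
    """Walk a tree and report what 'other' can do.  Anything world writable
    is reported (a 777 directory lets any local user plant files in it);
    regular files that are world readable are reported too.  World readable
    directories are normal (755) and are left alone.  Returns a sorted list
    of (path relative to root, octal mode, reason)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue            # a link's own mode bits are meaningless
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif stat.S_ISREG(st.st_mode) and mode & stat.S_IROTH:
                findings.append((rel, oct(mode), "world-readable"))
    return sorted(findings)


def demo():
    """Constructed tree: a credentials file created the right way, one
    created carelessly, and a 777 directory of the kind some installers ask
    for.  Returns the safe file's mode and the audit findings."""
    root = tempfile.mkdtemp()
    config = os.path.join(root, "config")
    os.mkdir(config)
    os.chmod(config, 0o755)                     # ordinary directory: not reported
    secret_mode = write_credentials(os.path.join(config, "db.secret"),
                                    "password=hunter2\n")       # constructed
    leaky = os.path.join(config, "db.conf")
    with open(leaky, "w") as f:
        f.write("password=hunter2\n")           # constructed
    os.chmod(leaky, 0o644)                      # typical default: world readable
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)                    # "just chmod 777 it"
    return secret_mode, audit_permissions(root)


if __name__ == "__main__":
    print(demo())
```

Running the audit over /etc or an application's config directory is a quick way to find credential files that were written with the default umask and never tightened.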

Not validating or sanitizing data.

IP addresses have a specific format. A dotted-decimal IPv4 address never contains anything other than digits and dots, for example, and has exactly four octets in the range 0 to 255; whitespace, a semicolon or a quote in a field that is supposed to hold one is an attack, not a typo. Validate/sanitize all data, and validate against the full format rather than just the character set.
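An added example, not code from the original post, that goes slightly beyond the text: alongside the strict IPv4 parser it shows why a digits-and-dots check alone is not enough, and a hypothetical consumer that builds a firewall command as an argv list so that the validated value can never reach a shell. The iptables invocation is an illustration of the pattern, not something the post prescribes.

```python
import ipaddress
import re

# One decimal octet, 0-255, with no leading zero ("01" is ambiguous: some
# resolvers and libraries read it as octal, others as decimal).
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_IPV4 = re.compile(r"\.".join([_OCTET] * 4))


def looks_like_ipv4(value):
    """The weak check many scripts stop at: only digits and dots.  Necessary
    but not sufficient: it accepts '999.1.1.1', '1.2.3' and '....'."""
    return bool(value) and all(c in "0123456789." for c in value)


def parse_ipv4(value):
    """Return the canonical dotted-decimal string for a valid IPv4 address, or
    None.  fullmatch anchors both ends (a '$' anchor would still accept a
    trailing newline); the ipaddress module re-parses the result as an
    independent second opinion."""
    if not isinstance(value, str) or not _IPV4.fullmatch(value):
        return None
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        return None


def block_rule_argv(value):
    """Hypothetical consumer: build an argv list for a firewall rule.  The
    address is validated first, and because the command is an argv list and
    never a shell string, '1.2.3.4; id' could not run even if it got through."""
    ip = parse_ipv4(value)
    if ip is None:
        raise ValueError(f"not an IPv4 address: {value!r}")
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for candidate in ["192.168.1.10", "999.1.1.1", "01.2.3.4", "1.2.3.4; id", "1.2.3.4\n"]:
        print(repr(candidate), looks_like_ipv4(candidate), parse_ipv4(candidate))
```

The two layers are deliberate: the parser rejects anything that is not an address, and the argv list means that even a future bug in the parser cannot turn into command injection.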

Know your environment. Know the high value targets.

What might someone take advantage of to get root on a cPanel server? /root/.accesshash, the WHM remote access key, is one resource. A reseller with the "all" privilege in /var/cpanel/resellers is another.
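An added example, not code from the original post, of checking those two targets. It assumes /var/cpanel/resellers holds one reseller per line as "name:acl,acl,..." (verify that against a real file before relying on the parser); the sample contents and the scratch file standing in for /root/.accesshash are constructed for the demo.

```python
import os
import stat
import tempfile

# Constructed sample in the assumed "name:acl,acl,..." layout.
SAMPLE_RESELLERS = """\
bob:list-accts,show-bandwidth
alice:all
carol:acct-create,all,acct-remove
"""


def resellers_with_acl(text, acl="all"):
    """Return the reseller names whose ACL list contains `acl`.  Blank and
    '#' lines are skipped; whitespace around names and ACLs is ignored."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, acls = line.partition(":")
        if acl in {a.strip() for a in acls.split(",")}:
            hits.append(name.strip())
    return hits


def check_root_only_file(path):
    """Problems with a file that should be readable by root alone, such as
    /root/.accesshash: any group/other mode bits, or an owner other than
    uid 0.  Returns a list of human-readable findings (empty if clean)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & 0o077:
        problems.append(f"mode {oct(mode)} grants access beyond the owner")
    if st.st_uid != 0:
        problems.append(f"owned by uid {st.st_uid}, expected root")
    return problems


def demo():
    """Run the ACL check on the constructed sample and the file check on a
    scratch file deliberately left at 0644."""
    path = os.path.join(tempfile.mkdtemp(), "accesshash")
    with open(path, "w") as f:
        f.write("constructed placeholder, not a real key\n")
    os.chmod(path, 0o644)
    return resellers_with_acl(SAMPLE_RESELLERS), check_root_only_file(path)


if __name__ == "__main__":
    print(demo())
```

Both checks are cheap enough to run from a cron job; a new name appearing in the "all" list, or the access hash losing its 0600 mode, is the kind of change worth an alert.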