[distcc] Exploit in distcc

Martin Pool martinpool at gmail.com
Thu Sep 16 06:03:01 GMT 2004


On Fri, 27 Aug 2004 10:10:03 -0700, Daniel Kegel <dank at kegel.com> wrote:

> > I wouldn't analyze the whole command line, since it can differ significantly
> > from compiler to compiler (except for the comment trick as noted above). But a
> > built-in, command-line-overwritable list of known compilers would make things
> > way safer. Among other things, it would prevent an entire local network from
> > being compromised just because one machine was compromised. And again, log
> > before rejecting (both for attacker-tracking and debugging purposes).
> 
> Already implemented, for non-security reasons.  See the patch at
> 
> http://kegel.com/crosstool/crosstool-0.28-rc34/patches/distcc-2.16/distcc-stringmap.patch

I should probably merge this, but it would be trivial for an attacker
to bypass it: just something like this....

  gcc -MF /home/victim/.ssh/authorized_keys ........

It might be interesting for someone to try a distcc SELinux profile
sometime.  I think that would give you really strong assurance that it
can run only a particular compiler and nothing else.

I suppose chrooting it in conjunction with bsd jails or grsecurity to
restrict other system calls might also help.

-- 
Martin
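To make the bypass above concrete from the defender's side, here is an added example (not code from distcc or from either poster) that contrasts the argv[0] allowlist the patch implements with a check that also confines the compiler's output paths to a per-job directory. The compiler allowlist, the option set (only -o and -MF, in separate, joined and -Wp, forms) and the job directory are all constructed assumptions.

```python
import os

# Constructed allowlist and option set; a real deployment would need every
# GCC option that names an output file, which is why MAC confinement is the
# stronger answer.
ALLOWED_COMPILERS = {"gcc", "cc", "g++", "c++"}
OUTPUT_OPTIONS = ("-o", "-MF")   # GCC options whose argument is a path to write


def compiler_allowed(argv):
    """The quoted patch's idea: only the compiler name in argv[0] is examined."""
    return os.path.basename(argv[0]) in ALLOWED_COMPILERS


def _paths_in(tokens):
    """Yield output paths given as '-o x' / '-MF x' or joined as '-ox' / '-MFx'."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        for opt in OUTPUT_OPTIONS:
            if tok == opt and i + 1 < len(tokens):
                yield tokens[i + 1]
                i += 1          # skip the path argument we just consumed
                break
            if tok.startswith(opt) and len(tok) > len(opt):
                yield tok[len(opt):]
                break
        i += 1


def output_paths(argv):
    """Output paths on the command line and inside -Wp,... forwarded to cpp."""
    yield from _paths_in(argv[1:])
    for arg in argv[1:]:
        if arg.startswith("-Wp,"):
            yield from _paths_in(arg[len("-Wp,"):].split(","))


def confined(path, workdir):
    """True if path (absolute, or relative to workdir) resolves inside workdir."""
    root = os.path.realpath(workdir)
    target = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, target]) == root


def job_allowed(argv, workdir):
    """Allowlisted compiler AND every output path stays inside the job directory."""
    return compiler_allowed(argv) and all(
        confined(p, workdir) for p in output_paths(argv))
```

With this, `gcc -MF /home/victim/.ssh/authorized_keys ...` passes `compiler_allowed` but fails `job_allowed`, as do the `-MF../../...` and `-Wp,-MF,...` spellings of the same request.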
