[distcc] Exploit in distcc
Martin Pool
martinpool at gmail.com
Thu Sep 16 06:03:01 GMT 2004
On Fri, 27 Aug 2004 10:10:03 -0700, Daniel Kegel <dank at kegel.com> wrote:
> > I wouldn't analyze the whole command line, since it can differ significantly
> > from compiler to compiler (except for the comment trick as noted above). But a
> > built-in, command-line-overwritable list of known compilers would make things
> > way safer. Among other things, it would prevent an entire local network from
> > being compromised just because one machine was compromised. And again, log
> > before rejecting (both for attacker-tracking and debugging purposes).
>
> Already implemented, for non-security reasons. See the patch at
>
> http://kegel.com/crosstool/crosstool-0.28-rc34/patches/distcc-2.16/distcc-stringmap.patch

I should probably merge this, but it would be trivial for an attacker
to bypass it: just something like this....

    gcc -MF /home/victim/.ssh/authorized_keys ........

It might be interesting for someone to try a distcc SELinux profile
sometime. I think that would give you really strong assurance that it
can run only a particular compiler and nothing else.

I suppose chrooting it in conjunction with BSD jails or grsecurity to
restrict other system calls might also help.
--
Martin
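
Added example, not part of the original message and not distcc's or the patch's own code: a name-only compiler allowlist accepts the -MF command quoted above, while a separate check on output-path arguments flags it. The allowlist contents, the option list (-o and -MF only, not complete) and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist of compiler names (an assumption, not from the patch). */
static const char *const allowed[] = { "gcc", "g++", "cc", "c++" };
/* Options treated here as "writes a file"; deliberately not a complete list. */
static const char *const out_opts[] = { "-o", "-MF" };
/* Constructed argv samples: the command from the message (its elided tail omitted)
 * and an ordinary compile job. */
static const char *const sample_bypass[] = { "gcc", "-MF", "/home/victim/.ssh/authorized_keys" };
static const char *const sample_ok[] = { "gcc", "-c", "hello.c", "-o", "hello.o" };

/* Name-only check: 1 if argv[0] is exactly an allowlisted compiler name. */
int compiler_allowed(const char *argv0) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(argv0, allowed[i]) == 0) return 1;
    return 0;
}

/* 1 if path is non-empty, relative, and has no ".." component. */
int path_confined(const char *p) {
    if (*p == '\0' || *p == '/') return 0;
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 0;
        p += n;
        if (*p == '/') p++;
    }
    return 1;
}

/* Index of the first output option whose target is not confined, or 0 if none. */
int first_unconfined_output(int argc, const char *const argv[]) {
    for (int i = 1; i < argc; i++)
        for (size_t k = 0; k < sizeof out_opts / sizeof out_opts[0]; k++) {
            size_t len = strlen(out_opts[k]);
            if (strncmp(argv[i], out_opts[k], len) != 0) continue;
            /* Value is attached (-ofoo) or in the next argument (-o foo). */
            const char *val = argv[i][len] ? argv[i] + len : (i + 1 < argc ? argv[i + 1] : "");
            if (!path_confined(val)) return i;
        }
    return 0;
}

int main(void) {
    int bad = first_unconfined_output(3, sample_bypass);
    /* Log before rejecting, as the quoted message asks. */
    fprintf(stderr, "name check: %d, rejected argument index: %d\n", compiler_allowed(sample_bypass[0]), bad);
    return first_unconfined_output(5, sample_ok);
}
```

Because the option list is incomplete by design, a filter like this narrows the problem rather than closing it, which is why the message points to SELinux, chroot and jails for confinement.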