The following assessment was done in answer to the question of how our Bootable CD system could be exploited to gain root access. It is based on a rapid assessment and testing process that took only about 4 hours for a group of reasonably skilled assessors with an additional 4 hours of help by an expert and includes the development team's decisions about mitigation. It is not to be taken as definitive, but rather as representative of reasonable expectations for the potential for privilege exploitation in our Bootable CD environment. Likelihood and impact values are indicated for 'secure mode' operation.
audio/video viewing: An attacker could use audio or video devices attached to the system to remotely view keyboard entry or listen to people saying passwords that could grant root access. This would likely require root access in order to exploit and is highly unlikely in the current Bootable CD configuration. No additional mitigation was applied. Likelihood: LOW - Impact: LOW
breaking key management systems: It is possible that there is an as yet unpublished vulnerability in ssh key management that could allow root access if root remote logins are used in circumstances that would permit such an exploit. The ssh service is not enabled by default, and key management is intended to provide for maximum interoperability. Additional constraints can be implemented by customizing /etc/ssh/sshd_config in order to restrict cryptosystem and key management use as well as to remove remote root access. No other mitigation has been applied. Likelihood: LOW - Impact: LOW
bribes and extortion: An attacker could bribe or extort the Bootable CD developers or others in the supply chain to include an undisclosed vulnerability. The current development team consists of US government cleared personnel who have widespread reputations for integrity. Nevertheless, this is a possibility. Others in the environment could also be bribed to alter the system hardware, media, etc. If assured delivery is required for special applications, cryptographic checksums are available to verify distribution content. No other mitigation has been applied. Likelihood: LOW - Impact: LOW
call forwarding fakery: There might be some way to exploit Bootable CD if used in dial-up situations by forwarding calls to false telephone systems and applying man-in-the-middle attacks. This could then be used to exploit system interdependencies. By default, our Bootable CD does not have many such dependencies; however, configurations for particular applications may deviate from this situation. No other mitigation has been applied. Likelihood: LOW - Impact: LOW
content-based attacks: Malicious content, such as a malicious web page or downloadable software, could provide temporary root access if loaded and used by a user logged in as root on the Bootable CD box. This is partially mitigated by the unmodifiable nature of CD-booted Bootable CD systems, which makes attacks not specific to Bootable CD unlikely to succeed. Configurations include JavaScript disabled by default in Mozilla, which mitigates this sort of attack to a limited extent. Other content-based attacks include exploits against libraries used by applications and similar mechanisms. The development team has made an effort to identify and eliminate all such configuration errors in default configurations. In addition, the 'WGsec' script mitigates many such attacks by limiting information flow across network interfaces, thus reducing the potential for abuse. No other mitigation has been applied. Likelihood: LOW - Impact: LOW
covert channels: It has been shown possible to derive information about ssh passwords from keystroke timing. Other similar covert channels may exist in our Bootable CD to permit a root password to be more easily guessed based on observing covert information flows. By default, external services are not enabled, and thus only information about remote passwords will be revealed by these attacks; however, if the ssh service is enabled for inbound connections, this attack will be possible. No additional mitigation has been applied. Likelihood: LOW - Impact: LOW
cryptanalysis: The ssh cryptographic system might be exploitable at some time in the future to allow keys to be determined through cryptanalysis so as to gain access to a root password in transit or so as to bypass normal controls on remote access. This service is not enabled by default and no feasible attacks are currently published. No additional mitigation has been applied. Likelihood: LOW - Impact: LOW
data diddling: It might be possible to exploit a race condition in a GCC compilation if user access is available so as to alter a temporary file during compilation and cause the root user to execute user attack code. No such example is currently known. If the floppy drive contains a floppy that is not write-protected and was not present at bootup, a non-root user might be able to access the floppy and create or alter a PLAC.go file or a program called by PLAC.go so as to cause root to execute a program at the next system reboot. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
dependency analysis and exploitation: Outside services such as DNS could be exploited in a networked environment to induce the Bootable CD system to go to a wrong site to perform activities, leading to possible man-in-the-middle attacks that could induce the downloading of a Trojan horse or other similar condition which could ultimately result in granting root access. Such an attack would likely have to be customized to our Bootable CD because of its largely read-only file structure. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
device access exploitation: The floppy disk could be subverted (as described earlier), or a device with DMA access that is accessible from a non-root account might be exploited to gain indirect access to processor memory. No known vulnerabilities of this type exist in our Bootable CD; however, it is possible that such a vulnerability exists with some devices not yet known to the developers. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
emergency procedure exploitation: If an emergency can be used to induce the root user to leave the console unguarded and physical access can be gained, root access could be attained. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
environment corruption: It is possible to create an environment in which the root user executes a Trojan horse. As an example, the root user could simply run a user program (or be induced to do so). In addition, '.' is at the end of the root path, and several root path directories do not exist in all implementations. Testing indicates that no root path exploit based on directories in the root path operates, because of file and directory protections and the read-only nature of large parts of the Bootable CD file system; however, if the root user mistypes a command while in a user directory that contains an executable with the mistyped name, it is possible to force the root user to execute Trojan horse code as specified by the user. This can be readily mitigated by setting the root path to a different value; however, the developers have chosen this option for convenience. The script 'WGsec' has been provided to mitigate this risk by removing the '.' from the root path and performing other enhanced security functions at the expense of ease of use. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
error insertion and analysis: It is possible that induced errors could cause information to be revealed that could be exploited through analysis and used to provide a root password or other root access. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
error-induced mis-operation: Programming errors might be exploitable to induce system misoperation granting root privileges. As an example, when running tcpdump, some binary characters can be displayed on the video screen. If the attacker can craft a packet capable of displaying a sequence of bytes that are interpreted by the VT100 emulator used in Xterm, they might be able to induce the terminal emulator to store and enter, on behalf of the root user, a command that will grant root access to the attacker. This would have to be specifically crafted to grant access to root under our Bootable CD because of the requirement to enable services and to modify only modifiable file system areas. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
errors and omissions: If the root user does not follow the directions in the tutorial or fails to take into account the factors identified in this document, the Bootable CD system may become susceptible to privilege escalation. Design errors and omissions in Linux, such as setUID programs, have been largely eliminated in our Bootable CD distribution; however, some may remain. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW
false updates: If the root user gets a copy of the Bootable CD distribution from other than a trusted channel, it could contain Trojan horses that would grant root access. The trusted method of getting a copy of the Bootable CD distribution is via a credit card purchase from all.net over the Web. If higher assurance is required, an MD5 checksum of the content of the CD-ROM can be supplied or other special arrangements made for integrity assurance in the transfer process. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: HIGH
fictitious people: A fictitious person could try to provide false updates under color of authority. Similarly non-authoritative information about operation or configuration could be used to subvert protection. Only online information from all.net or content of a Bootable CD should be trusted as authoritative with respect to your distribution. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW
get a job: If someone untrustworthy were to get a job on the Bootable CD development team, they could provide the means to subvert protection. All current developers hold US government clearances, and team members are restricted and carefully screened. Applications implemented in Bootable CD do not have privileges and thus cannot provide additional privileges to the user unless they are run by root and contain Trojan horse code that functions in the Bootable CD environment. Reboots defeat any permanent access granted in this manner. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: MID
hangup hooking: If dial-up is in use with Bootable CD, it is possible that improperly closed inbound dial-up sessions by root could lead to root compromise. We advise against dial-up access to root accounts unless additional precautions have been taken, such as the use of ssh as the only method for access. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
hardware failure - system flaw exploitation: Hardware failures in the write protection mechanism of floppy disks could be exploited to modify floppy contents if floppy versions of PLAC.go or other content it uses could be modified. This is not normally possible because of software protections, but poorly implemented PLAC.go files could combine with such a fault to produce root access. Other hardware failures have some chance of producing unanticipated machine states that could result in root access. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
illegal value insertion: If there are system call checks that fail to detect illegal values and those values would grant root access under Linux, they may be used to escalate privileges under our Bootable CD. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
imperfect daemon exploits: Our Bootable CD starts up with no vulnerable daemons running. Unless daemons are enabled, no remote access or vulnerability exists that we are aware of. Normal daemon startup in our Bootable CD as described in the tutorial provides mitigation against most risks associated with those daemons; however, the potential residual risks are reviewed here:
No additional mitigation has been applied other than this notice and the 'WGsec' script.
inappropriate defaults: Our Bootable CD is configured with sshd remote access without password enabled. This was determined to be desirable for many cases when LAN-based exchanges were necessary. If directions are followed, passwords will be set before sshd is started, except in cases where physical protection is used to limit LAN access. Similarly, there is a '.' at the end of the path for root. This is provided for convenience of access; however, it can lead to root compromise if root runs programs from within user directories. If desired, the root user may remove this vulnerability by resetting the path in the PLAC.go file. The script 'WGsec' has been provided to mitigate this vulnerability as well as others identified in this assessment, at the expense of ease of use. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
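As an added example (not the Bootable CD's own 'WGsec' script, whose contents are not reproduced here), the following POSIX shell functions implement two of the checks this assessment describes: stripping '.' and other relative entries from root's path (the 'environment corruption' and 'inappropriate defaults' items) and confirming that an sshd_config denies remote root login and empty passwords (the 'breaking key management systems' item). The sample sshd_config is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; not part of the Bootable CD distribution.

# sanitize_path PATHVALUE
# Prints PATHVALUE with empty, '.', and other relative entries removed,
# so a mistyped command can never resolve to a file in the current directory.
sanitize_path() {
    _rest="$1:"
    _out=
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            ''|.|./*|../*) continue ;;   # empty and cwd-relative entries are dropped
            /*) ;;                       # absolute entries are kept
            *) continue ;;               # any other relative entry is dropped
        esac
        _out=${_out:+$_out:}$_entry
    done
    printf '%s\n' "$_out"
}

# path_is_safe PATHVALUE: succeeds only if sanitizing would change nothing.
path_is_safe() {
    [ "$(sanitize_path "$1")" = "$1" ]
}

# first_directive FILE KEYWORD: prints the value of the first uncommented
# occurrence of KEYWORD, matching the way sshd takes the first one it sees.
first_directive() {
    awk -v key="$2" '$1 ~ /^#/ {next}
        tolower($1) == tolower(key) && !seen {v = tolower($2); seen = 1}
        END {print v}' "$1"
}

# audit_sshd_config FILE: succeeds when remote root login and empty passwords
# are both denied; otherwise prints what to change and fails. A missing
# PermitEmptyPasswords is treated as "no" (OpenSSH's default); a missing
# PermitRootLogin is treated as not yet restricted (an assumption).
audit_sshd_config() {
    _bad=0
    _root=$(first_directive "$1" PermitRootLogin)
    _empty=$(first_directive "$1" PermitEmptyPasswords)
    case "$_root" in
        no) ;;
        *) echo "PermitRootLogin is '${_root:-unset}'; set it to 'no'"; _bad=1 ;;
    esac
    case "$_empty" in
        ''|no) ;;
        *) echo "PermitEmptyPasswords is '$_empty'; set it to 'no'"; _bad=1 ;;
    esac
    return $_bad
}

# write_sample_sshd_config FILE: constructed permissive excerpt for the demo.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config excerpt (sample data, not a shipped file)
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
EOF
}

demo() {
    echo "root PATH sanitized: $(sanitize_path '/sbin:/bin:/usr/sbin:/usr/bin:.')"
    _tmp=$(mktemp)
    write_sample_sshd_config "$_tmp"
    audit_sshd_config "$_tmp" || echo "sshd_config needs attention before sshd is enabled"
    rm -f "$_tmp"
    return 0
}
demo
```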
infrastructure interference: By interfering in infrastructures, it might be possible to get a root password if the root user is using insecure services to get email or to perform similar tasks using the same password as is used for root on the Bootable CD system. Infrastructure interference could also be used to invoke a man-in-the-middle attack as described above. Insecure services have been minimized in our Bootable CD so as to reduce their use; however, through poor choices, root users can still enable such compromises. The 'WGsec' script firewalls against almost all such attacks. The Bootable CD default selection of DNS servers is also intended to favor those with higher trust levels. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
infrastructure observation: The pop3 service exposes traffic to infrastructure observation, and that traffic could contain root passwords that might be gleaned in this manner. Prudence in the use of these services is urged. The 'WGsec' script firewalls against pop3 usage. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
input overflow: See imperfect daemons above. Internal input overflows that might otherwise grant root access do not grant this access under our Bootable CD because none of those programs are setUID on the Bootable CD. Input overflows to potentially vulnerable daemons that are run as root may be invoked under some circumstances to gain access and escalate privilege, but testing has not revealed any that currently operate against Bootable CD systems. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
insertion in transit: A Trojan horse could be inserted in transit, thus affecting a root user who is remotely accessing data. Similarly, a forged external DNS response could lead to a Trojan horse or man-in-the-middle attack through an improperly trusted remote system. These can only be invoked if the attacker has the ability to gain the root password and gain physical or ssh access to the Bootable CD system, and if additional configuration changes have not been made to prevent such an attack. In order to gain feedback, such an attack would require return paths, which are largely reduced via the 'WGsec' script's firewall. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: MID
interrupt sequence mishandling: It is possible that interrupt sequence mishandling could induce an escalation of privilege, however, we are aware of none and do not know of any exploits that would tend to indicate a likelihood that one will be found in the foreseeable future. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
invalid values on calls: It is possible that invalid values on Linux operating system calls could induce an escalation of privilege, however, we are aware of none and do not know of any exploits that would tend to indicate a likelihood that one will be found in the foreseeable future. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
man-in-the-middle: As described above. Likelihood: MID - Impact: MID
modification in transit: As described above, the same effects can be seen as in infrastructure interference. Likelihood: MID - Impact: MID
multiple error inducement: Most of the attacks described herein involve multiple error inducement. Other multiple error induced faults are likely to exist and may be exploited, but we are not aware of any at this time. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
network service and protocol attacks: The only known attacks are those indicated under imperfect daemons described above. Our Bootable CD mitigates this risk to a large extent by not automatically starting any network services, by providing special secure servers where possible, and by controlling less secure services by configuration management. Most protocols are disabled by default so that UDP viruses and similar attacks are not in effect. Additional protection can be attained by applying firewall technology available on the Bootable CD system and by additional configuration changes suited to the specific needs of the user. The script 'WGsec' includes firewall mitigation of many of these vulnerabilities. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
observation in transit: As described above, insecure protocols can be observed and exploited to gain information that might be useful in a privilege escalation. This sort of attack only applies if those same passwords are used in an enabled service that permits remote access, such as ssh. Internal escalation from user accounts is not aided by this information. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW
password guessing: Password guessing is possible; however, the password file is not readable except by root, so only brute force techniques or those exploiting weak protocols or enabled services can operate. By default, remote access is not available, so only manual guessing or physically enhanced guessing through added hardware at the console can be used to exploit this unless remote services are enabled. Default password guess counts for sshd are set reasonably low to prevent unfettered guessing, and additional firewall rules can be used to further mitigate this problem if particular systems are attempting such guesses. Audit trails also provide notice of such attempts, and the password-changing program warns about weak passwords. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: MID
perception management a.k.a. human engineering: It is feasible for an attacker to gain root access by deceptions oriented against those with root access. A Bootable CD system provides no support to mitigate this risk other than the requirement for authorized users with root access to enable services in order to provide access and the default settings for system services. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW
piggybacking: By piggybacking on a web site or other remote service, a Trojan horse could be introduced into the data stream, thus inducing the web browser to act on root's behalf to grant otherwise unauthorized access to the system. Similar possibilities exist for other services. Configurations for web browsers are defaulted to prevent JavaScript and known vulnerabilities; however, vulnerabilities no doubt remain in these applications. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
protection missetting exploitation: As above, some of the settings are designed to afford increased utility over protection. Settings should be changed and instructions followed if different behavior is desired. No Bootable CD files are setUID, and most files and directories are configured so as to prevent examination or modification as appropriate. All settings within the most commonly exploited areas are also protected by the fact that they are implemented read-only on an ISO9660 loopback filesystem. This makes changing protections difficult if not impossible without root access. In installations with writeable user file systems, some of the added layers of protection are not in effect. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
race conditions: It is possible that there are compiler race conditions that would induce Bootable CD systems in which root users are doing compilations to grant privilege escalation to a local user who is able to exploit a race condition to alter the partially compiled code produced by the compiler before final compilation or loading and get the root user to run the resulting program. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
replay attacks: The replay of a plaintext password could be used to regain root access; however, no remote root access is available except via ssh, which prevents replay attacks, and only then if enabled by the root user. Recorded keystrokes using a physical tapping device would afford a successful replay attack. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
shoulder surfing: If the root user allows others to observe the entry of a password and if physical access or remote access with sshd enabled is permitted to the system, the root login password can be exploited for root access. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: MID
spoofing and masquerading: If the root user can be convinced to act imprudently by a spoofing or masquerading process, privilege can be gained and escalated. Similarly, complex interdependencies with other systems, such as those described above, might be exploited to grant root access. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
strategic or tactical deceptions: As above, deceptions against authorized users or systems configured to allow root privileges can potentially provide these privileges. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW
system maintenance: Systems maintenance personnel with physical access can gain access to system content and alter system function. In addition, they could leave a sniffing device which would gain them root user information and might allow subsequent access assuming services to support such access are made available by the root user. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
Trojan horses: Trojan horses, as indicated above, could be used to gain root access if executed by the root user and if properly designed to function in the Bootable CD environment. Configurations for web browsers are defaulted to prevent JavaScript and known vulnerabilities; however, vulnerabilities no doubt remain in these applications. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW
undocumented or unknown function exploitation: It is possible that there are undocumented functions associated with services available under our Bootable CD, however, none have been intentionally introduced by the Bootable CD distribution team in the Bootable CD distribution made available to the public. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
viruses: If the root user executes a virus which is designed to operate in our Bootable CD environment, that virus will have root access during its execution, however, infection will be substantially limited by the read-only nature of much of the Bootable CD environment and by the loss of unsaved viral content across reboots. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW
wire closet attacks: Physical infrastructure attack could be used to facilitate other attacks described above. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW
These are the only known classes of vulnerabilities that would grant root access to our Bootable CD system implemented following the tutorial and other instructions provided. Additional vulnerability and mitigation information will be provided in updates to this document available on our Bootable CD distributions and on our web site. The web site will reflect the most recent assessment while the individual CD will reflect the assessment as of the time of its release.