henfredemars@infosec.pub
on 25 Aug 2024 18:49
nextcollapse
“At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK,” the researchers note, highlighting that sedexp is an advanced threat that hides in plain site.
These rules contain three parameters that specify its applicability (ACTION== “add”), the device name (KERNEL== “sdb1”), and what script to run when the specified conditions are met (RUN+=“/path/to/script”).
ilmagico@lemmy.world
on 25 Aug 2024 19:17
nextcollapse
Sure, once you have root on the host system you can pretty much do whatever you want … adding entries to udev isn’t anything revolutionary.
LainTrain@lemmy.dbzer0.com
on 26 Aug 2024 11:25
collapse
“Malware”? Fucking cybersec press is the worst.
What’s next, they’re gonna call “sudo” a 0-day vuln?
MonkderVierte@lemmy.ml
on 26 Aug 2024 12:04
collapse
sugar_in_your_tea@sh.itjust.works
on 26 Aug 2024 15:03
collapse
Sure, but this isn’t a privilege escalation, this requires privilege escalation, and it merely installs a backdoor that preserves that privilege.
It’s like installing something in cron or systemd, it’s not a vulnerability in itself, but it can allow an attacker to add a backdoor once they exploit a vulnerability once.
MonkderVierte@lemmy.ml
on 27 Aug 2024 10:11
collapse
Ah fine, that was the first result in google, i didn’t read it enough. But there were some privilege escalations in sudo and lots more of misconfiguration. cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo
threaded - newest
Sure, once you have root on the host system you can pretty much do whatever you want … adding entries to udev isn’t anything revolutionary.
“Malware”? Fucking cybersec press is the worst.
What’s next, they’re gonna call “sudo” a 0-day vuln?
Not 0-day but it had a vew privilege escalation vulns already. …medium.com/sudo-vulnerability-in-linux-lead-to-p…
Sure, but this isn’t a privilege escalation, this requires privilege escalation, and it merely installs a backdoor that preserves that privilege.
It’s like installing something in cron or systemd, it’s not a vulnerability in itself, but it can allow an attacker to add a backdoor once they exploit a vulnerability once.
Ah fine, that was the first result in google, i didn’t read it enough. But there were some privilege escalations in sudo and lots more of misconfiguration. cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo