Hacking - Firewalls And Networks How To Hack Into Remote Computers


SATAN and the Internet Inferno

Field   Description
rs      Indicates that the vulnerability could lead to root access on the target system
us      Indicates that a user shell could be invoked
ns      Indicates that a shell owned by the nobody (uid = 2) user could be invoked
uw      Indicates that the vulnerability could lead to the writing of a file as a nonroot user
nr      Indicates that the vulnerability could lead to a file read as the nobody user

The SATAN documentation does not mention three other listings that are used: x, l, and nw. The l severity corresponds to login information gathered from rusers.satan and finger.satan. The x entry indicates an unknown severity, but with potential for access. The nw entry indicates that the nobody user can write files.

The ns entry corresponds to ITL class 6; the nr entry corresponds to ITL class 4; and the others (except x and l) correspond to ITL class 5. (Note that permissions corresponding to the nobody user directly relate to world access settings on files.) SATAN breaks down the ITL class 5 group into three parts: the ability to execute a program as any non-root user; the ability to execute a program as the nobody user; and the ability to write files as any non-root user. In general, if a hacker can modify any non-root user file, the hacker can modify executables that the user will run and thereby gain execution access. The nobody user concept is closely linked with the holes of NFS only.

Trusted ($trusted): This field consists of two tokens separated by an @, the left part being a user and the right part being a host. (If no @ is included, the entire field is interpreted as the user part.) It represents an account or directory that trusts another target. The user part of that account is selected from these four choices: user, root, nobody, or ANY. The host part can be either the target system or ANY, but only the target system makes sense for the Trusted field. The $trusted account trusts users as specified by the $trustee field.

Trustee ($trustee): This field represents those users and systems that are trusted by the accounts listed in the $trusted field. It uses the same format as the $trusted field.

Canonical Service Output ($canonical): For non-vulnerability records, this contains a formatted version of the information, either user name, home dir, last login or filesys, clients. For vulnerability records, this contains a description of the problem type.
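The following Python example is added here for illustration and is not code from SATAN or from the original text. It shows how someone reviewing scan results could parse the $trusted and $trustee fields and map a severity code to the ITL class given above. The function names and sample host names are hypothetical, and checking the trustee's user part against the same four choices is an assumption drawn from "the same format".

```python
from typing import NamedTuple, Optional

USERS = {"user", "root", "nobody", "ANY"}  # the four user choices named above
DOCUMENTED = {"rs", "us", "ns", "uw", "nr"}
UNDOCUMENTED = {"x", "l", "nw"}            # used by SATAN but absent from its docs


class Principal(NamedTuple):
    user: str
    host: Optional[str]  # None when the field carried no '@'


def parse_principal(field: str) -> Principal:
    """Split a $trusted or $trustee value into its user and host tokens."""
    user, sep, host = field.partition("@")
    if not sep:  # no '@': the entire field is the user part
        return Principal(field, None)
    if not user or not host or "@" in host:
        raise ValueError(f"malformed user@host field: {field!r}")
    return Principal(user, host)


def itl_class(severity: str) -> Optional[int]:
    """ITL class for a severity code, following the mapping stated above."""
    if severity not in DOCUMENTED | UNDOCUMENTED:
        raise ValueError(f"unknown severity code: {severity!r}")
    if severity in ("x", "l"):  # the text assigns these no ITL class
        return None
    return {"ns": 6, "nr": 4}.get(severity, 5)


def check_record(target: str, severity: str, trusted: str, trustee: str) -> dict:
    """Validate one record's severity and trust fields for triage."""
    t, e = parse_principal(trusted), parse_principal(trustee)
    problems = [f"{name}: user {p.user!r} is not one of {sorted(USERS)}"
                for name, p in (("trusted", t), ("trustee", e))
                if p.user not in USERS]
    if t.host is not None and t.host != target:  # ANY makes no sense for $trusted
        problems.append(f"trusted: host {t.host!r} is not the target system")
    return {"itl": itl_class(severity), "undocumented": severity in UNDOCUMENTED,
            "trusted": t, "trustee": e, "problems": problems}


# Constructed sample values (target, severity, $trusted, $trustee), not real scan data.
SAMPLES = [
    ("host-a.example.com", "rs", "root@host-a.example.com", "ANY@ANY"),
    ("host-a.example.com", "nw", "nobody", "ANY@ANY"),
    ("host-a.example.com", "us", "user@ANY", "operator@host-b.example.com"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_record(*sample))
```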
