you can also strace ls, normally ls does nothing in /proc, but this ls
did something in /proc.
But where is it from?
Have you installed/executed any binaries besides debian-packages?
Regards,
Ralf Dreibrodt
For fun i tried the exploit, it didn't work, it needs access to /proc.
I gave that user access to /proc and tried it again.
The user got logged out, i got an email.
Regards,
Ralf Dreibrodt
--
MesosTelefon 49 221 4855798-1
Eupener Str. 150 Fax 49 221 4855798-9
50933 Koeln Mail
://www.securityfocus.com/archive/1/315635
stupid question, but is chmod 700 /proc enough?
This exploit doesn't work anymore.
Do you have any exploit which works after a chmod 700 /proc?
Regards,
Ralf Dreibrodt
outside this
directory
- you can also access files in /directory/where/files/are2 or is this
bug already solved?
There are probably other possibilities to access files outside this
directory.
open_basedir has nothing to do with chroot, they are two different
things.
Regards,
Ralf Dreibrodt
--
Mesos
_every_ binary within the chroot, only
programs outside the chroot should have them.
Well, i think the solution depends on your paranoia level ;)
Regards,
Ralf Dreibrodt
--
MesosTelefon 49 221 4855798-1
Eupener Str. 150 Fax 49 221 4855798-9
50933 Koeln Mail[EMAIL PROTECTED]
is via network.
You can deny network usage for the user, for all ports or only for
specific ports.
Is there any packet filter, which can block only outgoing ssh-sessions?
Regards,
Ralf Dreibrodt
--
MesosTelefon 49 221 4855798-1
Eupener Str. 150 Fax 49 221 4855798-9
50933 Koeln
no
UsePrivilegeSeparation yes
But i think i am also not vulnerable because privsep is default since
3.3.
Regards,
Ralf Dreibrodt
pureftpd.
qmail itself perhaps had no security problems, but other programs, e.g.
vpopmail or vchkpw.
Regards,
Ralf Dreibrodt
-rom and compare the hard disk with my tripwire-db, which is
not on the hard disk.
Regards,
Ralf Dreibrodt
Hi,
Javier Fernández-Sanguino Peña wrote:
On Wed, Sep 18, 2002 at 04:33:25AM +0700, Jean Christophe ANDRÉ wrote:
Did you take a look at the Referer of those access?
It might help you to track it down...
That's just might be how they get them in the first place. If you buddy
, but you should ask a lawyer before doing stuff like this.
i already made some bad hedrivings a few years ago with something like
this...
Regards,
Ralf Dreibrodt
--
Mesos Telefon 49 221 9639263
Wallstr. 123 Fax 49 221 9646649
51063 Koeln Mail [EMAIL PROTECTED]
Hi,
hedrivings
sorry, i forgot to change this to experience...hedrivings is only for german
people ;)
Michael Renzmann wrote:
i already made some bad hedrivings a few years ago with something like
this...
But one thing I would like to know: what do you mean with hedrivings? :)
experiences.
i asked a friend, what i could say for erfahrungen in english, he
answered hedrivings, so fast,
Hi,
Sorry i know this is off topic but does anyone know where there's a good
HOW-TO on Setting up SAMBA as a print server ??
there is an online book from oreilly:
http://www.oreilly.com/catalog/samba/chapter/book/index.html
Best regards
Ralf Dreibrodt
--
Mesos Telefon 49 221
solutions for this problem...
sorry, i don't have any debian specific solution, but i just wanted to tell
you, that your solution is wrong and gives a false sense of security.
Regards,
Ralf Dreibrodt
--
Mesos Telefon 49 221 9639263
Wallstr. 123 Fax 49 221 9646649
51063 Koeln Mail
Hi,
StarK wrote:
What kind of security can I use to avoid this ? Can we chroot the PHP
(Yes I know it's a strange sentence :) ?
i know two useable solutions:
1. care about every service:
use SuEXEC for CGIs, Safe Mode for PHP, a good directory and right
structure.
2. chroot everything
Hi,
Craig Dickson wrote:
Florian Weimer wrote:
Two possibilities: The documentation refers to a previous version of
the scanner, or you forgot to restart Apache after installing the
packages.
Installing a new .deb for a server package should automatically restart
the server, should
Hi,
Phillip Hofmeister wrote:
So what does this mean for us running potato on internet servers?
Does this affect the daemon or the client?
this is the information markus friedl sent to bugtraq and it is perhaps
the same, the debian-team got?!?
Date: Mon, 24 Jun 2002 15:00:10 -0600
Hi,
Florian Weimer wrote:
Is this worth the effort if there's still a remote nobody exploit?
At least that's the way I understand the DSA.
i understand it as a remote chrooted nobody exploit, this is much
better than a remote root-exploit.
bye,
Ralf
Hi,
Christian Jaeger wrote:
Hmm, I'm wondering if it's any better: if the attacker manages code
to run in the chrooted daemon, I suspect he can also advise the part
running as root to open up a new root connection? Isn't it that the
separation simply protects against direct shell launch
Hi,
Mark Janssen wrote:
On Tue, 2002-06-25 at 18:11, Phillip Hofmeister wrote:
*TECHNICALLY* every login is root. Getty runs as root and then gives up
root
to the authenticated user once PAM gives the okay...Does this mean the user
can break back into root? If they exit their shell
Hi,
i just saw an error on a debian box with apache(-common) 1.3.9-13.2:
drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var
drwxr-xr-x  6 root root 4096 Mar 11 06:30 /var/log
drwxr-xr-x  2 root root 4096 Mar 10 06:25 /var/log/apache
-rw-rw-r--  1 www-data
Hi,
Thomas Thurman wrote:
On Tue, 12 Mar 2002, Ralf Dreibrodt wrote:
tail -n 1 /var/log/apache/access.log
127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
to whom belongs this problem?
the programmer, who used GET
Hi,
Javier Fernández-Sanguino Peña wrote:
On Wed, Feb 06, 2002 at 05:31:23PM +0100, Christian Hammers wrote:
On Wed, Feb 06, 2002 at 05:26:27PM +0100, Ralf Dreibrodt wrote:
just run apache chrooted and you don't have problems like this.
Doesn't work well if you have multiple virtual
Hi,
Ramon Acedo wrote:
I'd like to have a map like this:
ftp1.mydomain.net --- 192.168.1.10
ftp2.mydomain.net --- 192.168.1.50
www1.mydomain.net --- 192.168.1.12
www2.mydomain.net --- 192.168.1.33
that's hard, tricky and not always possible.
most protocols (e.g. ftp, telnet, http
Hi,
brendan hack wrote:
I received an error saying 'test_database' not found.
of course you should change $db to your db-name.
I then
removed all access privileges from the anonymous user to the test
database and received the following:
FAILED: USE test
REASON: Access denied for user:
Hi,
Dmitry N. Hramtsov wrote:
Any comments or counsel?
Maybe debian developers should make a quick and dirty fix for this,
because (as I can understand) php developers already know about this
hole and do still nothing.
just run apache chrooted and you don't have problems like this.
Hi,
David N Moore wrote:
i'm a new poster here, but one thing that strikes me is that the
source to passwd should be hanging around somewhere. It wouldn't be
incredibly difficult to make a custom version which does not ask for
the original password, right? Then you could set it to be the
hi,
anyone to offer any
explanation will be showered with greatness!
here is an example:
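#include <stdio.h>
#include <string.h>

void example()
{
    char a[10];
    char b[10];
    strcpy(a, "123456789");
    printf("a: %s\n", a);
    /* writes past the end of b[10]; this is the behaviour the poster asks about */
    b[20]='X';
    b[21]='Y';
    b[22]='Z';
    printf("a: %s\n", a);
    return;
}
int main()
{
    example();
    return 0;
}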
Hi,
Kevin van Haaren wrote:
if I:
ssh in as a user account
su root
have a look at this:
ralf@debian:~$ su
Password:
debian:/home/ralf# set | grep LOGNAME
LOGNAME=ralf
debian:/home/ralf# exit
ralf@debian:~$ su -
Password:
debian:~# set | grep LOGNAME
LOGNAME=root
su != su -
what about
Hi,
Dietmar Braun wrote:
Ok, I admit that this isn't practicable (I shouldn't write mails when I am
VERY angry...),
but the point is:
from USA and Germany, we normally get also mails we want and we need.
From Korea/China and other spammers heaven, we get nothing but spam -
not we, you!
Sorry but could someone please summarize what the Hacked too? thread is
about?
someone used a script, which should detect rootkits and it said it found
one, although there is probably none. it seems just to check whether a
certain port is open.
just ignore the thread ;)
bye
Ralf
Hi,
There is a tool set, including a Linux kernel patch: UserIPacct
(http://ramses.smeyers.be/homepage/useripacct/). But I do not know how
stable it is. Besides, the last patch is for 2.4.6 and I need a more
up-to-date 2.4 kernel.
yeah, that looks nice, but who'd run a 2.4.6 these
Hi,
Gary MacDougall wrote:
Actually your point of view basically states that its ok for anyone to
trespass.
no, i just said, that laws can't help against unknown people.
until now nobody broke in my house, and i think because of two facts:
- i always keep my doors and windows closed (when
Hi,
Gary MacDougall wrote:
Hmmm... Mom has a good point.
I think the bottom line is that we'll never have 100% security until
there are laws that protect the break-ins and hacking that occurs.
Still laws... not crappy little wrist slapping type laws.
laws can't do anything against
Hi,
I noticed that xdm behaves differently if I enter a non-existing username
or if I enter a wrong password. In the last case, there is a short pause.
Knowing that it is possible to find valid usernames. I do not think that
this pause is a good idea. Correct me if I'm wrong.
i think the
Hi,
J. Paul Bruns-Bielkowicz wrote:
Commenting out things in /etc/services doesn't
disable anything.
It seems to. The above ports were closed just by commenting them out of
/etc/services and then rebooting.
well, there are daemons which don't know on which port they should run.
they
Hi,
Trouble is, the IP addresses that access squid don't have host
names (ie. they don't exist) and they keep changing. Is there any way
to block access to this and is there a good FAQ, etc.
there is a good FAQ at /usr/doc/squid/FAQ.html (belongs to web/squid).
But you should not block these
Hi,
Mathias Gygax wrote:
On Fre, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote:
Root is God. Anything you do on the system is potentially visible to
root.
this is, with the right patches applied, not true.
well, i thought this is the definition of root.
What's about
Hi,
Mathias Gygax wrote:
i wanted to post something about lids, but then i thought, it doesn't
make sense in this case.
i think it does make sense.
as far as i have read the problem is, that the (wo)man, who has a
root-account is able to read mails.
what is the advantage of installing
Hi,
Mathias Gygax wrote:
On Fre, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
No, you can't. No matter how you cut it, root can install a new
kernel, sans LIDS and write to his/her home dir.
how? replace /boot? this is DENY in my setup. access lilo.conf or lilo
binary?