On Mon, Apr 02, 2001 at 11:03:14AM -0400, Viraj Alankar wrote:
> On Sat, 31 Mar 2001, Tim Yardley wrote:
>
> > As always, there are always ways to improve things.  This version of the
> > exploit posted here previously overwrites the dl _start routine and doesn't
> > modify eip.  This will help on stack non-exec systems and doesn't require
> > you to calculate the bss offset.  I didn't test it, but this should still
> > work on a stackguard compiled program as well.
>
> This works on my RH 6.2 w/ 2.2.16-3. I see that Redhat released a 2.2.17
> RPM on 2/8/2001 with 'ptrace' as one of the keywords. Does anyone know if
> this RPM addresses the problem?

    No!  Although there is a file called linux-2.2.19-ptrace.patch in
kernel-2.2.17-14.src.rpm, the kernel from (at least)
kernel-2.2.17-14.i686.rpm IS vulnerable (tested using the improved exploit).
Maybe recompilation from the .src.rpm is worth trying, but I compiled
2.2.19 instead.  I submitted this to bugzilla several minutes ago; I wonder
what will happen...
--
                                                JK
