On 5/27/05, Alexei Chetroi <[EMAIL PROTECTED]> wrote:
> On Thu, May 26, 2005 at 09:01:37PM -0400, Selva Nair wrote:
> > Date: Thu, 26 May 2005 21:01:37 -0400
> > From: Selva Nair <[EMAIL PROTECTED]>
> > Subject: Re: root compromise on debian woody

snip

> > I built a new kernel from 2.4.30 sources and the exploit no longer works.
> > Hope this one is safer.
>
> Which kernel did you use before on woody? Was it a vanilla kernel from
> kernel.org or a Debian one? Which version? IIRC 2.4.18 is supported by the
> security team for woody, so if the exploit works for Debian's 2.4.18
> kernel it is bad.

I was running debian 2.4.18-k7. Now I notice that there is another kernel image
available for k7 -- kernel-image-2.4.18-1.k7. Just installed that one and the
exploit doesn't work on it. So was I running an unsafe kernel?

apt-show-versions shows:

  kernel-image-2.4.18-k7/stable uptodate 2.4.18-5
  kernel-image-2.4.18-1-k7/stable uptodate 2.4.18-13.1

The timestamp on vmlinuz-2.4.18-k7 is Apr 14 2002 (pretty old) while the
2.4.18-1-k7 is Apr 14 2004. Why is this 2.4.18-k7 kernel so old and buggy and
still stated to be uptodate?

btw strace on the "bad guy" binary shows it is repeatedly calling brk with an
ever increasing offset and repeated SIGSEGVs until it succeeds to execve /bin/sh
as root. Possibly the brk system call integer overflow exploit that was fixed 2
years ago?!

Selva
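The strace pattern Selva describes (growing brk() requests, SIGSEGVs in between, then a root shell) is the kind of thing worth flagging automatically when triaging a suspicious binary. Below is an added example, not part of the original thread, that parses a constructed strace excerpt and applies that heuristic; the sample lines and thresholds are assumptions, not output from the real binary.

```python
import re

# Constructed strace excerpt (not the real binary's trace) mimicking the symptom
# from the mail: brk() asked for ever larger addresses, faults between calls,
# then an execve of /bin/sh.
SAMPLE_TRACE = """\
brk(0)                                  = 0x8049000
brk(0x80c9000)                          = 0x80c9000
--- SIGSEGV (Segmentation fault) ---
brk(0x8149000)                          = 0x8149000
--- SIGSEGV (Segmentation fault) ---
brk(0x81c9000)                          = 0x81c9000
setuid(0)                               = 0
execve("/bin/sh", ["/bin/sh"], [/* 20 vars */]) = 0
"""

BRK_RE = re.compile(r'^brk\((0x[0-9a-fA-F]+|0)\)')
SIG_RE = re.compile(r'^--- SIG(\w+)')
EXECVE_RE = re.compile(r'^execve\("([^"]+)"')


def summarize_trace(text):
    """Count brk() calls, signals and execve targets in an strace log."""
    brk_args, signals, execs = [], [], []
    for line in text.splitlines():
        m = BRK_RE.match(line)
        if m:
            brk_args.append(int(m.group(1), 16))  # int() accepts the 0x prefix
            continue
        m = SIG_RE.match(line)
        if m:
            signals.append(m.group(1))
            continue
        m = EXECVE_RE.match(line)
        if m:
            execs.append(m.group(1))
    # monotonic: every brk request asked for a higher address than the previous one
    monotonic = all(b > a for a, b in zip(brk_args, brk_args[1:]))
    return {"brk_calls": len(brk_args), "brk_monotonic": monotonic,
            "segv_count": signals.count("SEGV"), "execs": execs}


def looks_like_brk_probe(summary, min_brk=3, min_segv=1):
    """Heuristic: several growing brk() calls, faults in between, then a shell."""
    spawned_shell = any(p.endswith("/sh") for p in summary["execs"])
    return (summary["brk_calls"] >= min_brk and summary["brk_monotonic"]
            and summary["segv_count"] >= min_segv and spawned_shell)
```

Run it over a real `strace -f -o trace.txt ./binary` log (with the binary confined) to get the same summary; a benign program that simply grows its heap will not trip the SIGSEGV-plus-shell condition.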