Bug#544756: [Secure-testing-team] Bug#544756: linux-image-2.6.26-2-686: Kernel still vulnerable by dsa-1862

2009-09-03 Thread Micah Anderson
* Christoph Siess c...@geekhost.info [2009-09-02 14:57-0400]:
 Package: linux-image-2.6.26-2-686
 Version: 2.6.26-17lenny2
 Severity: critical
 Tags: security
 Justification: root security hole
 
 
 Hi,
 
 according to http://www.debian.org/security/2009/dsa-1862 this version of the
 2.6.26-2 kernel should not be vulnerable to CVE-2009-2692.
 Unfortunately I'm still able to break my system:
 c...@server:~$ gcc exploit.c -o exploit
 c...@server:~$ ./exploit
 sh-3.2# id
 uid=0(root) gid=0(root) groups=115(wheel),1000(chs)
 
 I got the exploit from http://www.risesecurity.org/exploits/linux-sendpage.c
 
 Correct me if I got something wrong, but according to my understanding this
 shouldn't be possible with version 2.6.26-17lenny2.


I'm afraid this doesn't work on any of the systems I am running
2.6.26-17lenny2 on:

mi...@tern:~$ wget http://www.risesecurity.org/exploits/linux-sendpage.c
Saving to: `linux-sendpage.c'
100%[]
2009-09-03 19:01:43 (24.2 KB/s) - `linux-sendpage.c' saved [9380/9380]
mi...@tern:~$ gcc linux-sendpage.c -o exploit
mi...@tern:~$ ./exploit 
sh-3.2$ id
uid=1001(micah) gid=1007(micah)
groups=4(adm),20(dialout),33(www-data),100(users),1007(micah)

micah





Bug#544756: linux-image-2.6.26-2-686: Kernel still vulnerable by dsa-1862

2009-09-02 Thread Christoph Siess
Package: linux-image-2.6.26-2-686
Version: 2.6.26-17lenny2
Severity: critical
Tags: security
Justification: root security hole


Hi,

according to http://www.debian.org/security/2009/dsa-1862 this version of the
2.6.26-2 kernel should not be vulnerable to CVE-2009-2692.
Unfortunately I'm still able to break my system:
c...@server:~$ gcc exploit.c -o exploit
c...@server:~$ ./exploit
sh-3.2# id
uid=0(root) gid=0(root) groups=115(wheel),1000(chs)

I got the exploit from http://www.risesecurity.org/exploits/linux-sendpage.c

Correct me if I got something wrong, but according to my understanding this
shouldn't be possible with version 2.6.26-17lenny2.


regards,
Christoph Siess
-- Package-specific info:
** Version:
Linux version 2.6.26-2-686 (Debian 2.6.26-17lenny1) (da...@debian.org) (gcc 
version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Sun Jul 26 
21:25:33 UTC 2009

** Command line:
auto BOOT_IMAGE=Standardkernel ro root=902

** Tainted: G D (128)

** Kernel log:
[4.392639] raid1: raid set md1 active with 2 out of 2 mirrors
[4.440919] md: bindsdb1
[4.441162] md: bindsda1
[4.453869] raid1: raid set md0 active with 2 out of 2 mirrors
[4.569076] device-mapper: uevent: version 1.0.3
[4.569839] device-mapper: ioctl: 4.13.0-ioctl (2007-10-18) initialised: 
dm-de...@redhat.com
[4.710503] kjournald starting.  Commit interval 5 seconds
[4.710570] EXT3-fs: mounted filesystem with ordered data mode.
[6.096023] udevd version 125 started
[6.723961] Linux agpgart interface v0.103
[6.732652] agpgart: Detected AGP bridge 0
[6.736548] agpgart: AGP aperture is 128M @ 0xe800
[6.930466] input: Power Button (FF) as /class/input/input1
[6.956346] ACPI: Power Button (FF) [PWRF]
[6.956458] input: Power Button (CM) as /class/input/input2
[6.990298] ACPI: Power Button (CM) [PWRB]
[7.195482] pci_hotplug: PCI Hot Plug PCI Core version: 0.5
[7.201614] shpchp: Standard Hot Plug PCI Controller Driver version: 0.4
[7.802580] input: PC Speaker as /class/input/input3
[7.808578] Error: Driver 'pcspkr' is already registered, aborting...
[7.980620] parport_pc 00:0b: reported by Plug and Play ACPI
[7.980731] parport0: PC-style at 0x378, irq 7 [PCSPP]
[8.537383] Adding 4200888k swap on /dev/md0.  Priority:-1 extents:1 
across:4200888k
[8.572363] EXT3 FS on md2, internal journal
[9.341152] loop: module loaded
[9.434061] md: md5 stopped.
[9.434236] md: md4 stopped.
[   10.157164] kjournald starting.  Commit interval 5 seconds
[   10.166578] EXT3 FS on md1, internal journal
[   10.166578] EXT3-fs: mounted filesystem with ordered data mode.
[   10.189392] kjournald starting.  Commit interval 5 seconds
[   10.246160] EXT3 FS on dm-0, internal journal
[   10.246160] EXT3-fs: mounted filesystem with ordered data mode.
[   10.296703] kjournald starting.  Commit interval 5 seconds
[   10.300344] EXT3 FS on dm-1, internal journal
[   10.300441] EXT3-fs: mounted filesystem with ordered data mode.
[   11.960656] NET: Registered protocol family 10
[   11.961204] lo: Disabled Privacy Extensions
[   12.062284] r8169: eth1: link up
[   12.514199] r8169: eth0: link up
[   13.526856] RPC: Registered udp transport module.
[   13.526927] RPC: Registered tcp transport module.
[   13.682438] Installing knfsd (copyright (C) 1996 o...@monad.swb.de).
[   14.918450] OCFS2 Node Manager 1.5.0
[   14.925701] OCFS2 DLM 1.5.0
[   14.925701] ocfs2: Registered cluster interface o2cb
[   14.941711] OCFS2 DLMFS 1.5.0
[   14.942425] OCFS2 User DLM kernel interface loaded
[   22.808015] eth1: no IPv6 routers present
[   23.460010] eth0: no IPv6 routers present
[   28.964019] IPVS: Registered protocols (TCP, UDP, AH, ESP)
[   28.964019] IPVS: Connection hash table configured (size=4096, 
memory=32Kbytes)
[   28.964019] IPVS: ipvs loaded.
[   29.016651] IPVS: [wrr] scheduler registered.
[   30.018284] Loading iSCSI transport class v2.0-869.
[   30.086996] iscsi: registered transport (tcp)
[   30.392917] iscsi: registered transport (iser)
[   34.715139] warning: `ntpd' uses 32-bit capabilities (legacy support in use)
[   45.746869] ip_tables: (C) 2000-2006 Netfilter Core Team
[  352.366693] Bluetooth: Core ver 2.11
[  352.369727] NET: Registered protocol family 31
[  352.369789] Bluetooth: HCI device and connection manager initialized
[  352.369849] Bluetooth: HCI socket layer initialized
[  352.400930] Bluetooth: L2CAP ver 2.9
[  352.400992] Bluetooth: L2CAP socket layer initialized
[  377.416156] general protection fault:  [#1] SMP 
[  377.416298] Modules linked in: l2cap bluetooth xt_multiport iptable_filter 
ip_tables x_tables ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr 
iscsi_tcp libiscsi scsi_transport_iscsi ip_vs_wrr ip_vs ocfs2_dlmfs 
ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs nfsd 
auth_rpcgss exportfs nfs lockd nfs_acl sunrpc ipv6 loop parport_pc parport 
pcspkr snd_pcm snd_timer snd soundcore 

Bug#544756: linux-image-2.6.26-2-686: Kernel still vulnerable by dsa-1862

2009-09-02 Thread Florian Weimer
* Christoph Siess:

 Correct me if I got something wrong, but according to my
 understanding this shouldn't be possible with version
 2.6.26-17lenny2.

Correct.

 Linux version 2.6.26-2-686 (Debian 2.6.26-17lenny1) (da...@debian.org) (gcc 
 version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Sun Jul 26 
 21:25:33 UTC 2009

But it seems you are running 2.6.26-17lenny1.  Have you rebooted the
machine after applying the security update?



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
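Florian's diagnosis rests on one detail: the kernel log banner says "(Debian 2.6.26-17lenny1)" while the installed package is 2.6.26-17lenny2, so the patched kernel was on disk but the old one was still running. Note that `uname -r` alone cannot tell these apart, because both package revisions ship the same ABI name 2.6.26-2-686; the Debian package revision only shows up in the full banner in /proc/version. The following POSIX shell script is an added example (not code from the bug thread or from Debian) that extracts that revision from the banner and compares it with the installed package version, flagging a host that still needs a reboot. The sample banner is constructed from the one quoted in the report; the `dpkg-query` invocation in the comment is how you would feed it live data on a Debian host.

```shell
#!/bin/sh
# Added example, not part of the bug thread: detect "security update
# installed but old kernel still running" by comparing the Debian package
# revision embedded in the running kernel's banner with the installed
# linux-image package version.

# running_debian_version BANNER
# Prints the package revision from a /proc/version line such as
#   Linux version 2.6.26-2-686 (Debian 2.6.26-17lenny1) (...) #1 SMP ...
# The pattern is anchored to the start of the line so the second
# "(Debian ...)" tag, which belongs to the gcc version, is not picked up.
running_debian_version() {
    printf '%s\n' "$1" | sed -n 's/^Linux version [^ ]* (Debian \([^)]*\)).*/\1/p'
}

# kernel_update_state BANNER INSTALLED_VERSION
# Prints one of: ok | reboot-needed | unknown
kernel_update_state() {
    running=$(running_debian_version "$1")
    if [ -z "$running" ]; then
        echo unknown            # banner not in the Debian format we expect
    elif [ "$running" = "$2" ]; then
        echo ok                 # the installed kernel is the one running
    else
        echo reboot-needed      # newer package on disk, older kernel in memory
    fi
}

# Constructed sample input: the banner quoted in the bug report (maintainer
# address kept as it appears in the archive) and the package version the
# reporter had installed.
SAMPLE_BANNER='Linux version 2.6.26-2-686 (Debian 2.6.26-17lenny1) (da...@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Sun Jul 26 21:25:33 UTC 2009'
SAMPLE_INSTALLED='2.6.26-17lenny2'

# Live usage on a Debian host (assumes /proc/version and dpkg-query exist):
#   kernel_update_state "$(cat /proc/version)" \
#       "$(dpkg-query -W -f='${Version}' "linux-image-$(uname -r)")"
printf 'running: %s\ninstalled: %s\nstate: %s\n' \
    "$(running_debian_version "$SAMPLE_BANNER")" \
    "$SAMPLE_INSTALLED" \
    "$(kernel_update_state "$SAMPLE_BANNER" "$SAMPLE_INSTALLED")"
```

On the reporter's machine this prints `state: reboot-needed`, which is exactly the condition the thread ends on: the update was applied, but without re-running lilo and rebooting, the vulnerable 17lenny1 kernel kept running. The same check, run from a configuration-management or monitoring job after every kernel upload, turns that silent gap into an alert.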



Bug#544756: linux-image-2.6.26-2-686: Kernel still vulnerable by dsa-1862

2009-09-02 Thread Christoph Siess
On Wed, Sep 02, 2009 at 07:00:49PM +, Florian Weimer wrote:
 * Christoph Siess:
 
 
  Linux version 2.6.26-2-686 (Debian 2.6.26-17lenny1) (da...@debian.org) (gcc 
  version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Sun Jul 26 
  21:25:33 UTC 2009
 
 But it seems you are running 2.6.26-17lenny1.  Have you rebooted the
 machine after applying the security update?

I'm very sorry - I forgot to run lilo :(.
Sorry for the noise...






Bug#544756: linux-image-2.6.26-2-686: Kernel still vulnerable by dsa-1862

2009-09-02 Thread Moritz Muehlenhoff
On Wed, Sep 02, 2009 at 08:45:20PM +0200, Christoph Siess wrote:
 Package: linux-image-2.6.26-2-686
 Version: 2.6.26-17lenny2
 Severity: critical
 Tags: security
 Justification: root security hole
 
 
 Hi,
 
 according to http://www.debian.org/security/2009/dsa-1862 this version of the
 2.6.26-2 kernel should not be vulnerable to CVE-2009-2692.
 Unfortunately I'm still able to break my system:
 c...@server:~$ gcc exploit.c -o exploit
 c...@server:~$ ./exploit
 sh-3.2# id
 uid=0(root) gid=0(root) groups=115(wheel),1000(chs)
 
 I got the exploit from http://www.risesecurity.org/exploits/linux-sendpage.c
 
 Correct me if I got something wrong, but according to my understanding this
 shouldn't be possible with version 2.6.26-17lenny2.

Not reproducible, neither with the Rise Security exploit, nor with Brad's
exploit. Please send the output of uname -a before running the exploit.
This sounds as if you didn't reboot.

Cheers,
Moritz



