Re: check this.

2003-12-02 Thread Matt Zimmerman
On Mon, Dec 01, 2003 at 05:10:10PM +0200, Vyacheslav Mukha wrote:

> This exploit work on my Debian woody 3.r1 and get root .
> May be  that script is instrument .

Congratulations on not subscribing to debian-security-announce.

-- 
 - mdz



Re: check this.

2003-12-01 Thread Peter Palfrader
On Mon, 01 Dec 2003, Rafa Forcada wrote:

> On Mon, 01-12-2003 at 16:42, Peter Palfrader wrote:
> > On Mon, 01 Dec 2003, Vyacheslav Mukha wrote:
> > 
> > > This exploit work on my Debian woody 3.r1 and get root .
> > > May be  that script is instrument .
> > 
> > Which kernel do you have installed?
> 
> It worked on my debian woody 3.r1 too.
> 
> [EMAIL PROTECTED]:~/temp$ uname -r
> 2.4.20
> [EMAIL PROTECTED]:~/temp$ ./kptrace
> sh-2.05a# whoami
> root

You are running a kernel that has known security issues.  You should
install a kernel that has fixed those problems.

Please see the following URL for this (I think) specific problem:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127

Debian woody has fixed kernels which fixed this privilege escalation:
kernel-image-2.4.18-1-.  apt-cache search kernel-image should
give you a list of available kernel images (note that the -1 after 18 is
important).

"2.4.20" suggests you built your own kernel however.  Upgrading to
2.4.23 could be a good idea.

HTH
Peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/




Re: check this.

2003-12-01 Thread Jean Christophe ANDRÉ
On Monday 01 December 2003 at 17:18 (+0100), Rafa Forcada wrote:
> > > This exploit work on my Debian woody 3.r1 and get root .
> > > May be  that script is instrument .

I think not: the security team is well aware of this old ptrace bug.

> It worked on my debian woody 3.r1 too.
> [EMAIL PROTECTED]:~/temp$ uname -r
> 2.4.20

There isn't any 2.4.20 kernel in Woody as far as I know...!?!

> [EMAIL PROTECTED]:~/temp$ ./kptrace
> sh-2.05a# whoami

This bug has been circumvented in the 2.4.18-1 kernel images:

  kernel-image-2.4.18-1-i386 (2.4.18-9) stable-security; urgency=high
    * Rebuilt against kernel-source 2.4.18-10.
      . Fixed ptrace/proc bug in fs/proc/base.c (CAN-2003-0501).

(from /usr/share/doc/kernel-image-2.4.18-1-586tsc/changelog.gz)

Regards,
-- 
J.C. "プログフ" ANDRÉ <[EMAIL PROTECTED]> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
⎧ Personal note: please avoid sending me PowerPoint or Word files;         ⎫
⎩ see http://www.fsf.org/philosophy/no-word-attachments.fr.html            ⎭



Re: check this.

2003-12-01 Thread Peter Palfrader
On Mon, 01 Dec 2003, Vyacheslav Mukha wrote:

> >Which kernel do you have installed?
> >
> >uname -r

> uname -r
> 2.4.18-bf2.4

You are running a kernel that has known security issues.  You should
install a kernel that has fixed those problems.

Please see the following URL for this (I think) specific problem:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127

Debian woody has fixed kernels which fixed this privilege escalation:
kernel-image-2.4.18-1-.  apt-cache search kernel-image should
give you a list of available kernel images (note that the -1 after 18 is
important).  Install the one that suits your system.

Peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/




RE: check this.

2003-12-01 Thread Brooks R. Robinson
It kind of works.

This is a 3.0r2 machine...
[EMAIL PROTECTED]:~$ uname -r
2.4.21
[EMAIL PROTECTED]:~$ make kptrace
cc kptrace.c   -o kptrace
[EMAIL PROTECTED]:~$ ./kptrace
[-] Unable to attach: Operation not permitted
Killed
[EMAIL PROTECTED]:~$



This is a fairly recent testing/unstable machine
debdesk:~/rootkit$ uname -r
2.4.18
debdesk:~/rootkit$ make kptrace
cc kptrace.c   -o kptrace
debdesk:~/rootkit$ ./kptrace
[+] Attached to 23033
[+] Signal caught
[+] Shellcode placed at 0x4001144d
[+] Now wait for suid shell...
sh-2.05b# whoami
root
sh-2.05b#

| -Original Message-
| From: Vyacheslav Mukha [mailto:[EMAIL PROTECTED]
| Sent: Monday, December 01, 2003 9:10 AM
| To: debian-project@lists.debian.org
| Subject: check this.
| 
| 
| This exploit work on my Debian woody 3.r1 and get root .
| May be  that script is instrument .
| 
| Thanks,
| 
| -- 
| ADIC Ukraine
| Slawa Mukha
| Software tester
| phone: 380.044.568.50.89
| email: [EMAIL PROTECTED]
| 
| 
| 



Re: check this.

2003-12-01 Thread Rafa Forcada
On Mon, 01-12-2003 at 16:42, Peter Palfrader wrote:
> On Mon, 01 Dec 2003, Vyacheslav Mukha wrote:
> 
> > This exploit work on my Debian woody 3.r1 and get root .
> > May be  that script is instrument .
> 
> Which kernel do you have installed?
> 
> uname -r
> 
> Peter
> -- 
>  PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
>     messages preferred.    | : :' :      The  universal
>                            | `. `'      Operating System
>  http://www.palfrader.org/ |   `-    http://www.debian.org/


It worked on my debian woody 3.r1 too.

[EMAIL PROTECTED]:~/temp$ uname -r
2.4.20
[EMAIL PROTECTED]:~/temp$ ./kptrace
sh-2.05a# whoami
root

-- 
              __
   _ __ __ _ / _| __ _
  | '__/ _` | |_ / _` |
  | | | (_| |  _| (_| |
  |_|  \__,_|_|  \__,_|

  Rafa Forcada Martínez
mailto:[EMAIL PROTECTED]

   JOvenes INformáticos




Re: check this.

2003-12-01 Thread Peter Palfrader
On Mon, 01 Dec 2003, Vyacheslav Mukha wrote:

> This exploit work on my Debian woody 3.r1 and get root .
> May be  that script is instrument .

Which kernel do you have installed?

uname -r

Peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/

