Re: Patch for ptrace is good but ....

2003-03-22 Thread Guille -bisho-
>So no problem, the patch works ,-)
>
>But now I launch the same exploit, compiled and used before the kernel
>upgrade:
>
>[EMAIL PROTECTED]:~/ptrace$ ./ptrace-before-compiling 
>[EMAIL PROTECTED]:~/ptrace# id
>uid=0(root) gid=0(root) groupes=0(root)
>[EMAIL PROTECTED]:~/ptrace# 
>
>Would anyone have an idea why?

The exploit makes the binary setuid...

-- 
bisho!  _-=] 23/03/2003 [=-
_ ^(   )   _
   (  (   )  ) \ \___,,,
  ()/ _ >-
( :: )   >==-
  '. |::| ,  >==-
\\:://  [ PEACE YES, WAR NO ]



Re: ptrace

2003-03-22 Thread Phillip Hofmeister
On Sun, 23 Mar 2003 at 02:26:44AM +0100, LeVA wrote:
> Hello!
> 
> I have patched my kernel (2.4.20) with this patch: 
> http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt
> It compiles correctly.
> Now I have downloaded the km3.c and isec-ptrace-kmod-exploit.c
> The km3.c doesn't write the OK! stuff, and it could run forever starting 
> child processes...
> But the 'isec-ptrace-kmod-exploit.c' runs like this:
> $ ./isec-ptrace-kmod-exploit
> sh-2.05a#
> 

[EMAIL PROTECTED]:/home/misc$ gcc isec-ptrace-kmod-exploit.c
[EMAIL PROTECTED]:/home/misc$ ./a.out
[-] Unable to attach: Operation not permitted
Killed
[EMAIL PROTECTED]:/home/misc$

Patch worked for me.  gdb still works so the patch didn't disable ptrace
either. *shrugs* ... are you sure you loaded the new kernel and ran
lilo?



-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #146: Multicasts on broken packets 



Re: [despammed] ptrace

2003-03-22 Thread Ed McMan
Saturday, March 22, 2003, 8:26:44 PM, debian-security@lists.debian.org 
(debian-security) wrote:

LeVA> So it droped me a root shell. Well it is not good I think, after the 
LeVA> patch...

People have been saying that one of the exploits gives itself suid
root after working successfully, so try deleting the executable and
recompiling.

---
| Eddie J Schwartz <[EMAIL PROTECTED]> http://www.m00.net |
| AIM: The Cypher ICQ: 35576339 YHOO: edmcman2 MSN:[EMAIL PROTECTED]  |
| SMS: [EMAIL PROTECTED] "We Trills have an expression--   |
|  at forty, you think you know everything. At four hundred   |
|  hundred, you realize you know nothing." - Dax, ST-DS9  |
---




Re: Is this an obsolete tiger file?

2003-03-22 Thread Luis Gomez

On Friday, 21 March 2003 03:41, Dale Amon wrote:
> chkrootkit finds this file:
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/tiger/bin/.bintype
>
> which appears to be quite old. Is this just a leftover
> from a long ago tiger? It only contains "Linux 2.2.17 2001"
> and appears on several systems looking the same. It isn't
> in the tiger.list file.

May I suggest that you get in touch with the Tiger Debian package maintainer, 
JFS ( [EMAIL PROTECTED] )

Regards

Pope

-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc



Patch for ptrace is good but ....

2003-03-22 Thread Couraud Régis
Hello, my kernel has compiled, no error ,-)

I compiled the exploit isec-ptrace-kmod-exploit.c

I launch it:

[EMAIL PROTECTED]:~/ptrace$ ./ptrace-after-compiling 
[-] Unable to attach: Operation not permitted
Processus arrêté

So no problem, the patch works ,-)

But now I launch the same exploit, compiled and used before the kernel
upgrade:

[EMAIL PROTECTED]:~/ptrace$ ./ptrace-before-compiling 
[EMAIL PROTECTED]:~/ptrace# id
uid=0(root) gid=0(root) groupes=0(root)
[EMAIL PROTECTED]:~/ptrace# 

Would anyone have an idea why?



ptrace

2003-03-22 Thread LeVA

Hello!

I have patched my kernel (2.4.20) with this patch: 
http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt
It compiles correctly.
Now I have downloaded the km3.c and isec-ptrace-kmod-exploit.c
The km3.c doesn't write the OK! stuff, and it could run forever starting 
child processes...
But the 'isec-ptrace-kmod-exploit.c' runs like this:
$ ./isec-ptrace-kmod-exploit
sh-2.05a#

So it dropped me a root shell. Well, that is not good I think, after the 
patch...

I heard another way to stop this exploit:

The /proc/sys/kernel/modprobe contains a path for the modprobe 
executable. If I change it to /var/tmp for example, the exploit won't work.

Now this is true on most of my boxes. I didn't need to patch my kernels, 
because this workaround helped me.
But on one box, this doesn't work either.
So, to be clear: I have a box with a 2.4.20 (patched) kernel, and the 
exploit works fine.
What should I do?

Sorry for my terrible English, I hope you understand the gist of the 
message.

Daniel
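
An added example, not code from any message in this thread: a POSIX shell checklist for the defender's side of what the thread discusses, namely the /proc/sys/kernel/modprobe workaround above and the point made in the "Patch for ptrace" reply that the exploit binary leaves itself setuid, which is why an old binary still drops a root shell on a patched kernel. The default search directories and the classification words are my own assumptions.

```sh
#!/bin/sh
# Added example, not from any message in this thread. Defender-side checks
# for the 2003 ptrace/kmod issue after the kernel fix has been applied:
#   1. classify_modprobe_path - the kmod path executes whatever
#      /proc/sys/kernel/modprobe names; the workaround from the thread
#      points it at a non-executable such as /var/tmp.
#   2. is_setuid / list_setuid_files - a binary run before the kernel
#      upgrade may have been left setuid root, so the old binary still
#      hands out a root shell on a patched kernel.
# The default search directories are an assumption, not from the thread.

# Classify the path the kernel would run as its module loader.
# Without an argument the live value from /proc/sys/kernel/modprobe is used.
#   executable -> a regular, executable file (stock setting, e.g. /sbin/modprobe)
#   diverted   -> points at something that cannot be executed (the workaround)
#   unset      -> empty or unreadable
classify_modprobe_path() {
    p=${1:-$(cat /proc/sys/kernel/modprobe 2>/dev/null)}
    if [ -z "$p" ]; then
        echo unset
    elif [ -f "$p" ] && [ -x "$p" ]; then
        echo executable
    else
        echo diverted
    fi
}

# Exit 0 when the file exists and carries the set-user-ID bit.
# POSIX test(1) has -u for exactly this check.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# List setuid files owned by $1 under the remaining directory arguments
# (default: home and temp directories, where a user-compiled binary usually
# lives). -xdev keeps find on one filesystem so it is cheap enough for cron.
list_setuid_files() {
    owner=$1
    shift
    [ $# -gt 0 ] || set -- /home /tmp /var/tmp
    find "$@" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null
}

# Number of such files, for a quick pass/fail.
count_setuid_files() {
    list_setuid_files "$@" | wc -l | tr -d ' '
}

# Human-readable summary of both checks on the live system.
report() {
    echo "kernel.modprobe: $(cat /proc/sys/kernel/modprobe 2>/dev/null) [$(classify_modprobe_path)]"
    n=$(count_setuid_files root)
    echo "setuid-root files in home/temp directories: $n"
    [ "$n" -eq 0 ] || list_setuid_files root
}

# Run the report only when asked, so the file can also be sourced.
if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run the script with `--report` to print both checks; sourcing it instead makes the functions available to a cron job.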




Re: [despammed] Re: PTRACE Fixed?

2003-03-22 Thread Ed McMan
Saturday, March 22, 2003, 7:04:19 PM, Siegbert Baude (Siegbert) wrote:

>> Here you'll find a kernel source tree patched against the PTrace bug:
>> ftp://ftp.debian.org/debian/pool/main/k/kernel-source-2.4.20/kernel-source-2.4.20_2.4.20-3woody.3_all.deb

Siegbert> I always install my kernel-sources by hand, but out of curiosity, could I 
Siegbert> get this by means of apt?

Those are not fixed, I believe.  The fixed kernels are in the proposed
updates for stable.

---
| Eddie J Schwartz <[EMAIL PROTECTED]> http://www.m00.net |
| AIM: The Cypher ICQ: 35576339 YHOO: edmcman2 MSN:[EMAIL PROTECTED]  |
| SMS: [EMAIL PROTECTED] "We Trills have an expression--   |
|  at forty, you think you know everything. At four hundred   |
|  hundred, you realize you know nothing." - Dax, ST-DS9  |
---




Re: PTRACE Fixed?

2003-03-22 Thread Siegbert Baude

Hi,


Here you'll find a kernel source tree patched against the PTrace bug:
ftp://ftp.debian.org/debian/pool/main/k/kernel-source-2.4.20/kernel-source-2.4.20_2.4.20-3woody.3_all.deb


I always install my kernel-sources by hand, but out of curiosity, could I 
get this by means of apt?


# apt-cache search kernel-source
kernel-source-2.2.22 - Linux kernel source for version 2.2.22
kernel-source-2.4.10 - Linux kernel source for version 2.4.10
kernel-source-2.4.14 - Linux kernel source for version 2.4.14
kernel-source-2.4.16 - Linux kernel source for version 2.4.16
kernel-source-2.4.17 - Linux kernel source for version 2.4.17
kernel-source-2.4.17-hppa - Linux kernel source for version 2.4.17 on HPPA
kernel-source-2.4.17-ia64 - Linux kernel source for version 2.4.17 on IA-64
kernel-source-2.4.18 - Linux kernel source for version 2.4.18
kernel-source-2.4.18-hppa - Linux kernel source for version 2.4.18 on HPPA
freeswan - IPSEC utilities for FreeSWan
#



Why is the above-mentioned package not listed in apt-cache?

If I apt-get install some available Debian kernel-source package, 
would this include any security patches or just the unpatched stock 
kernel sources? The output of apt-cache doesn't indicate this.



Ciao
Siegbert



Re: PTRACE Fixed?

2003-03-22 Thread Norbert Tretkowski
* Matteo Moro <[EMAIL PROTECTED]> wrote:
> "Laurent Tickle" <[EMAIL PROTECTED]> wrote:
> > [...] a patch that works on Kernel 2.2.X and 2.4.X ;)
>
> It's 2.4.20 only... :-P

That bug was the reason why 2.2.25 was released.



Re: PTRACE Fixed?

2003-03-22 Thread Laurent Tickle
Thanks, but I have updated my Kernel to 2.2.25 + patch and the bug doesn't
seem to work.

- Original Message -
From: "Matteo Moro" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, March 22, 2003 8:11 PM
Subject: Re: PTRACE Fixed?


> On Sat, 22 Mar 2003 17:49:55 +0100
> "Laurent Tickle" <[EMAIL PROTECTED]> wrote:
> >
> > [...] patch for the PTrace bug?
> >
> Here you'll find a kernel source tree patched against the PTrace bug:
> ftp://ftp.debian.org/debian/pool/main/k/kernel-source-2.4.20/kernel-source-2.4.20_2.4.20-3woody.3_all.deb
>
> >
> > [...] a patch that works on Kernel 2.2.X and 2.4.X ;)
> >
> It's 2.4.20 only... :-P
>
> ciao.
> TeO:-)
>
> --
> TeO:-) ... ICQ#91902715
> http://www.matteomoro.net/
> "90% of a PC's problems
> lie between the keyboard and the chair"
>
>



Re: iptables route

2003-03-22 Thread Eduardo Rocha Costa
---Haim Ashkenazi wrote:
> On Sat, 22 Mar 2003 06:24:02 -0300
> Eduardo Rocha Costa <[EMAIL PROTECTED]> wrote:
> 
> > Hi, first of all sorry for my poor English, I'll try my best.
> > 
> > I have the following scheme in my lab:
> > 
> > INTERNET --- firewall --- local network
> > 
> > I have real IPs for all computers in the lab, so I don't need NAT, 
> > but I don't know how to set this up and can't find any documentation
> > on how to build a firewall for that. So I made a local network 
> > with private IPs (10.0).
> > This was not a problem since we can do all things normally.
> > But now some problems are appearing: we built two web servers and one
> > file server. And now the main router of the university is routing the
> > real IP addresses of the web services through my firewall and I don't
> > know how to set these things up so the web server and the file server can
> > be seen on the INTERNET.
> > Can someone help? Or point to some good documentation?
> > By the way, we want the servers to have the real IPs and 
> > the others private IPs.
> > 
> > Thank you
> > 
> > 
> > -- 
> > Eduardo Rocha Costa
> > [EMAIL PROTECTED]
> Hi
> 
> iptables is not easy to understand. That's where some front-ends come to
> your aid. I suggest using shorewall (apt-get install shorewall). It's
> decently documented and comes with examples. You should divide your
> network into zones (internet, local, dmz, lab, etc...), set them in the
> "zones" file and create the policy and rules. Also masquerading and NAT
> are very easy to configure with shorewall.
> 
Thanks for the advice, shorewall is very good... only 4 hours and I made
the configuration!!

> 
> Bye
> -- 
> Haim
> 
> 

-- 
Eduardo Rocha Costa
[EMAIL PROTECTED]



Re: secure topologies - smtp/dns/whois/....

2003-03-22 Thread Alvin Oga

hi ya

gazillion different solutions for "secure topologies" that
depends on time,  and machines available, skillset and
what you're protecting against

c ya
alvin

-- you need backups ... :-)

-- disallow insecure services even behind the firewall
   ( telnet, ftp, pop3/imap, dhcp, wireless )
   use ssh, scp, pop3s/imaps, static ip, gw+fw instead

-- use different login for different services
   - email addy should NOT be your ssh login's
   - vpn login should be different ( you.vpn )
   - ppp login should be different ( you.ppp )
   - wireless login should be diff ( you.wireless )

-- use multiple firewalls 
   - use a secured/hardened/well designed "firewall"
   - harden all servers and services as if the firewall did NOT exist
   - one dmz ... www, mail, dns, ntp server, other external services
     ( probably natting fw )
   - 2nd dmz ... vpn, ssh login server ??
   - 3rd dmz ... wireless
   - 4th dmz ... local lan 
   - 4th dmz ... hr/payroll/acct payable/acct receivable
   - if you're using only one firewall ..
     - get a 386 PC and make a 2nd firewall
       for internal machines separated from outside www/dns/mail

-- too much firewall and gateway ??? donno ... 
   ( depends on the clients' paranoia level and what the consequences are
     WHEN a [cr/h]acker gets thru )


On Sat, 22 Mar 2003, Hanasaki JiJi wrote:

> Would you share your opinions on the following setup for daemons?
> 
> firewall runs
>   whois server - gwhois or jwhois?
> 
>   iptables - firewall
> 
>   forwards-to/NAT-from internal smtp server
>   
> 
>   NAT outgoing DNS for internal bind9 server
> 
>   bind9 - for external dns
>   
> 
>   NAT from internal SQUID server to internet
> 
>   ntp - time server for internal
>   
>   
> 
> host(s) inside the firewall
>   smtp server - exim4
>   dhcp3-server for internal
>   bind9 - for internal dns
>   squid - http proxy
>   webserver - apache for internal and external
>   domain.com
>   internal.domain.com
>   
> 
> 



PTRACE kernel-patch

2003-03-22 Thread mailist
Anyone experienced the same?
I got this :(


i386_ksyms.c:70: `kernel_thread' undeclared here (not in a function)
i386_ksyms.c:70: initializer element is not constant
i386_ksyms.c:70: (near initialization for `__ksymtab_kernel_thread.value')
make[2]: *** [i386_ksyms.o] Error 1
make[2]: Leaving directory `/usr/src/kernel-source-2.4.20/arch/i386/kernel'
make[1]: *** [_dir_arch/i386/kernel] Error 2
make[1]: Leaving directory `/usr/src/kernel-source-2.4.20'
make: *** [stamp-build] Error 2




Re: secure topologies - smtp/dns/whois/....

2003-03-22 Thread David B Harris
On Sat Mar 22, 12:01pm -0600, Hanasaki JiJi wrote:
> firewall runs
>   whois server - gwhois or jwhois?

No comment, I don't run any WHOIS servers.

>   iptables - firewall

iptables is fine, if you set it up properly.

>   bind9 - for external dns
>   

Also fine, if you set it up properly and keep an eye on bugtraq and
related for security issues.

>   NAT from internal SQUID server to internet

I shall assume this is firewalled.

>   ntp - time server for internal
>   

No comment, I do run a bunch of ntp servers, but they're all internal
and firewalled (so I haven't done any audits or anything).

> host(s) inside the firewall
>   smtp server - exim4

Fine, if you set it up properly and track security issues (has a decent
history).

>   dhcp3-server for internal

See above.

>   bind9 - for internal dns

See above.

>   squid - http proxy

See above.

>   webserver - apache for internal and external
>   domain.com
>   internal.domain.com
>   

Fine, if you set it up properly and track security issues.

For those daemons which aren't known to be riddled with holes and
issues, you'll only be okay if you set them up properly and monitor for
security issues - you can't ever get out of that.




Re: PTRACE Fixed?

2003-03-22 Thread Matteo Moro
On Sat, 22 Mar 2003 17:49:55 +0100
"Laurent Tickle" <[EMAIL PROTECTED]> wrote:
> 
> [...] patch for the PTrace bug ?
> 
Here you'll find a kernel source tree patched against the PTrace bug:
ftp://ftp.debian.org/debian/pool/main/k/kernel-source-2.4.20/kernel-source-2.4.20_2.4.20-3woody.3_all.deb

>
> [...] a patch that works on Kernel 2.2.X and 2.4.X ;)
>
It's 2.4.20 only... :-P

ciao.
TeO:-)

-- 
TeO:-) ... ICQ#91902715
http://www.matteomoro.net/
"90% of a PC's problems
lie between the keyboard and the chair"



Re: PTRACE Fixed?

2003-03-22 Thread Jon
On Sat, 2003-03-22 at 04:43, Markus Kolb wrote:
> Jon wrote:
> 
> [...]
> 
> >>
> >>Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
> >>
> >>=> Simple mode, executing /usr/bin/id > /dev/tty
> >>sizeof(shellcode)=95
> >>=> Child process started..
> >>=> Child process started..
> 
> [...]
> >>
> >>Does this mean the patch I downloaded worked?
> > 
> > 
> > Yes.
> > 
> > - Jon
> 
> Mmh, well, I have a non-patched 2.4.19 and so there should be the bug.
> I've tried the k3m, too.
> In my environment it first told me that my kernel is attackable.
> I ran k3m a 2nd and 3rd time and it has only reported the "Child process 
> started..." messages and produced child process zombies.


The exploit may need to start several child processes before one of
them obtains root privileges.  If your kernel is vulnerable, you should
get an "ok!" message after a few attempts (usually works the second or
third time on my 2.4.20-k7 machine).  

When run without arguments, the exploit just starts a process, checks
its privileges, then kills the processes.  I have not noticed any
zombie processes after running the exploit - even after running it
several times.  If you *do* want it to start some processes, there are
command-line options to do so.  


> What is that? Is k3m buggy? Very strange...
> 

Works great on my machine... unfortunately.  ;)

- Jon



Increased number of scans.

2003-03-22 Thread Andrew P. Kaplan
In the past few days I have noticed a jump in scans on my Apache box. Is
this just a fluke or is something brewing?


03/22/2003 08:01:53.224 - Possible Port Scan - Source:212.32.4.26, 43280,
WAN - Destination:209.113.151.5, 5121, LAN - TCP scanned port list, 81, 81,
3128, 3128, 4480

03/22/2003 08:01:53.224 - Probable Port Scan - Source:212.32.4.26, 43287,
WAN - Destination:209.113.151.5, 7366, LAN - TCP scanned port list, 81, 81,
3128, 3128, 4480, 4480, 6588, 6588, 8000, 8000 -

Andrew P. Kaplan
www.cshore.com



Re: PTRACE Fixed?

2003-03-22 Thread Sven Hoexter
On Sat, Mar 22, 2003 at 05:49:55PM +0100, Laurent Tickle wrote:
> Hello,
> 
> Where can I find a patch for the PTrace bug?
> Because I'm searching for a patch that works on Kernel 2.2.X and 2.4.X ;)
Well, for 2.2.x Alan Cox released 2.2.25 which includes only the ptrace patch.
For 2.4.x several patches circulated on the lkml [1] and I heard about an
official BitKeeper-generated patch on kernel.org.

Sven

[1] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0303.2/0226.html

-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]



secure topologies - smtp/dns/whois/....

2003-03-22 Thread Hanasaki JiJi

Would you share your opinions on the following setup for daemons?

firewall runs
    whois server - gwhois or jwhois?
    iptables - firewall
    forwards-to/NAT-from internal smtp server
    NAT outgoing DNS for internal bind9 server
    bind9 - for external dns
    NAT from internal SQUID server to internet
    ntp - time server for internal

host(s) inside the firewall
    smtp server - exim4
    dhcp3-server for internal
    bind9 - for internal dns
    squid - http proxy
    webserver - apache for internal and external
        domain.com
        internal.domain.com




Re: PTRACE Fixed?

2003-03-22 Thread Phillip Hofmeister
http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt

The patch is for 2.2.24 or 2.4.20.  I tried applying it on 2.4.18 but
the patch seems to barf :)

On Sat, 22 Mar 2003 at 05:49:55PM +0100, Laurent Tickle wrote:
> Hello,
> 
> Where can I find a patch for the PTrace bug?
> Because I'm searching for a patch that works on Kernel 2.2.X and 2.4.X ;)
> 
> thanks
> 
> - Original Message -
> From: "Jacek Sobczak" <[EMAIL PROTECTED]>
> To: "Debian Security" 
> Sent: Saturday, March 22, 2003 5:15 PM
> Subject: Re: PTRACE Fixed?
> 
> 
> Dnia sob 22. marzec 2003 10:03, LeVA napisa?:
> > Hello!
> >
> > Is the 2.4.20 kernel vulnerable to this exploit?
> 
> yes
> 
> 
> 
> 
> 
> 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.463 / Virus Database: 262 - Release Date: 17/03/2003
> 
> 
> 

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #76: Budget cuts 



Re: secure topologies - smtp/dns/whois/....

2003-03-22 Thread David B Harris
On Sat Mar 22, 12:01pm -0600, Hanasaki JiJi wrote:
> firewall runs
>   whois server - gwhois or jwhois?

No comment, I don't run any WHOIS servers.

>   iptables - firewall

iptables is fine, if you set it up properly.

>   bind9 - for external dns
>   

Also fine, if you set it up properly and keep an eye on bugtraq and
related for security issues.

>   NAT from internal SQUID server to internet

I shall assume this is firewalled.

>   ntp - time server for internal
>   

No comment, I do run a bunch of ntp servers, but they're all internal
and firewalled (so I haven't done any audits or anything).

> host(s) inside the firewall
>   smtp server - exim4

Fine, if you set it up properly and track security issues (has a decent
history).

>   dhcp3-server for internal

See above.

>   bind9 - for internal dns

See above.

>   squid - http proxy

See above.

>   webserver - apache for internal and external
>   domain.com
>   internal.domain.com
>   

Fine, if you set it up properly and track security issues.

For those daemons which aren't known to be riddled with holes and
issues, you'll only be okay if you set them up properly and monitor for
security issues - you can't ever get out of that.




Re: PTRACE Fixed?

2003-03-22 Thread Matteo Moro
On Sat, 22 Mar 2003 17:49:55 +0100
"Laurent Tickle" <[EMAIL PROTECTED]> wrote:
> 
> [...] patch for the PTrace bug ?
> 
Here you'll find a kernel source tree patched against the PTrace bug:
ftp://ftp.debian.org/debian/pool/main/k/kernel-source-2.4.20/kernel-source-2.4.20_2.4.20-3woody.3_all.deb

>
> [...] a patch who work on Kernel 2.2.X and 2.4.X ;)
>
It's 2.4.20 only... :-P

ciao.
TeO:-)

-- 
TeO:-) ... ICQ#91902715
http://www.matteomoro.net/
"Il 90% dei problemi di un PC
sta tra la tastiera e la sedia"




Re: PTRACE Fixed?

2003-03-22 Thread Jon
On Sat, 2003-03-22 at 04:43, Markus Kolb wrote:
> Jon wrote:
> 
> [...]
> 
> >>
> >>Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
> >>
> >>=> Simple mode, executing /usr/bin/id > /dev/tty
> >>sizeof(shellcode)=95
> >>=> Child process started..
> >>=> Child process started..
> 
> [...]
> >>
> >>Does this mean the patch I downloaded worked?
> > 
> > 
> > Yes.
> > 
> > - Jon
> 
> Mmh, well, I have a non-patched 2.4.19 and so there should be the bug.
> I've tried the k3m, too.
> In my environment it first told me that my kernel is attackable.
> I ran k3m a 2nd and 3rd time and it has only reported the "Child process 
> started..." messages and produced child process zombies.


The exploit may need to start several child processes before one of
them obtains root privileges.  If your kernel is vulnerable, you should
get an "ok!" message after a few attempts (usually works the second or
third time on my 2.4.20-k7 machine).  

When run without arguments, the exploit just starts a process, checks
its privileges, then kills the process.  I have not noticed any
zombie processes after running the exploit - even after running it
several times.  If you *do* want it to start some processes, there are
command-line options to do so.  


> What is that? Is k3m buggy? Very strange...
> 

Works great on my machine... unfortunately.  ;)

- Jon




Re: PTRACE Fixed?

2003-03-22 Thread Laurent Tickle
Hello,

Where can I find a patch for the PTrace bug?
Because I'm searching for a patch that works on Kernel 2.2.X and 2.4.X ;)

thanks

- Original Message -
From: "Jacek Sobczak" <[EMAIL PROTECTED]>
To: "Debian Security" 
Sent: Saturday, March 22, 2003 5:15 PM
Subject: Re: PTRACE Fixed?


Dnia sob 22. marzec 2003 10:03, LeVA napisał:
> Hello!
>
> Is the 2.4.20 kernel vulnerable to this exploit?

yes






---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.463 / Virus Database: 262 - Release Date: 17/03/2003



Re: PTRACE Fixed?

2003-03-22 Thread Phillip Hofmeister
On Sat, 22 Mar 2003 at 10:03:38AM +0100, LeVA wrote:
> Hello!
> 
> Is the 2.4.20 kernel vulnerable to this exploit?

Since there is a patch explicitly written for it on kernel.org I would
suppose it is...



Re: kernel ptrace bug - exploit

2003-03-22 Thread Halil Demirezen
This is more than an exploit. It is marvellous and smart.

Thank god we know the bug now!




On Fri, Mar 21, 2003 at 09:18:42AM +0100, Yndy wrote:
> Hi all!
> 
> http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
> 
> Yndy
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: PTRACE Fixed?

2003-03-22 Thread Jacek Sobczak
Dnia sob 22. marzec 2003 10:03, LeVA napisał:
> Hello!
>
> Is the 2.4.20 kernel vulnerable to this exploit?

yes



Re: Ptrace patch for 2.4.x BREAKS kill() 2 interesting effects for .pid and dot locking? (was Re: Ptrace hole / Linux 2.2.25)

2003-03-22 Thread pascal
hi all

I have a similar problem after compiling a new kernel with
kernel-source-2.4.20_2.4.20-3woody.3_all.deb

The output of ps has changed and doesn't output the full path
of a process anymore.
like this:

sid 2.4.20 built with source from kernel.org
(ptrace bug unpatched) 
or any other woody 2.4.17-19 
(all built from kernel-source.deb)
I looked at :
-
ps faux | grep apache
root 16960  0.0  0.9 141232 4812 ?   S14:45   0:00 /usr/sbin/apache
www-data 16964  0.0  1.1 142156 5328 ?   S14:45   0:00  \_ /usr/sbin/apache


woody 2.4.20 build with 
kernel-source-2.4.20_2.4.20-3woody.3_all.deb:
-
ps faux | grep apache
root   695  0.0  1.3 71420 1784 ?SMar21   0:02 /usr/sbin/apache
www-data 27165  0.0  1.5 71480 2016 ?S06:26   0:00  \_ [apache]

in my case "mailscanner" from woody is broken since it does a 
pid=`/bin/ps axww | /bin/grep /usr/sbin/mailscanner
but there are very likely others

Is this just me doing something wrong?


tks and greeting 

pascal


Am Thu, Mar 20, 2003 at 10:43:05AM +1200, Matthew Grant sagte:
> Hi There!
> 
> Sorry about making a racket, but I am posting this for the edification
> of all, as there is a work around without breaking your server for this
> one.
> 
> As you can read below, I have found that the patch on 2.4.x also BREAKS
> kill() 2 when executed for signal 0 on a process ID that the user is not
> the owner of, except for root of course.
> 
> This has all sorts of interesting effects for processing .pid files, and
> probably dot locking.  Makes the patch as it stands unacceptable for
> 2.4.21, and vendor kernels I would say... (See below for effects on
> Debian netsaint...)
> 
> I have been just digging harder, and the vulnerability is only
> exploitable if you are using the kernel auto module loader, so compile
> your kernel without auto module loader enabled, or echo some garbage
> into /proc/sys/kernel/modprobe after loading all your modules.  It has
> to be an invalid executable name in there as any executable file will
> open the bug to exploit.
> 
> Here are the effects on a netsaint box I look after:
> 
> bucket: -foo- [~] 
> $ ls -l /var/run/netsaint/netsaint.pid 
> -rw-r--r--1 root root5 Mar 19 16:32 
> /var/run/netsaint/netsaint.pid
> 
> bucket: -foo- [~] 
> $ cat !$
> cat /var/run/netsaint/netsaint.pid
> 4276
> 
> bucket: -foo- [~] 
> $ kill -0 4276
> bash: kill: (4276) - Operation not permitted
> 
> and the netsaint Web front end can't find the process alive that it
> wants to talk to via a unix pipe so that it can start and stop
> notifications etc
> 
> Could I please say this to the kernel developers, please fix it
> properly!
> 
> Thanks heaps, 
> 
> Matthew Grant
> 
> On Thu, 2003-03-20 at 09:34, Matthew Grant wrote:
> Dear All,
> 
> The patch also breaks kill(2) on a process with signal number 0 - This
> is used by a lot of monitoring programs running as one user ID to make
> sure a process with another user ID is running.
> 
> This causes trouble with packages like nagios and netsaint, as well as
> other stuff.
> 
> Alan, don't want to bash you around, but isn't there another fix
> possible that doesn't break this function call and UML skas mode?
> 
> Cheers,
> 
> Matthew Grantal
> 
> On Thu, 2003-03-20 at 08:09, Matthew Grant wrote:
> Mistyped linux-kernel address  %-< 
> 
> -Forwarded Message- 
> 
> From: Matthew Grant <[EMAIL PROTECTED]>
> To: Alan Cox <[EMAIL PROTECTED]>
> Cc: Jeff Dike <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: Ptrace hole / Linux 2.2.25
> Date: 20 Mar 2003 07:55:45 +1200
> 
> Alan,
> 
> This patch really breaks UML using the skas mode of thread tracing skas3
> patch on quite a significant amount of machines out there. The skas mode
> is a lot more secure than the traditional UML tt mode. I guess this is
> related to the below...
> 
> I am running a UML site that a lot of hospitals and clinics in Bangladesh
> depend on for their email.  It allows them to work around the corruption
> and aggrandizement of the ISPs over there.  The skas3 mode patch is
> needed for the site to run securely.  Tracing thread mode does not cut
> it.
> 
> There are also a large number of other telehoused ISP virtual hosting 
> machines that use this stuff, and it is actually proving to be quite
> reliable.
> 
> I have attached the skas3 patch that Jeff Dike is currently using, and
> the patch that you have produced.  Could you please look into the clash
> between them, and get it fixed.
> 
> Thank you - there are lots out there who will appreciate this.
> 
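
Two breakages are described in this message and the one it quotes: monitors that treat any failure of kill(pid, 0) as "process is dead" (Matthew's netsaint case, where the patched kernel answers EPERM for another user's pid), and scripts that locate a daemon by grepping ps output (pascal's mailscanner case, where the kernel now shows [apache] instead of the path). The Python below is an added example (editor's, not from either poster or from netsaint/mailscanner) showing the robust form of both checks: only ESRCH means "gone", and a daemon is found by the executable behind /proc/<pid>/exe rather than by its displayed command line. The sample pidfile contents are constructed in the shape of the netsaint one quoted above.

```python
import os

# Constructed sample pidfile contents, in the shape of the netsaint one quoted above.
SAMPLE_PIDFILE = "4276\n"


def read_pid(text):
    """Parse pidfile contents; None unless it is a single positive integer."""
    text = text.strip()
    if not text.isdigit() or int(text) <= 0:
        return None
    return int(text)


def naive_alive(pid):
    """The fragile pattern: any failure of kill(pid, 0) is read as 'dead'.
    On a kernel that answers EPERM for another user's process, a monitor
    running as an unprivileged user wrongly reports the daemon as gone."""
    try:
        os.kill(pid, 0)
    except OSError:
        return False
    return True


def process_alive(pid):
    """True if a process with this pid exists, whether or not we may signal it.
    Only ESRCH means 'no such process'; EPERM means it exists but belongs to
    someone else, which for a liveness check still counts as alive."""
    if pid <= 0:
        raise ValueError("pid must be positive")
    try:
        os.kill(pid, 0)
    except ProcessLookupError:   # ESRCH
        return False
    except PermissionError:      # EPERM
        return True
    return True


def exe_path(pid):
    """Executable behind a pid via /proc/<pid>/exe, or None if unreadable
    (gone, not ours, or no /proc). Reading other users' links needs privilege,
    which a monitor that runs as root has anyway."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None


def pids_by_exe(path):
    """Find processes by the executable they run instead of grepping ps output,
    which breaks when the kernel reports a bracketed name such as [apache]
    in place of the full command line."""
    found = []
    for name in os.listdir("/proc"):
        if name.isdigit() and exe_path(int(name)) == path:
            found.append(int(name))
    return sorted(found)


def check_reaped_child():
    """Self-test: fork a child that exits at once, reap it, then ask both
    checkers about the dead pid. Returns (naive_result, correct_result)."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)
    os.waitpid(pid, 0)
    return naive_alive(pid), process_alive(pid)


def self_check():
    """Run the checkers against the current process and return the results."""
    me = os.getpid()
    exe = os.readlink("/proc/self/exe")
    return {"alive": process_alive(me), "naive": naive_alive(me),
            "found_by_exe": me in pids_by_exe(exe)}


if __name__ == "__main__":
    pid = read_pid(SAMPLE_PIDFILE)
    print("pidfile pid %d: naive=%s correct=%s" % (pid, naive_alive(pid), process_alive(pid)))
    print("reaped child:", check_reaped_child())
    print("self:", self_check())
```

Run unprivileged against pid 1 (or any other user's daemon), naive_alive() and process_alive() disagree; that disagreement is exactly what netsaint hit after the patch, and it is the naive form that is wrong regardless of the kernel.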

Re: PTRACE Fixed?

2003-03-22 Thread Markus Kolb

Jon wrote:

[...]

>>
>>Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
>>
>>=> Simple mode, executing /usr/bin/id > /dev/tty
>>sizeof(shellcode)=95
>>=> Child process started..
>>=> Child process started..

[...]
>>
>>Does this mean the patch I downloaded worked?
> 
> 
> Yes.
> 
> - Jon

Mmh, well, I have a non-patched 2.4.19 and so there should be the bug.
I've tried the k3m, too.
In my environment it first told me that my kernel is attackable.
I ran k3m a 2nd and 3rd time and it has only reported the "Child process 
started..." messages and produced child process zombies.

What is that? Is k3m buggy? Very strange...



selinux newbie questions

2003-03-22 Thread Robert Bihlmeyer
Hi,

I finally decided to invest some time into SELinux, having run it in
permissive/useless mode for months now. While trying to come up with
the right policy changes to make my system still work I stumbled upon
a few things.

How to handle daemons that drop root? Is it ok to allow their domain
setuid & setgid capabilities? Am I right that this does not give
additional privilege, i.e. after root is dropped, the process can no
longer do setuid even with the capability allowed?

I'd like to make root:sysadm_r:sysadm_t omnipotent. Can this be done
in a few lines? Is it a hole? I find that I'd still have to go to
permissive mode to get things done, which would be an even bigger
hole.

Why do I get:
  Mar 22 09:43:23 hoss kernel: avc: denied { transition } for pid=766
  exe=/usr/bin/runas path=/etc/init.d/privoxy dev=03:01 ino=10157
  scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:initrc_t
  tclass=process
when I have the following in /etc/selinux/policy.conf:
  allow sysadm_t initrc_t:process transition;
Is it because of the id/roles mismatch? How do I fix that?

Isn't the can_network definition too broad, including rawip_* stuff?
Hardly any program should need that, no?

Must I really prefix everything in the file/net context definitions
with "system_u:object_r:" -- can't this be the default?

Is there a macro to handle the dns goo (reading nsswitch, hosts,
resolv.conf, connecting to a dns server, ...)?

TIA & Ta,
-- 
Robbe
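
The avc denial above carries everything needed to derive the type-enforcement rule it corresponds to, and comparing that rule with what is in policy.conf is the first thing to do before touching permissive mode. The Python below is an added example (editor's, not from the post or from the SELinux tools): it parses an avc line into its fields, splits both contexts into user, role and type, produces the minimal allow rule in the style audit2allow prints, and checks whether an equivalent line already exists in a policy source text. It does not decide why the denial happens; it only shows whether a missing type rule is the explanation. The sample denial and policy line are the post's own, re-joined.

```python
import re

# Constructed sample: the denial from the post, re-joined onto one line.
SAMPLE_AVC = (
    "Mar 22 09:43:23 hoss kernel: avc: denied { transition } for pid=766 "
    "exe=/usr/bin/runas path=/etc/init.d/privoxy dev=03:01 ino=10157 "
    "scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:initrc_t "
    "tclass=process"
)
# The rule the poster says is already in /etc/selinux/policy.conf.
SAMPLE_POLICY = "allow sysadm_t initrc_t:process transition;\n"

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)


def split_context(ctx):
    """user:role:type[:level] -> (user, role, type)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("bad security context: %r" % ctx)
    return parts[0], parts[1], parts[2]


def parse_avc(line):
    """Parse one avc message into a dict of its key=value fields; None if not an avc line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    # Expose user/role/type of both contexts so role mismatches are visible.
    for key in ("scontext", "tcontext"):
        if key in rec:
            user, role, typ = split_context(rec[key])
            rec[key + "_user"], rec[key + "_role"], rec[key + "_type"] = user, role, typ
    return rec


def allow_rule(rec):
    """Minimal TE rule covering the denial, in the form audit2allow prints:
    allow <source type> <target type>:<class> <perm | { perms }>;"""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm_str)


def _normalize(rule):
    return " ".join(rule.replace("{", " { ").replace("}", " } ").split())


def rule_present(policy_text, rule):
    """Whether an equivalent allow line already appears in the policy source."""
    want = _normalize(rule)
    return any(_normalize(line) == want for line in policy_text.splitlines())


def diagnose(line, policy_text):
    """Report the candidate rule, or note that the source already has it."""
    rec = parse_avc(line)
    if rec is None:
        return "not an AVC message"
    rule = allow_rule(rec)
    if rule_present(policy_text, rule):
        return ("type rule already in source: %s (source role %s, target role %s)"
                % (rule, rec["scontext_role"], rec["tcontext_role"]))
    return "candidate rule: " + rule


if __name__ == "__main__":
    print(diagnose(SAMPLE_AVC, SAMPLE_POLICY))
```

For the post's denial the derived rule is byte-for-byte the line already in policy.conf, so the script reports the roles of the two contexts (sysadm_r against object_r) instead of suggesting another allow line.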




Re: is iptables enough?

2003-03-22 Thread Hanasaki JiJi

Aren't some ICMP packets best to allow for effective routing and such?

Josh Carroll wrote:

> There are a couple of reasons why I use -j DROP
> instead of -j REJECT. Firstly, sending responses to
> packets you're dropping can be bad, given a relatively
> small upstream link. In theory, one could DoS you
> sufficiently with an upstream equal or slightly better
> than yours. That is not to say that the would-be
> attacker couldn't just find a network that could
> surpass your downstream as well, just pointing out
> this drawback of -j REJECT.
> 
> Secondly, while DROP'ing the packet doesn't make you
> invisible, it does have some degree of value when
> deterring people. If an attacker gets no response from
> machine 1, but a tcp reject from machine 2, I'm
> willing to bet they'd pursue machine 2 first. Let's
> face it, if they want to find out if you're there or
> running something on a port, they probably can with a
> bit more effort anyway, but it might just make them
> pass you by for an easier target.
> 
> In general, I don't use -j REJECT unless I'm worried
> about being polite. And in most circumstances,
> politeness isn't my goal ;)
> 
> Josh
> 
> --- Vineet Kumar <[EMAIL PROTECTED]> wrote:
> 
> > * Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39 PST]:
> > > Set it up to block everything and then selectively open ports until
> > > everything works as desired. Depending on the applications it may be a
> > > good idea to REJECT auth (identd) packets instead of dropping them -
> > > some applications have long timeouts.
> > 
> > IMO, it's a good idea to REJECT instead of DROPping most packets.  If
> > you think DROPping makes you invisible, you're deluding yourself.  I
> > generally end my INPUT chain with
> > 
> > -p tcp -j REJECT --reject-with tcp-reset
> > -p udp -j REJECT --reject-with icmp-port-unreachable
> > -j REJECT --reject-with icmp-proto-unreachable
> > 
> > Of course, different setups have different needs, but I think this is
> > pretty good for most home configurations
> > 
> > good times,
> > Vineet
> > --
> > http://www.doorstop.net/
> > --
> > http://www.digitalconsumer.org/










--
=
= Management is doing things right; leadership is doing the =
=   right things.- Peter Drucker=
=___=
= http://www.sun.com/service/sunps/jdc/javacenter.pdf   =
=  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
=
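
The DROP-versus-REJECT argument in this thread is really about what the connecting side experiences: a RST or ICMP unreachable fails the connect immediately, while a dropped SYN leaves the client hanging until its own timer expires (Adrian's identd example). The Python below is an added example (editor's, not from any poster) that probes a TCP port and classifies the answer the way a client sees it, using the Linux errno mapping for the ICMP cases; the local fixtures construct a closed and a listening loopback port so the "refused" and "open" paths can be exercised offline. Reproducing "timeout" needs a host that actually drops, so that path is documented but not exercised here.

```python
import errno
import socket
import time


def probe(host, port, timeout=2.0):
    """TCP connect to host:port and report how the far end (or a firewall in
    between) answered, as (outcome, seconds_elapsed):

      'open'        - handshake completed
      'refused'     - RST or ICMP port-unreachable came back; this is what
                      REJECT --reject-with tcp-reset / icmp-port-unreachable
                      produces (Linux maps both to ECONNREFUSED for TCP), and
                      also what a plainly closed port produces
      'unreachable' - ICMP host/net/protocol unreachable (EHOSTUNREACH,
                      ENETUNREACH, ENOPROTOOPT); also immediate
      'timeout'     - nothing came back within the timeout; this is what DROP
                      produces, and the client sits through the whole period
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open", time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except socket.timeout:
        return "timeout", time.monotonic() - start
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ENOPROTOOPT):
            return "unreachable", time.monotonic() - start
        raise
    finally:
        s.close()


def closed_local_port():
    """Constructed fixture: take an ephemeral loopback port, release it and
    hand it back. With nothing listening, the kernel answers the SYN with
    RST, the same thing a client sees from REJECT --reject-with tcp-reset."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_listener():
    """Constructed fixture for the 'open' path: listen on an ephemeral
    loopback port and probe it; the handshake completes from the backlog
    without an accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        return probe("127.0.0.1", srv.getsockname()[1], 2.0)[0]
    finally:
        srv.close()


if __name__ == "__main__":
    print("closed port:", probe("127.0.0.1", closed_local_port()))
    print("listening port:", probe_listener())
```

Point this at a host behind a DROP policy with a 30-second timeout and the elapsed value is 30 seconds per attempt; that wait, multiplied across every daemon that does an ident or reverse lookup back to a dropped port, is the cost Adrian's advice to REJECT auth packets avoids.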



Re: iptables route

2003-03-22 Thread Haim Ashkenazi
On Sat, 22 Mar 2003 06:24:02 -0300
Eduardo Rocha Costa <[EMAIL PROTECTED]> wrote:

> Hi, first of all sorry for my poor English, I'll try my best.
> 
> I have the following scheme in my lab:
> 
> INTERNET --- firewall --- local network
> 
> I have real IPs for all computers in the lab, so I don't need NAT, 
> but I don't know how to set this up and can't find any documentation
> on how to build a firewall for that. So I made a local network 
> with private IPs (10.0).
> This was not a problem since we can do all things normally.
> But now some problems are appearing: we built two web servers and one
> file server. And now the main router of the university is routing the
> real IP addresses of the web services through my firewall and I don't
> know how to set these things up so that the web server and the file server
> can be seen on the INTERNET.
> Can someone help? Or point to some good documentation?
> By the way, we want the servers to have the real IPs and 
> the others private IPs.
> 
> Thank you
> 
> 
> -- 
> Eduardo Rocha Costa
> [EMAIL PROTECTED]
Hi

iptables is not easy to understand. That's where some front-ends come to
your aid. I suggest using shorewall (apt-get install shorewall). It's
decently documented and comes with examples. You should divide your
network into zones (internet, local, dmz, lab, etc...), set them in the
"zones" file and create the policy and rules. Also masquerading and NAT
are very easy to configure with shorewall.


Bye
-- 
Haim



iptables route

2003-03-22 Thread Eduardo Rocha Costa
Hi, first of all sorry for my poor English, I'll try my best.

I have the following scheme in my lab:

INTERNET --- firewall --- local network

I have real IPs for all computers in the lab, so I don't need NAT, 
but I don't know how to set this up and can't find any documentation
on how to build a firewall for that. So I made a local network 
with private IPs (10.0).
This was not a problem since we can do all things normally.
But now some problems are appearing: we built two web servers and one
file server. And now the main router of the university is routing the real
IP addresses of the web services through my firewall and I don't know how to 
set these things up so that the web server and the file server can be seen on the 
INTERNET.
Can someone help? Or point to some good documentation?
By the way, we want the servers to have the real IPs and 
the others private IPs.

Thank you


-- 
Eduardo Rocha Costa
[EMAIL PROTECTED]



Re: PTRACE Fixed?

2003-03-22 Thread LeVA

Hello!

Is the 2.4.20 kernel vulnerable to this exploit?

Phillip Hofmeister wrote:

> All,
> 
> I just patched my kernel with the patch available on kernel.org.  I
> downloaded, compiled and ran the km3.c exploit for this bug.  How can I
> tell if the exploit failed or not?  When I run the exploit as non-root
> it keeps starting children over and over again.  When I run it as root
> it does the following:
> 
> Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
> 
> => Simple mode, executing /usr/bin/id > /dev/tty
> sizeof(shellcode)=95
> => Child process started..
> => Child process started.+ 2131
> uid=0(root) gid=0(root) groups=0(root)
> - 2131 ok!
> 
> As non-root:
> 
> Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
> 
> => Simple mode, executing /usr/bin/id > /dev/tty
> sizeof(shellcode)=95
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> 
> 
> Does this mean the patch I downloaded worked?
> 
> Thanks,








selinux newbie questions

2003-03-22 Thread Robert Bihlmeyer
Hi,

I finally decided to invest some time into SELinux, having run it in
permissive/useless mode for months now. While trying to come up with
the right policy changes to make my system still work I stumbled upon
a few things.

How to handle daemons that drop root? Is it ok to allow their domain
setuid & setgid capabilities? Am I right that this does not give
additional privilege, i.e. after root is dropped, the process can no
longer do setuid even with the capability allowed?

I'd like to make root:sysadm_r:sysadm:t omnipotent. Can this be done
in a few lines? Is it a hole? I find that I'd still have to go to
permissive mode to get things done, which would be an even bigger
hole.

Why do I get:
  Mar 22 09:43:23 hoss kernel: avc: denied { transition } for pid=766
  exe=/usr/bin/runas path=/etc/init.d/privoxy dev=03:01 ino=10157
  scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:initrc_t
  tclass=process
when I have the following in /etc/selinux/policy.conf:
  allow sysadm_t initrc_t:process transition;
Is it because of the id/roles mismatch? How do I fix that?

Isn't the can_network definition too broad, including rawip_* stuff?
Hardly any program should need that, no?

Must I really prefix everything in the file/net context definitions
with "system_u:object_r:" -- can't this be the default?

Is there a macro to handle the dns goo (reading nsswitch, hosts,
resolv.conf, connecting to a dns server, ...)?

TIA & Ta,
-- 
Robbe




Re: is iptables enough?

2003-03-22 Thread Hanasaki JiJi
Aren't some ICMP packets best to allow for effective routing and such?

Josh Carroll wrote:
There are a couple of reasons why I use -j DROP
instead of -j REJECT. Firstly, sending responses to
packets you're dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
sufficiently with an upstream equal or slightly better
than yours. That is not to say that the would-be
attacker couldn't just find a network that could
surpass your downstream as well, just pointing out
this drawback of -j REJECT.
Secondly, while DROP'ing the packet doesn't make you
invisible, it does have some degree of value when
deterring people. If an attacker gets no response from
machine 1, but a tcp reject from machine 2, I'm
willing to bet they'd pursue machine 2 first. Let's
face it, if they want to find out if you're there or
running something on a port, they probably can with a
bit more effort anyway, but it might just make them
pass you by for an easier target.
In general, I don't use -j REJECT unless I'm worried
about being polite. And in most circumstances,
politeness isn't my goal ;)
Josh

--- Vineet Kumar <[EMAIL PROTECTED]> wrote:
* Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39 PST]:

Set it up to block everything and then selectively open ports until
everything works as desired. Depending on the applications it may be a
good idea to REJECT auth (identd) packets instead of dropping them -
some applications have long timeouts.

IMO, it's a good idea to REJECT instead of DROPping most packets.  If
you think DROPping makes you invisible, you're deluding yourself.  I
generally end my INPUT chain with

-p tcp -j REJECT --reject-with tcp-reset
-p udp -j REJECT --reject-with icmp-port-unreachable
-j REJECT --reject-with icmp-proto-unreachable

Of course, different setups have different needs, but I think this is
pretty good for most home configurations

good times,
Vineet
--
http://www.doorstop.net/
--
http://www.digitalconsumer.org/





--
=
= Management is doing things right; leadership is doing the =
=   right things.- Peter Drucker=
=___=
= http://www.sun.com/service/sunps/jdc/javacenter.pdf   =
=  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
=
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
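The INPUT-chain ending Vineet quotes above, next to the plain DROP ending Josh prefers, as an added example in shell (it is not code from any of the posters). It assumes a standard iptables with the state match available, and it adds an ESTABLISHED,RELATED accept and a loopback accept ahead of the terminal rules, which neither post spells out but which the terminal rules need in front of them so that replies to the box's own connections are not rejected. IPT defaults to a dry-run `echo` so the rules can be read and checked without root; set IPT=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example: the tail of an iptables INPUT chain in two flavours.
#   reject - the "polite" ending from Vineet's post (TCP RST, ICMP port/proto unreachable)
#   drop   - the silent ending from Josh's post
# Assumption (not from the thread): an ESTABLISHED,RELATED accept and a
# loopback accept are placed before the terminal rules.
# IPT defaults to a dry run that only prints the commands.
IPT="${IPT:-echo iptables}"

# input_tail MODE   MODE is "reject" or "drop"
input_tail() {
    mode="$1"
    # Replies to connections this host opened must be accepted before anything
    # terminal, otherwise the terminal rule below kills them too.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Local traffic is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    # Service-specific "-A INPUT -p tcp --dport N -j ACCEPT" rules belong here,
    # between the state rule and the terminal rules.
    case "$mode" in
        reject)
            # TCP gets a RST, UDP an ICMP port-unreachable, anything else an
            # ICMP protocol-unreachable; clients fail fast instead of timing out.
            $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
            $IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
            $IPT -A INPUT -j REJECT --reject-with icmp-proto-unreachable
            ;;
        drop)
            # No response at all: no reply bandwidth spent, but clients wait for timeouts.
            $IPT -A INPUT -j DROP
            ;;
        *)
            echo "usage: input_tail reject|drop" >&2
            return 1
            ;;
    esac
}

# Dry run of both variants when executed directly.
input_tail reject
input_tail drop
```

Run it as-is to see the rule lists; with `IPT=/sbin/iptables sh script.sh` the same function applies the rules for real (root required). Whichever tail is chosen, the ordering is the part that matters: the state rule and the per-service accepts go first, the terminal REJECT or DROP rules go last.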


Re: PTRACE Fixed?

2003-03-22 Thread Jon
On Fri, 2003-03-21 at 17:43, Phillip Hofmeister wrote:
> When I run it as root it does the following:
> 
> Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
> 
> => Simple mode, executing /usr/bin/id > /dev/tty
> sizeof(shellcode)=95
> => Child process started..
> => Child process started.+ 2131
> uid=0(root) gid=0(root) groups=0(root)
> - 2131 ok!
> 
> As non-root:
> 
> Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
> 
> => Simple mode, executing /usr/bin/id > /dev/tty
> sizeof(shellcode)=95
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> => Child process started..
> 
> 
> Does this mean the patch I downloaded worked?

Yes.

- Jon



Re: iptables route

2003-03-22 Thread Haim Ashkenazi
On Sat, 22 Mar 2003 06:24:02 -0300
Eduardo Rocha Costa <[EMAIL PROTECTED]> wrote:

> Hi, first of all sorry for my poor English, I'll try my best.
> 
> I have the following scheme in my lab:
> 
> INTERNET --- firewall --- local network
> 
> I have real IPs for all computers in the lab, so I don't need NAT, 
> but I don't know how to set this up and can't find any documentation
> on how to build a firewall for that. So I made a local network 
> with private IPs (10.0).
> This was not a problem since we can do all things normally.
> But now some problems are appearing: we built two web servers and one
> file server. And now the main router of the university is routing the
> real IP addresses of the web services through my firewall and I don't
> know how to set these things up so the web server and the file server can
> be seen on the INTERNET.
> Can someone help? Or point to some good documentation? 
> By the way, we want the servers to have the real IPs and 
> the others private IPs.
> 
> Thank you
> 
> 
> -- 
> Eduardo Rocha Costa
> [EMAIL PROTECTED]
Hi

iptables is not easy to understand. That's where some front-ends come to
your aid. I suggest using shorewall (apt-get install shorewall). It's
decently documented and comes with examples. You should divide your
network into zones (internet, local, dmz, lab, etc...), set them in the
"zones" file and create the policy and rules. Also masquerading and NAT
are very easy to configure with shorewall.


Bye
-- 
Haim





iptables route

2003-03-22 Thread Eduardo Rocha Costa
Hi, first of all sorry for my poor English, I'll try my best.

I have the following scheme in my lab:

INTERNET --- firewall --- local network

I have real IPs for all computers in the lab, so I don't need NAT, 
but I don't know how to set this up and can't find any documentation
on how to build a firewall for that. So I made a local network 
with private IPs (10.0).
This was not a problem since we can do all things normally.
But now some problems are appearing: we built two web servers and one
file server. And now the main router of the university is routing the real
IP addresses of the web services through my firewall and I don't know how to 
set these things up so the web server and the file server can be seen on the 
INTERNET.
Can someone help? Or point to some good documentation? 
By the way, we want the servers to have the real IPs and 
the others private IPs.

Thank you


-- 
Eduardo Rocha Costa
[EMAIL PROTECTED]






Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?

2003-03-22 Thread Martin Schulze
Nick Boyce wrote:
> On Friday 21 Mar 2003 2:01 pm, Martin Schulze wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > -
> >- Debian Security Advisory DSA 265-1
> > [EMAIL PROTECTED] http://www.debian.org/security/  
> >   Martin Schulze March 21st, 2003   
> > http://www.debian.org/security/faq
> > -
> [snip]
> 
> I get a bad signature reported by Kmail on this announcement.  Saving 
> the message out to a text file and verifying manually also fails :

Ditch KMail, it is a permanent source of problems when it comes to
digital signatures.

Also read http://www.debian.org/security/faq#signature

Feel free to fetch the message from the list archives on the
web and verify that one instead of the local copy.

Regards,

Joey

-- 
Still can't talk about what I can't talk about.  Sorry.  -- Bruce Schneier


