unsubscribe

2003-03-23 Thread Tomas Willebrand
unsubscribe


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: ptrace

2003-03-23 Thread Josh Carroll
If you compiled and ran the resulting binary before
upgrading your kernel, the isec-ptrace-kmod-exploit
binary may already be set[ug]id, which is a side
effect of running it. Make sure it's not +s and/or
g+s, or better yet just remove it and recompile it.

--- LeVA <[EMAIL PROTECTED]> wrote:
> Hello!
> 
> I have patched my kernel (2.4.20) with this patch:
> http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt
> It compiles correctly.
> Now I have downloaded the km3.c and
> isec-ptrace-kmod-exploit.c
> The km3.c doesn't write the OK! stuff, and it could
> run forever starting 
> child processes...
> But the 'isec-ptrace-kmod-exploit.c' runs like this:
> $ ./isec-ptrace-kmod-exploit
> sh-2.05a#
> 
> So it dropped me a root shell. Well it is not good I
> think, after the 
> patch...
> 
> I heard another way to stop this exploit:
> 
> The /proc/sys/kernel/modprobe contains a path for
> the modprobe 
> executable. If I change it to /var/tmp for example,
> the exploit won't work.
> 
> Now this is true on most of my boxes. I didn't need
> to patch my kernels, 
> because this workaround helped me.
> But on one box, this doesn't work either.
> So, to be clear: I have a box with a 2.4.20 (patched)
> kernel, and the 
> exploit works fine.
> What should I do?
> 
> Sorry for my terrible English, I hope you understand
> the brief of the 
> message.
> 
> Daniel
> 



Re: Is this an obsolete tiger file?

2003-03-23 Thread Javier Fernández-Sanguino Peña
On Fri, Mar 21, 2003 at 02:41:44AM +, Dale Amon wrote:
> chkrootkit finds this file:
> 
> Searching for suspicious files and dirs, it may take a while... 
> /usr/lib/tiger/bin/.bintype
> 
> which appears to be quite old. Is this just a leftover
> from a long ago tiger? It only contains "Linux 2.2.17 2001"
> and appears on several systems looking the same. It isn't
> in the tiger.list file.

This file is created by tiger's buildbins (look in the util/ dir) which is
called by /usr/lib/tiger/bin/config which is called by tiger itself. It
just gets created once when you build the binaries. However, you should not
have built the binaries (since they are already provided compiled).

You can remove it; I wonder how it got created, however.

Regards

Javi



Re: iptables route

2003-03-23 Thread Mauricio Alejandro Araya Lopez
On Sat, 22 Mar 2003, Eduardo Rocha Costa wrote:

> Thanks for the advice, shorewall is very good... only 4 hours and I made
> the configuration!!

Hi, if you want to improve your firewall and security, just see 
http://www.netfilter.org 

-- 
Mauricio Alejandro Araya Lopez* User #249395 counter.li.org
Est.Ingenieria Civil Informatica, * Fono: +56 32 671387
Universidad Tecnica Federico Santa María  * Cel : 09 3469128
Viña del Mar, Chile.  * http://www.inf.utfs.cl/~maray



Re: [despammed] ptrace

2003-03-23 Thread LeVA

Hello!

Thanks, that was the problem. The patch works fine.

Ed McMan wrote:

Saturday, March 22, 2003, 8:26:44 PM, debian-security@lists.debian.org 
(debian-security) wrote:

LeVA> So it dropped me a root shell. Well it is not good I think, after the 
LeVA> patch...


People have been saying that one of the exploits gives itself suid
root after working successfully, so try deleting the executable and
recompiling.

---
| Eddie J Schwartz <[EMAIL PROTECTED]> http://www.m00.net |
| AIM: The Cypher ICQ: 35576339 YHOO: edmcman2 MSN:[EMAIL PROTECTED]  |
| SMS: [EMAIL PROTECTED] "We Trills have an expression--   |
|  at forty, you think you know everything. At four hundred   |
|  hundred, you realize you know nothing." - Dax, ST-DS9  |
---









Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?

2003-03-23 Thread Nick Boyce
On Saturday 22 Mar 2003 6:36 am, Martin Schulze wrote:

> Nick Boyce wrote :
>
> > I get a bad signature reported by Kmail on this announcement.
> >  Saving the message out to a text file and verifying manually also
> > fails :
>
> Ditch KMail, it is a permanent source of problems when it comes to
> digital signatures.

Jeez .. that's disturbing to hear ..

> Also read http://www.debian.org/security/faq#signature

OK - thanks for the pointer - I just read that page and am now 
enlightened :)  

1)  The following is good to know :

   "The debian-security-announce list has a filter that 
   only allows messages with a correct signature from 
   one of the security team members to be posted."

2)  but this bit is not :

   "Most likely some piece of mail software on your 
   end ... breaks the signature. 
   Known culprits are fetchmail (with the mimedecode 
   option enabled), formail (from procmail 3.14 only) 
   and evolution."

   (and Kmail it seems)

It seems to me we have a biggish problem with some major mail clients 
here - we should not just live with this situation.  

I'm particularly bemused by the way Kmail handles your signatures fine 
for me, for all other DSA's from you that I've ever received - and also 
handles other people's signatures without apparent problem - and yet it 
screwed this one up.

An even more disturbing thought is that in contrast to rejecting 
signatures that are in fact good, Kmail may validate signatures that 
are in fact bad ...

> Feel free to fetch the message from the list archives on the
> web and verify that one instead of the local copy.

I did that, and, as you suggest, it verifies ok; I selected all text on
http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00048.html
and saved it to a file using Kate, and manually ran gpg:

[EMAIL PROTECTED]:~$ gpg --verify DSA-265-1-3.txt
gpg: Signature made Fri 21 Mar 2003 14:01:16 GMT using DSA key ID 801EA932
gpg: Good signature from "Martin Schulze <[EMAIL PROTECTED]>"
gpg:                 aka "Martin Schulze <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B53F E57B D0C1 F689 FCE2  5623 5B9A A5F8 801E A932

Thanks for calming me down again :-)

Cheers
Nick Boyce
Bristol, UK
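The FAQ's remark that mail software "breaks the signature" comes down to which bytes are actually hashed for a cleartext signature. The following is an added example, not part of Nick's message or of Debian's FAQ: it extracts the signed text from a clearsigned message, applies the RFC 4880 section 7.1 canonical form (dash-escapes removed, trailing spaces and tabs stripped, CRLF line endings, no line ending after the last line), and shows that a client that adds trailing whitespace leaves the digest unchanged while one that re-wraps lines does not. The advisory text and signature data in SAMPLE_CLEARSIGNED are constructed placeholders, and all function names are assumptions of this example.

```python
import hashlib

# Constructed sample of a clearsigned advisory: the layout is that of a DSA mail,
# the body text and the signature data are placeholders, not any real DSA's content.
SAMPLE_CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    "- ------------------------------------------------------------------------\n"
    "Debian Security Advisory (constructed sample text)\n"
    "Package        : example-package\n"
    "\n"
    "For the stable distribution this problem has been fixed in version 1.0-1.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v1.2.1 (GNU/Linux)\n"
    "\n"
    "iD8DBQE+placeholder-signature-data-not-real\n"
    "-----END PGP SIGNATURE-----\n"
)


def extract_signed_text(armored):
    """Return the text between the armor header block and the signature line.

    Cleartext framework: BEGIN line, optional 'Hash:' headers, one blank line,
    the signed text, then the -----BEGIN PGP SIGNATURE----- line.
    """
    lines = armored.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    body = lines[start + 1:end]
    while body and body[0] != "":      # skip the 'Hash: ...' armor headers
        body.pop(0)
    return "\n".join(body[1:])         # drop the blank separator line


def canonicalize_cleartext(text):
    """RFC 4880 section 7.1 canonical form of a cleartext-signed body:
    dash-escaping ('- ' prefix) removed, trailing spaces and tabs stripped
    from every line, lines joined with CRLF, and no line ending after the
    final line (the one just before -----BEGIN PGP SIGNATURE-----)."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":      # a trailing newline is not part of the signed text
        lines.pop()
    out = []
    for line in lines:
        if line.startswith("- "):
            line = line[2:]
        out.append(line.rstrip(" \t"))
    return "\r\n".join(out).encode("utf-8")


def cleartext_digest(text):
    """Digest of the canonical text. SHA-1 matches the 'Hash: SHA1' header of the
    sample; a real verifier takes the algorithm from the signature packet."""
    return hashlib.sha1(canonicalize_cleartext(text)).hexdigest()


def mailer_adds_trailing_whitespace(text):
    """Harmless transformation: trailing blanks are stripped before hashing."""
    return text.replace("\n", " \t\n")


def mailer_rewraps_long_lines(text, width=40):
    """Destructive transformation: re-flowing a line changes the signed bytes."""
    out = []
    for line in text.split("\n"):
        while len(line) > width:
            cut = line.rfind(" ", 0, width)
            cut = width if cut <= 0 else cut
            out.append(line[:cut])
            line = line[cut:].lstrip(" ")
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    signed = extract_signed_text(SAMPLE_CLEARSIGNED)
    base = cleartext_digest(signed)
    print("original            ", base)
    print("trailing whitespace ", cleartext_digest(mailer_adds_trailing_whitespace(signed)),
          "(same digest: still verifies)")
    print("rewrapped at 40 cols", cleartext_digest(mailer_rewraps_long_lines(signed)),
          "(different digest: BAD signature)")
```

This is why saving the archived copy and running gpg by hand works when the client's copy does not: the canonical form absorbs line-ending and trailing-whitespace differences, but anything that re-flows, decodes or re-encodes the body (the FAQ's fetchmail mimedecode and formail cases) changes the hashed bytes and the signature can no longer match.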



Re: PTRACE Fixed?

2003-03-23 Thread Lars Ellenberg
On Sat, Mar 22, 2003 at 10:58:24AM -0800, Jon wrote:
> On Sat, 2003-03-22 at 04:43, Markus Kolb wrote:
> > Jon wrote:
> > 
> > [...]
> > 
> > >>
> > >>Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
> > >>
> > >>=> Simple mode, executing /usr/bin/id > /dev/tty
> > >>sizeof(shellcode)=95
> > >>=> Child process started..
> > >>=> Child process started..
> > 
> > [...]
> > >>
> > >>Does this mean the patch I downloaded worked?
> > > 
> > > 
> > > Yes.
> > > 
> > > - Jon
> > 
> > Mmh, well, I have a non-patched 2.4.19 and so there should be the bug.
> > I've tried the k3m, too.
> > In my environment it first told me that my kernel is attackable.
> > I ran k3m a 2nd and 3rd time and it has only reported the "Child process 
> > started..." messages and produced child process zombies.
> 

Probably a timing issue, too.
I guess km3 has problems on fast machines.

Lars
> 
> The exploit may need to start several child processes before one of
> them obtains root privileges.  If your kernel is vulnerable, you should
> get an "ok!" message after a few attempts (usually works the second or
> third time on my 2.4.20-k7 machine).  
> 
> When run without arguments, the exploit just starts a process, checks
> its privileges, then kills the processes.  I have not noticed any
> zombie processes after running the exploit - even after running it
> several times.  If you *do* want it to start some processes, there are
> command-line options to do so.  
> 
> 
> > What is that? Is k3m buggy? Very strange...
> > 
> 
> Works great on my machine... unfortunately.  ;)
> 
> - Jon



Re: Patch fot ptrace is good but ....

2003-03-23 Thread Couraud Régis
On Sunday 23 March 2003 05:01, Guille -bisho- wrote:
> >Thus no problem, the patch works ;-)
> >
> >But now I launch the same exploit, compiled and used before the
> > upgrade of the kernel:
> >
> >[EMAIL PROTECTED]:~/ptrace$ ./ptrace-before-compiling
> >[EMAIL PROTECTED]:~/ptrace# id
> >uid=0(root) gid=0(root) groupes=0(root)
> >[EMAIL PROTECTED]:~/ptrace#
> >
> >Would you have an idea why?
>
> The exploit makes the binary setuid...

Thank you, I am really stupid; I really need to think about getting some
sleep ;-)



Re: secure topologies - smtp/dns/whois/....

2003-03-23 Thread Lupe Christoph
On Saturday, 2003-03-22 at 12:01:13 -0600, Hanasaki JiJi wrote:
> Would you share your opinions on the following setup for daemons?

> firewall runs
>   whois server - gwhois or jwhois?

No services on the firewall. Put that on a machine in the DMZ.

>   iptables - firewall

... because it would be no firewall without ;-)

>   forwards-to/NAT-from internal smtp server
>   

-> DMZ

>   NAT outgoing DNS for internal bind9 server

NAT all outgoing connections, I'd say. Unless you have non-RFC1918
addresses on the inside. What a luxury!

>   bind9 - for external dns
>   

-> DMZ

>   NAT from internal SQUID server to internet

NAT all outgoing connections.

>   ntp - time server for internal
>   

Client only. Put the NTP server in the DMZ.

> host(s) inside the firewall
>   smtp server - exim4

Put a relay in the DMZ. Receive mail through it, forwarded to the
internal mail server. Have the internal mail server relay everything
outgoing through this mail server. As for exim, I have never used it.

>   dhcp3-server for internal

This should not matter for the external view or the DMZ.

>   bind9 - for internal dns

Yup. Have the firewall and the DMZ query this server. Have the server
forward-only through the DNS server in the DMZ.

>   squid - http proxy

Better located in the DMZ.

>   webserver - apache for internal and external
>   domain.com
>   internal.domain.com
>   

Put the web server for external in the DMZ if you value your security.
You can use it for internal as well, but don't have to.

Buy and read "Building Internet Firewalls, 2nd Edition" by Zwicky,
Cooper, Chapman (O'Reilly).

On general principle, don't allow connections from external to internal.
Only external <-> DMZ and DMZ <-> internal.

Don't put any services on the firewall. Have the firewall only
communicate with the DMZ. If you have no official addresses but the one
for the firewall, use port redirection to the DMZ for incoming
connections.

HTH,
Lupe Christoph

PS: If you have never used iptables, and you sound like it, give
fwbuilder a try. Even if you have, it might be useful because it
makes management of the rules easier.
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be|
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..."  |
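Lupe's rules, expressed as a small policy model so they can be checked against concrete connections. This is an added example, not code from the thread or from any firewall product: the addresses, the published-port table and the sample connections are constructed, and the names are assumptions of this example. The evaluation order mirrors an iptables setup with one official address: port redirection (DNAT) of published ports into the DMZ first, then the zone filter that permits only external <-> DMZ and DMZ <-> internal.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the three zones. The firewall holds the one official
# address; DMZ and internal use RFC 1918 space; 198.51.100.0/24 plays "the internet".
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
FIREWALL_OFFICIAL = ipaddress.ip_address("203.0.113.10")

# Services published on the official address and port-redirected (DNAT) into the DMZ.
# Nothing listens on the firewall itself.
PORT_REDIRECTS = {
    ("tcp", 25): ("192.168.100.25", 25),   # mail relay, forwards to the internal exim
    ("udp", 53): ("192.168.100.53", 53),   # external bind9
    ("tcp", 80): ("192.168.100.80", 80),   # external web server
}

# The only zone pairs allowed to talk: external <-> DMZ, DMZ <-> internal.
ALLOWED_PAIRS = {
    ("external", "dmz"), ("dmz", "external"),
    ("dmz", "internal"), ("internal", "dmz"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "external"


@dataclass(frozen=True)
class Conn:
    proto: str
    src: str
    dst: str
    dport: int


def evaluate(conn):
    """Return (verdict, reason) for a new connection under the thread's policy."""
    src_zone = zone_of(conn.src)
    dst_ip, dport = conn.dst, conn.dport
    if ipaddress.ip_address(dst_ip) == FIREWALL_OFFICIAL:
        target = PORT_REDIRECTS.get((conn.proto, dport))
        if target is None:
            return ("DROP", f"{conn.proto}/{dport} is not published; no services run on the firewall")
        dst_ip, dport = target            # DNAT into the DMZ
    dst_zone = zone_of(dst_ip)
    if (src_zone, dst_zone) in ALLOWED_PAIRS:
        return ("ACCEPT", f"{src_zone}->{dst_zone} {conn.proto}/{dport} to {dst_ip}")
    return ("DROP", f"{src_zone}->{dst_zone} is not permitted")


# Constructed sample connections; 198.51.100.7 is an internet host.
SAMPLE_CONNS = [
    Conn("tcp", "198.51.100.7", "203.0.113.10", 25),    # inbound mail -> DMZ relay
    Conn("tcp", "198.51.100.7", "203.0.113.10", 22),    # ssh to the firewall itself
    Conn("tcp", "198.51.100.7", "10.0.0.5", 25),        # internet straight to an internal host
    Conn("tcp", "10.0.0.5", "192.168.100.25", 25),      # internal exim relays out via the DMZ
    Conn("tcp", "10.0.0.5", "198.51.100.7", 80),        # internal host bypassing the DMZ squid
    Conn("tcp", "192.168.100.25", "10.0.0.25", 25),     # DMZ relay delivering inbound mail
]


def evaluate_all(conns=SAMPLE_CONNS):
    return [(c, *evaluate(c)) for c in conns]


if __name__ == "__main__":
    for conn, verdict, reason in evaluate_all():
        print(f"{verdict:6} {conn.src:>15} -> {conn.dst:<15} {conn.proto}/{conn.dport}  {reason}")
```

The fifth sample connection is the one people most often leave open by accident: an internal host talking to the internet directly. Under Lupe's model it is dropped, because outbound web, mail and DNS go through the squid, the relay and the forwarder in the DMZ, so the internal network never needs a path past the DMZ.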


