Re: howcome there's no DSA for the latest Linux ptrace hole?
A patch I consider to be from an authoritative site is available (for
2.4.20) at:

http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt

--
Phil

PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #150: Loop found in loop in redundant loopback
Re: howcome there's no DSA for the latest Linux ptrace hole?
Hello

On Fri, Mar 21, 2003 at 08:52:36AM +0100, Alexander Neumann wrote:
> That seems to work only for the exploit provided by him, but not for the
> isec proof-of-concept exploit. It's a better workaround to use the npt
> module from http://www.securiteam.com/tools/5SP082K5GK.html .
> This module will restrict the use of ptrace() to root. It's not a fix,
> but a workaround!

Does it work on your computer? It seems to have no effect here.

I did "insmod -f ./npt.o" (-f because I cannot get rid of
"kernel_version=2.4.20" although I have "2.4.20-westend1-intel"),
verified it with lsmod and then tried the exploit from
http://isec.pl/cliph/isec-ptrace-kmod-exploit.c

I also verified with a printk line that the pointer old_ptrace is in
fact the same address as "sys_ptrace" from /boot/System.map-`uname -r`.
A printk at the beginning of "no_ptrace()" seems not to get called.

bye,

-christian-

--
Christian Hammers    WESTEND GmbH | Internet-Business-Provider
Technik              CISCO Systems Partner - Authorized Reseller
                     Lütticher Straße 10      Tel 0241/701333-11
[EMAIL PROTECTED]    D-52064 Aachen           Fax 0241/911879
Re: howcome there's no DSA for the latest Linux ptrace hole?
Hi,

Jon wrote:
>
> On Thu, 2003-03-20 at 14:50, Tom Goulet (UID0) wrote:
>
> > Are the Debian kernels vulnerable to this hole?
> >
>
> This post to BugTraq by Andrzej Szombierski (who found the problem)
> includes a sample exploit for x86. You can use it to see if you are
> vulnerable.
>
> http://www.securityfocus.com/archive/1/315635

stupid question, but is chmod 700 /proc enough?
This exploit doesn't work anymore.
Do you have any exploit which works after a chmod 700 /proc?

Regards,
Ralf Dreibrodt
Re: howcome there's no DSA for the latest Linux ptrace hole?
On Thu, Mar 20, 2003 at 05:29:56PM -0800, Jon wrote:
> On Thu, 2003-03-20 at 14:50, Tom Goulet (UID0) wrote:
>
> > Are the Debian kernels vulnerable to this hole?
> >
>
> This post to BugTraq by Andrzej Szombierski (who found the problem)
> includes a sample exploit for x86. You can use it to see if you are
> vulnerable.

Isn't it the same bug for which Alan Cox (IIRC) provided a patch
recently (which was applied to kernel-source-2.4.20 version
2.4.20-3woody.2)?

http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00021.html

The exploit linked to from the mentioned post doesn't give me root on a
box with this kernel...

Marcin
--
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Re: howcome there's no DSA for the latest Linux ptrace hole?
Hi,

Guille -bisho- wrote:
> At least the 2.4.19 is vulnerable.
> A quick patch is to put an invalid binary on /proc/sys/kernel/modprobe
> instead of the real modprobe binary, and then you have time to compile
> out your kernel without having to run... :)

That seems to work only for the exploit provided by him, but not for the
isec proof-of-concept exploit. It's a better workaround to use the npt
module from http://www.securiteam.com/tools/5SP082K5GK.html .
This module will restrict the use of ptrace() to root. It's not a fix,
but a workaround!

- Alexander

--
"Real men don't take backups. They put their source on a public
FTP-server and let the world mirror it." -- Linus Torvalds
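Added example, not part of any post in this thread: a small POSIX shell check that reports whether each of the three workarounds the posters mention (the /proc/sys/kernel/modprobe helper path, the npt module, chmod 700 /proc) is currently in place. It reports settings only and says nothing about whether a given exploit still works; the ROOT prefix argument and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of the three
# workarounds discussed here. ROOT (first argument) is a hypothetical prefix
# so the checks can be pointed at a constructed directory tree instead of
# the live system; an empty ROOT means the running host.

# State of the kernel's module-loader helper path (/proc/sys/kernel/modprobe):
# "executable" if it names an executable file, "not-executable" otherwise.
modprobe_helper_state() {
    f="$1/proc/sys/kernel/modprobe"
    [ -r "$f" ] || { echo unknown; return 0; }
    helper=$(cat "$f" 2>/dev/null) || helper=""
    if [ -n "$helper" ] && [ -f "$1$helper" ] && [ -x "$1$helper" ]; then
        echo executable
    else
        echo not-executable
    fi
}

# "yes" if a module named npt appears in /proc/modules (first field = name).
npt_loaded() {
    if grep -q '^npt ' "$1/proc/modules" 2>/dev/null; then echo yes; else echo no; fi
}

# "yes" if /proc carries no group/other permission bits (e.g. mode 700).
proc_restricted() {
    perms=$(ls -ld "$1/proc" 2>/dev/null | cut -c5-10)
    if [ "$perms" = "------" ]; then echo yes; else echo no; fi
}

# One line per workaround, suitable for collecting from several hosts.
workaround_report() {
    echo "modprobe helper: $(modprobe_helper_state "$1")"
    echo "npt module loaded: $(npt_loaded "$1")"
    echo "/proc owner-only: $(proc_restricted "$1")"
}

workaround_report "${1:-}"
```
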
Re: howcome there's no DSA for the latest Linux ptrace hole?
>How come I don't see a Debian security advisory about the recently-found
>ptrace hole in Linux?
>
>Is it not really a hole? Or something?
>
>I think there should be an announcement even if the Debian kernels are
>not vulnerable, to explain that they're not.
>
>Are the Debian kernels vulnerable to this hole?

At least the 2.4.19 is vulnerable.

A quick patch is to put an invalid binary on /proc/sys/kernel/modprobe
instead of the real modprobe binary, and then you have time to compile
out your kernel without having to run... :)

--
bisho!
Re: howcome there's no DSA for the latest Linux ptrace hole?
On Thu, 2003-03-20 at 14:50, Tom Goulet (UID0) wrote:

> Are the Debian kernels vulnerable to this hole?
>

This post to BugTraq by Andrzej Szombierski (who found the problem)
includes a sample exploit for x86. You can use it to see if you are
vulnerable.

http://www.securityfocus.com/archive/1/315635

- Jon