Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote:
> > of proportion... Some things in security _have_ to be obscure. Your
> > password, for example. Or the primes used to generate your PGP private
> There's a difference between 'obscure' and 'secret'.

This is true.

> All you gain by removing kernel-loading capability from your kernel is to
> force a cracker to search memory to find entry points. That's like hiding
> the key to your door under your doormat.

That's not true. Or rather, if it is, then using the key is considerably harder than simply opening the door (which would be the equivalent of having module support, using your metaphor). But disabling module support isn't obscuring anything, it's genuinely changing the system. The attacker is in fact going to have to do something different and more difficult to modify the kernel.

You seem to be saying that if there is one way of achieving a security breach, then you shouldn't bother stopping other ways of achieving the same result. This is clearly ridiculous.

Yours,
Tim
-- 
Tim Nicholas                || Cilix
Email: [EMAIL PROTECTED]    || Wellington, New Zealand
http://tim.nicholas.net.nz/ || Cell/SMS: +64 21 337 204

Sir, I think you have a problem with your brain being missing.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote:
> > of proportion... Some things in security _have_ to be obscure. Your
> > password, for example. Or the primes used to generate your PGP private
> There's a difference between 'obscure' and 'secret'.

In this context, I'd suggest that the difference is that things that need to be obscured _might_ be security risks, or are high-effort risks (your password-protected GPG secret key) and things that need to be kept secret are the low-effort risks, or things that are known to open up the security (your GPG secret key passphrase).

> All you gain by removing kernel-loading capability from your kernel is to
> force a cracker to search memory to find entry points. That's like hiding
> the key to your door under your doormat.

No, the key's the same. It's the lock that's been moved. Or rather, removed... Now the key must be inserted into the keyhole in such a way as to drop the tumblers. Sure, someone experienced enough could do it easily, but the guy who just wanders past and decides to look under your mat will get discouraged.

Not that I'm suggesting that the earlier poster's security setup (you have to _be_ root to make this work anyway) is a doormat level of security... But the metaphor needed stretching. :-)

> > Security-by-obscurity refers to securing things by relying on the obscurity
> > of the _processes and functionality_ behind the security system,
> that fits this description.

No it doesn't. In this case, that would be hiding the Linux source code so that there was no reference to _find out_ how to load a module without modutils.

Besides, security through obscurity isn't all it's cracked down to be... Ask distributed.net how well their keyblock uploading code works, security wise...

-- 
Paul TBBle Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did, we'd be running around in darkened rooms, popping pills and listening to repetitive music.
-- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial use, duplication and distribution.
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 09:43:38PM +0200, Dariush Pietrzak wrote:
> > One reason is security: it's relatively easy for an intruder to install a
> > kernel module based rootkit, and then hide her processes, files or
> > connections.
> isn't it security-by-obscurity?

No, that's stretching the definition of security-by-obscurity all out of proportion... Some things in security _have_ to be obscure. Your password, for example. Or the primes used to generate your PGP private key.

Security-by-obscurity refers to securing things by relying on the obscurity of the _processes and functionality_ behind the security system, instead of the _data_ used to secure it. It's a bad idea because _processes and functionality_ is a much smaller search domain than _data_.

-- 
Paul TBBle Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did, we'd be running around in darkened rooms, popping pills and listening to repetitive music.
-- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial use, duplication and distribution.
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
> of proportion... Some things in security _have_ to be obscure. Your
> password, for example. Or the primes used to generate your PGP private
There's a difference between 'obscure' and 'secret'.

All you gain by removing kernel-loading capability from your kernel is to force a cracker to search memory to find entry points. That's like hiding the key to your door under your doormat.

> Security-by-obscurity refers to securing things by relying on the obscurity
> of the _processes and functionality_ behind the security system,
that fits this description.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Maurizio Lemmo - Tannoiser wrote:
> On Monday 31 March 2003, at 16:02, DouRiX wrote:
> > Does someone know where is debian about this issue ?
> > http://lwn.net/Articles/25669/
> i've noticed that there's kernel 2.4.20 with ptrace patch included, in
> proposed-update. For my purpose, i've backported that patch, for work with
> kernel 2.4.18 (from debian). works for me.
> patch with:
>   cd /path/to/source
>   patch -p1 < /path/to/patch
> you may find it here:
> http://erlug.linux.it/~tann/pkg/linux-2.4.18-ptrace-tann.patch
> (there's also a kernel image bf2.4 with patch incorporated, if you trust me.. :) )

thanks, but isn't there a trick to surpass the bug while waiting for debian updates ? or won't be there a 2.4.18 update ? :)

@+
-- 
DouRiX
[Advertising copy. Where sentences are replaced by participle phrases. Noun phrases. And dangling conjunctions. Bleah. -- Kbob]
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
> but isn't there a trick to surpass the bug while waiting for debian updates ?

What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.

  echo unexisting_binary > /proc/sys/kernel/modprobe

Can we trust this solution ? What's the effect ?

It seems to work fine, and to block the exploit on my box. But i don't know the effect on the system, since i guess this file has a good reason to be present on a debian box ... So is it a good idea to modify it this way ?

Thanx.
-- 
 __o      Marc Demlenne
_`\<,_    Public Key on www.keyserver.net
(_)/ (_)  GPG/768FA483 BFD8 E61B 180C 3E7A 3435 D393 B605 9979 768F A483
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
* Quoting Marc Demlenne ([EMAIL PROTECTED]):
>   echo unexisting_binary > /proc/sys/kernel/modprobe
> Can we trust this solution ? What's the effect ?

You can't dynamically load and unload modules anymore. If you load all the modules you need before doing it, you're fine.

> It seems to work fine, and to block the exploit on my box. But i don't
> know the effect on the system, since i guess this file has a good reason
> to be present on a debian box ... So is it a good idea to modify it this
> way ?

Until you've installed a patched kernel, yes, if you don't need to dynamically (un)load modules.

- rk
-- 
http://www.stop1984.com/
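A concrete way to verify what rk describes: before pointing the helper at something that cannot run, confirm every module you need is already resident, and afterwards confirm the kernel really has nothing it can execute. The script below is an added example, not code from the thread or from Debian. The function names, the default file paths and the `kernel.modules_disabled` sysctl it reports on (a one-way switch found on far newer kernels than the 2.2/2.4 ones discussed here; it does not exist on those) are my assumptions, and each function takes its input file as a parameter so the logic can be exercised against constructed copies as well as a live host.

```shell
#!/bin/sh
# Added example (not from the thread): audit the module-autoload
# workaround. Every function takes the file it reads as an optional
# argument, defaulting to the live procfs path, so the logic can be run
# against constructed files as well as a real host.

# 0 when the helper named in kernel.modprobe cannot be executed, so the
# kernel's request_module() calls fail and nothing gets autoloaded;
# 1 when autoloading works; 2 when the file cannot be read (no procfs).
# The kernel execs the value as a path, so "whatever", "x" or
# /this/doesnt/exist all disable autoloading; /sbin/modprobe enables it.
autoload_disabled() {
    f="${1:-/proc/sys/kernel/modprobe}"
    [ -r "$f" ] || return 2
    helper=$(cat "$f")
    if [ -n "$helper" ] && [ -x "$helper" ]; then
        return 1
    fi
    return 0
}

# 0 when kernel.modules_disabled is 1. Assumption: this sysctl is the
# modern (2.6.31 and later) one-way switch that refuses every module
# load, explicit or automatic, until reboot; it does not exist on
# 2.2/2.4 kernels, where this function returns 2.
modules_locked() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Print the name of every resident module, one per line (the first field
# of each /proc/modules line). This is the list that must already be
# complete before autoloading is switched off.
loaded_modules() {
    f="${1:-/proc/modules}"
    [ -r "$f" ] || return 2
    awk '{ print $1 }' "$f"
}

# Human-readable summary of all three checks; prints "autoload: disabled"
# when the workaround is in effect.
audit_report() {
    mp="${1:-/proc/sys/kernel/modprobe}"
    md="${2:-/proc/sys/kernel/modules_disabled}"
    mods="${3:-/proc/modules}"
    if autoload_disabled "$mp"; then
        echo "autoload: disabled (helper '$(cat "$mp")' is not executable)"
    elif [ -r "$mp" ]; then
        echo "autoload: ENABLED via $(cat "$mp")"
    else
        echo "autoload: $mp is not readable (no procfs?)"
    fi
    if modules_locked "$md"; then
        echo "modules_disabled: 1 (every module load is refused)"
    else
        echo "modules_disabled: not set or not supported by this kernel"
    fi
    echo "resident modules: $(loaded_modules "$mods" 2>/dev/null | wc -l | tr -d ' ')"
    loaded_modules "$mods" 2>/dev/null | sed 's/^/  /'
}

# Run the live audit only when asked, so sourcing the file stays silent:
#   sh audit-modules.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_report
fi
```

The report tells you whether the helper is disabled and what is resident; it says nothing about whether the ptrace bug itself is fixed. As Christian's later mail in this thread shows, results with the helper trick varied between boxes, so treat it as a stopgap and still install the patched kernel.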
Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 02:06:12PM +0200, Marc Demlenne wrote:
> > but isn't there a trick to surpass the bug while waiting for debian updates ?
> What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.
>   echo unexisting_binary > /proc/sys/kernel/modprobe
> Can we trust this solution ?

NO, it does not prevent the exploit. It does prevent the km3.c example exploit but not e.g. http://isec.pl/cliph/isec-ptrace-kmod-exploit.c

You have to patch the kernel or load and compile the following module: http://www.securiteam.com/tools/5SP082K5GK.html (no-ptrace-module.c)

bye,

-christian-
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tuesday 01 April 2003, at 14:20, DouRiX wrote:
> but isn't there a trick to surpass the bug while waiting for debian updates ?

Actually, yes. But i'm not really sure if it's a good workaround. Anyway: if you disable automatic module loading (a kernel feature), you may ignore this vulnerability. You may do this with:

  echo whatever > /proc/sys/kernel/modprobe

So, whenever some automatism invokes this, it produces an error. Unfortunately, you may not discriminate which process can do this safely and which not. In a server environment, where there's no need to load modules at run-time, it could be a usable workaround, but, in a workstation machine, i don't think that's a great idea. So, it's preferable to get the patch and recompile the kernel, or take the 2.4.20-patched kernel in proposed update.

my 0.2 cents.

> or won't be there a 2.4.18 update ? :)

I've never seen a kernel update; you may install different copies of them. I suppose that it will not be upgraded for this reason, and when the 2.4.20 is available (when it is well tested) you could simply install it. meanwhile... (this is why i backported the patch. i like stable things. 2.4.18 runs great for me. i'm not in a hurry for the new-verynew-release).

forgive my english.

-- 
Buffy: Is this a get-in-my-pants thing? You guys in Sunnydale talk like I'm the second coming.
--Buffy the Vampire Slayer: The Wish
Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
----- Original Message -----
From: Christian Hammers [EMAIL PROTECTED]
To: Marc Demlenne [EMAIL PROTECTED]
Cc: DouRiX [EMAIL PROTECTED]; Lutz Kittler [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, April 01, 2003 2:04 PM
Subject: Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

[snip]
> > What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.
> >   echo unexisting_binary > /proc/sys/kernel/modprobe
> > Can we trust this solution ?
> NO, it does not prevent the exploit. It does prevent the km3.c example
> exploit but not e.g. http://isec.pl/cliph/isec-ptrace-kmod-exploit.c

I'd have to disagree with you there. I've done this to one Debian box (3.0 running 2.2.20) and it does stop the above exploit:

$ echo /this/doesnt/exist > /proc/sys/kernel/modprobe
$ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
$ ./isec-ptrace-kmod-exploit
$ [+] Attached to 18765
(gets stuck here - have to use Ctrl+C)
$

> You have to patch the kernel or load and compile the following module:
> http://www.securiteam.com/tools/5SP082K5GK.html (no-ptrace-module.c)

The above is probably the better solution. But you can't beat patching the kernel, if it'll work - When are Debian going to release a DSA on this? :)

I'm running 2.2.19 from when I upgraded from 2.2r2 and can't apt-get the kernel-source-2.2.19 and same for 2.2.20. Most annoying. I don't want to upgrade to 2.4.x yet. If I could get the source for 2.2.19 or 2.2.20 from Debian then I could copy the configuration file from /boot as .config and then just apply the kernel patch and make oldconfig without having to re-do the config again. Downloading the source from kernel.org and trying to use the config in /boot has 'new features' and things. (I'm not too confident at compiling the kernel and the default Debian one is fine!).

Regards,
David.
-- 
David Ramsden
http://portal.hexstream.eu.org/
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> In a server environment, where there's no need to load modules at run-time,
> it could be a usable workaround, but, in a workstation machine, i don't
> think that's a great idea.

In a server environment it is preferable not to compile with modules at all.

-- 
IN MY NAME: Dale Amon, CEO/MD
No Mushroom clouds over Islandone Society
London and New York. www.islandone.org
Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 02:40:44PM +0100, David Ramsden wrote:
> > >   echo unexisting_binary > /proc/sys/kernel/modprobe
> > > Can we trust this solution ?
> > NO, it does not prevent the exploit. It does prevent the km3.c example
> > exploit but not e.g. http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
> I'd have to disagree with you there. I've done this to one Debian box (3.0
> running 2.2.20) and it does stop the above exploit:
> 
> $ echo /this/doesnt/exist > /proc/sys/kernel/modprobe
> $ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
> $ ./isec-ptrace-kmod-exploit
> $ [+] Attached to 18765
> (gets stuck here - have to use Ctrl+C)
> $

Can it be that you had loaded no-ptrace-module.o or someone patched your kernel? See:

$ uname -r
2.4.19
$ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
In file included from /usr/include/asm/user.h:5,
                 from /usr/include/linux/user.h:1,
                 from isec-ptrace-kmod-exploit.c:37:
/usr/include/linux/ptrace.h:22: warning: `PTRACE_SYSCALL' redefined
/usr/include/sys/ptrace.h:103: warning: this is the location of the previous definition
(it's a very old machine, works fine on others)
$ id
uid=1001(ch) gid=1005(ch) groups=1005(ch)
$ ls -al isec-ptrace-kmod-exploit*
-rwxr-xr-x    1 ch       ch           8964 Apr  1 17:46 isec-ptrace-kmod-exploit
-rw-r--r--    1 ch       ch           3737 Apr  1 17:45 isec-ptrace-kmod-exploit.c
$ ./isec-ptrace-kmod-exploit
[+] Attached to 4660
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4000ecb4
[+] Now wait for suid shell...
sh-2.03# exit
exit

Q.E.D. :-)

bye,

-christian-

-- 
That's one small step for man, one giant leap for mankind
  - first words of a human on the moon, Neil Armstrong 1969
Let's get this motherfucker out of here!
  - last words of a human on the moon, Eugene Cernan 1972
Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
----- Original Message -----
From: Christian Hammers [EMAIL PROTECTED]
To: David Ramsden [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 01, 2003 4:48 PM
Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

[snip]
> Can it be that you had loaded no-ptrace-module.o or someone patched your
> kernel? See:
[snip]

It's the 2.2.20 kernel from Debian (did an apt-get install of the .deb kernel-image package). I then did:

  echo '/this/doesnt/exist' > /proc/sys/kernel/modprobe

And tried what you did Christian. See below:

$ uname -r
2.2.20
$ gcc ptrace-kmod.c -o ptrace-kmod
$ ls -al ptrace-kmod*
-rwxr-xr-x    1 scarlet  scarlet      9028 Apr  1 17:40 ptrace-kmod
-rw-r--r--    1 scarlet  scarlet      3736 Apr  1 17:37 ptrace-kmod.c
$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ ./ptrace-kmod
[-] Unable to attach: Operation not permitted
Killed
$ ./ptrace-kmod
$ ./ptrace-kmod
[+] Attached to 25763
$ ./ptrace-kmod
[+] Attached to 25770
$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ cat /proc/sys/kernel/modprobe
/this/doesnt/exist
$

I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't been patched. I can echo '/sbin/modprobe' > /proc/sys/kernel/modprobe and try the above and I'll get a root prompt first time.

Maybe it doesn't work for the 2.4.x kernel series? Can anyone else try this maybe and report back :-)

Cheers.
David.
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > In a server environment, where there's no need to load modules at run-time,
> > it could be a usable workaround, but, in a workstation machine, i don't
> > think that's a great idea.
> 
> In a server environment it is preferable not to compile with modules at all.

Why?

Marcin
-- 
Marcin Owsiany [EMAIL PROTECTED]
http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
* Marcin Owsiany ([EMAIL PROTECTED]) wrote:
> On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > > In a server environment, where there's no need to load modules at
> > > run-time, it could be a usable workaround, but, in a workstation
> > > machine, i don't think that's a great idea.
> > 
> > In a server environment it is preferable not to compile with modules at all.
> 
> Why?

One reason is security: it's relatively easy for an intruder to install a kernel module based rootkit, and then hide her processes, files or connections.
Re: [d-security] Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 05:46:46PM +0100, David Ramsden wrote:
> I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't
> been patched. I can echo '/sbin/modprobe' > /proc/sys/kernel/modprobe and
> try the above and I'll get a root prompt first time.

Ok, I have to admit that I'm unable to reproduce it now. Maybe it made an error the first time (I took the screen output and URLs in the last mail from an old email from me that I archived).

But it's still the preferable solution as it does not break module autoloading :-)

bye,

-christian-
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Hi,

David Barroso wrote:
> * Marcin Owsiany ([EMAIL PROTECTED]) wrote:
> > On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> > > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > > > In a server environment, where there's no need to load modules at
> > > > run-time, it could be a usable workaround, but, in a workstation
> > > > machine, i don't think that's a great idea.
> > > 
> > > In a server environment it is preferable not to compile with modules at all.
> > 
> > Why?
> 
> One reason is security: it's relatively easy for an intruder to install a
> kernel module based rootkit, and then hide her processes, files or
> connections.

i have an old kernel with modules and didn't update it, because of the ptrace bug. this is the reason why:

www1:~# grep CAP_SYS_MODULE /etc/lids/lids.cap
-16:CAP_SYS_MODULE
www1:~# grep CAP_SYS_PTRACE /etc/lids/lids.cap
-19:CAP_SYS_PTRACE

For fun i tried the exploit, it didn't work, it needs access to /proc. I gave that user access to /proc and tried it again. The user got logged out, i got an email.

Regards,
Ralf Dreibrodt
-- 
Mesos               Telefon 49 221 4855798-1
Eupener Str. 150    Fax     49 221 4855798-9
50933 Koeln         Mail    [EMAIL PROTECTED]
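The LIDS configuration Ralf quotes withholds two capabilities system-wide, CAP_SYS_MODULE and CAP_SYS_PTRACE. Below is a small added example, not from the thread and not LIDS's own code, that parses a file in the `[+-]N:CAP_NAME` line format visible in that grep output (a leading `-` meaning the capability is removed) and answers the question an admin on such a box would ask: are both of those capabilities actually withheld? The function names, the handling of comment lines, and the treatment of a capability missing from the file (reported as not removed) are my assumptions; the file path is a parameter so the constructed sample in the usage can be checked without a LIDS install.

```shell
#!/bin/sh
# Added example, not from the thread: report which capabilities a LIDS
# capability file removes. Assumed line format, taken from the grep
# output quoted above: "[+-]<number>:<CAP_NAME>", '+' = granted,
# '-' = removed. '#' comment lines and blank lines are skipped.

# Print the name of every capability the file marks as removed ('-'),
# one per line. Returns 2 if the file cannot be read.
lids_removed_caps() {
    f="${1:-/etc/lids/lids.cap}"
    [ -r "$f" ] || return 2
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        $1 ~ /^[[:space:]]*-/ {                # leading "-" means removed
            gsub(/[[:space:]]/, "", $2)        # drop stray whitespace
            print $2
        }' "$f"
}

# 0 if CAP_NAME is removed, 1 otherwise. A capability absent from the
# file is reported as not removed (assumption; check the LIDS docs for
# the version in use).
lids_cap_removed() {
    cap="$1"
    f="${2:-/etc/lids/lids.cap}"
    lids_removed_caps "$f" | grep -qx "$cap"
}

# 0 only when both module loading and ptrace are withheld, the pair that
# held in Ralf's test above. Either one still granted is worth flagging.
lids_blocks_kmod_and_ptrace() {
    f="${1:-/etc/lids/lids.cap}"
    lids_cap_removed CAP_SYS_MODULE "$f" && lids_cap_removed CAP_SYS_PTRACE "$f"
}

# Usage on a LIDS host:  sh lids-caps.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "removed capabilities:"
    lids_removed_caps | sed 's/^/  /'
    if lids_blocks_kmod_and_ptrace; then
        echo "CAP_SYS_MODULE and CAP_SYS_PTRACE: both removed"
    else
        echo "WARNING: CAP_SYS_MODULE or CAP_SYS_PTRACE is still granted"
    fi
fi
```

Run against a constructed file such as `-16:CAP_SYS_MODULE` plus `-19:CAP_SYS_PTRACE`, `lids_blocks_kmod_and_ptrace` succeeds; flip either entry to `+` and it fails, which is the regression a config change on such a host should be checked for.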
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, 01 Apr 2003 at 07:49:29PM +0200, David Barroso wrote:
> One reason is security: it's relatively easy for an intruder to install a
> kernel module based rootkit, and then hide her processes, files or
> connections.

Ahh, yea. Assuming an intruder made his way in with root privs couldn't he also modify /dev/kmem or directly access the kernel memory by some other means? I believe this topic has also been discussed in the past (dig deep into the archives) and it was concluded that not allowing modules to be loaded does not really protect you from your kernel being modified at run-time.

-- 
Phil

PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #35: Secretary plugged hairdryer into UPS
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
* Dariush Pietrzak ([EMAIL PROTECTED]) wrote:
> > One reason is security: it's relatively easy for an intruder to install a
> > kernel module based rootkit, and then hide her processes, files or
> > connections.
> isn't it security-by-obscurity? Determined hacker can still relatively
> easily insert code into kernel (vide Phrack magazine articles)

True, but not in such an automated way, and definitely more advanced skills would be needed. It's not security-by-obscurity at all, it's only one layer of basic protection.
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, 01 Apr 2003 13:57:10 EST, Phillip Hofmeister writes:
> Assuming an intruder made his way in with root privs couldn't he also
> modify /dev/kmem or directly access the kernel memory by some other means?
> I believe this topic has also been discussed in the past (dig deep into
> the archives) and it was concluded that not allowing modules to be loaded
> does not really protect you from your kernel being modified at run-time.

Not allowing modules to be loaded doesn't protect you in much the same way as a solid oak door with a 1 deadbolt doesn't make your house secure.

Security isn't an absolute all-or-nothing thing. More difficult to exploit == more secure. Less difficult to exploit == less secure. Good security design is about making it more secure. You don't try to make it completely secure, because that's impossible(*). You just make it more and more secure, until it is secure enough for the expected threats.

Somebody with a chainsaw, welding torch, and/or lots of explosives can break into my house, even with my solid oak door. I don't use this as an excuse to not bother locking my door.

---
Wade

*Some people think that a computer with no network or power at the bottom of a well that's been filled with concrete is secure. I don't think so, I think that it's just going to take a little digging before a cracker can break into it.
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 01:57:10PM -0500, Phillip Hofmeister wrote:
> Assuming an intruder made his way in with root privs couldn't he also
> modify /dev/kmem or directly access the kernel memory by some other means?
> I believe this topic has also been discussed in the past (dig deep into
> the archives) and it was concluded that not allowing modules to be loaded
> does not really protect you from your kernel being modified at run-time.

You have to use grsec to close the others up. A grey hat friend of mine noted that a rootkit module was his favorite hack when he was in that line of work.

-- 
IN MY NAME: Dale Amon, CEO/MD
No Mushroom clouds over Islandone Society
London and New York. www.islandone.org
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
> but isn't there a trick to surpass the bug while waiting for debian updates ?
> or won't be there a 2.4.18 update ? :)

You can disable autoloading for kernel modules:

  echo x > /proc/sys/kernel/modprobe

lutz
Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: Marc Demlenne [EMAIL PROTECTED]
Cc: DouRiX [EMAIL PROTECTED]; Lutz Kittler [EMAIL PROTECTED]; debian-security@lists.debian.org
Sent: Tuesday, April 01, 2003 2:04 PM
Subject: Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

[snip]
> > What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.
> > echo unexisting_binary > /proc/sys/kernel/modprobe
> > Can we trust this solution ?
>
> NO, it does not prevent the exploit. It does prevent the km3.c example exploit but not e.g. http://isec.pl/cliph/isec-ptrace-kmod-exploit.c

I'd have to disagree with you there. I've done this to one Debian box (3.0 running 2.2.20) and it does stop the above exploit:

$ echo /this/doesnt/exist > /proc/sys/kernel/modprobe
$ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
$ ./isec-ptrace-kmod-exploit
[+] Attached to 18765
(gets stuck here - have to use Ctrl+C)
$

> You have to patch the kernel or load and compile the following module: http://www.securiteam.com/tools/5SP082K5GK.html (no-ptrace-module.c)

The above is probably the better solution. But you can't beat patching the kernel, if it'll work - When are Debian going to release a DSA on this? :)

I'm running 2.2.19 from when I upgraded from 2.2r2 and can't apt-get the kernel-source-2.2.19 and same for 2.2.20. Most annoying. I don't want to upgrade to 2.4.x yet. If I could get the source for 2.2.19 or 2.2.20 from Debian then I could copy the configuration file from /boot as .config and then just apply the kernel patch and make oldconfig without having to re-do the config again. Downloading the source from kernel.org and trying to use the config in /boot has 'new features' and things. (I'm not too confident at compiling the kernel and the default Debian one is fine!).

Regards,
David.
--
David Ramsden
http://portal.hexstream.eu.org/
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> In a server environment, where there is no need to load modules at run-time, it could be a usable workaround, but, on a workstation machine, I don't think that's a great idea.

In a server environment it is preferable not to compile with modules at all.

--
IN MY NAME:                 Dale Amon, CEO/MD
No Mushroom clouds over     Islandone Society
London and New York.        www.islandone.org
Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 02:40:44PM +0100, David Ramsden wrote:
> > > echo unexisting_binary > /proc/sys/kernel/modprobe
> > > Can we trust this solution ?
> >
> > NO, it does not prevent the exploit. It does prevent the km3.c example exploit but not e.g. http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
>
> I'd have to disagree with you there. I've done this to one Debian box (3.0 running 2.2.20) and it does stop the above exploit:
>
> $ echo /this/doesnt/exist > /proc/sys/kernel/modprobe
> $ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
> $ ./isec-ptrace-kmod-exploit
> [+] Attached to 18765
> (gets stuck here - have to use Ctrl+C)
> $

Can it be that you had loaded no-ptrace-module.o or someone patched your kernel? See:

$ uname -r
2.4.19
$ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
In file included from /usr/include/asm/user.h:5,
                 from /usr/include/linux/user.h:1,
                 from isec-ptrace-kmod-exploit.c:37:
/usr/include/linux/ptrace.h:22: warning: `PTRACE_SYSCALL' redefined
/usr/include/sys/ptrace.h:103: warning: this is the location of the previous definition
(it's a very old machine, works fine on others)
$ id
uid=1001(ch) gid=1005(ch) groups=1005(ch)
$ ls -al isec-ptrace-kmod-exploit*
-rwxr-xr-x    1 ch       ch           8964 Apr  1 17:46 isec-ptrace-kmod-exploit
-rw-r--r--    1 ch       ch           3737 Apr  1 17:45 isec-ptrace-kmod-exploit.c
$ ./isec-ptrace-kmod-exploit
[+] Attached to 4660
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4000ecb4
[+] Now wait for suid shell...
sh-2.03# exit
exit

Q.E.D. :-)

bye,
-christian-

--
That's one small step for man, one giant leap for mankind
 - first words of a human on the moon, Neil Armstrong 1969
Let's get this motherfucker out of here!
 - last words of a human on the moon, Eugene Cernan 1972
Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: David Ramsden [EMAIL PROTECTED]
Cc: debian-security@lists.debian.org
Sent: Tuesday, April 01, 2003 4:48 PM
Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

[snip]
> Can it be that you had loaded no-ptrace-module.o or someone patched your kernel? See:
[snip]

It's the 2.2.20 kernel from Debian (did an apt-get install of the .deb kernel-image package). I then did:

echo '/this/doesnt/exist' > /proc/sys/kernel/modprobe

And tried what you did Christian. See below:

$ uname -r
2.2.20
$ gcc ptrace-kmod.c -o ptrace-kmod
$ ls -al ptrace-kmod*
-rwxr-xr-x    1 scarlet  scarlet      9028 Apr  1 17:40 ptrace-kmod
-rw-r--r--    1 scarlet  scarlet      3736 Apr  1 17:37 ptrace-kmod.c
$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ ./ptrace-kmod
[-] Unable to attach: Operation not permitted
Killed
$ ./ptrace-kmod
$ ./ptrace-kmod
[+] Attached to 25763
$ ./ptrace-kmod
[+] Attached to 25770
$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ cat /proc/sys/kernel/modprobe
/this/doesnt/exist
$

I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't been patched. I can echo '/sbin/modprobe' > /proc/sys/kernel/modprobe and try the above and I'll get a root prompt first time.

Maybe it doesn't work for the 2.4.x kernel series? Can anyone else try this maybe and report back :-)

Cheers.
David.
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > In a server environment, where there is no need to load modules at run-time, it could be a usable workaround, but, on a workstation machine, I don't think that's a great idea.
>
> In a server environment it is preferable not to compile with modules at all.

Why?

Marcin
--
Marcin Owsiany [EMAIL PROTECTED]
http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
* Marcin Owsiany ([EMAIL PROTECTED]) wrote:
> On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > > In a server environment, where there is no need to load modules at run-time, it could be a usable workaround, but, on a workstation machine, I don't think that's a great idea.
> >
> > In a server environment it is preferable not to compile with modules at all.
>
> Why?

One reason is security: it's relatively easy for an intruder to install a kernel module based rootkit, and then hide her processes, files or connections.
Re: [d-security] Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 05:46:46PM +0100, David Ramsden wrote:
> I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't been patched. I can echo '/sbin/modprobe' > /proc/sys/kernel/modprobe and try the above and I'll get a root prompt first time.

Ok, I have to admit, that I'm unable to reproduce it now. Maybe it made an error the first time (I took the screen output and URLs in the last mail from an old email from me that I archived). But it's still the preferable solution as it does not break module autoloading :-)

bye,
-christian-
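The workaround Maurizio suggests above and David Ramsden tests on his 2.2.20 box, pointing /proc/sys/kernel/modprobe at a path that does not exist, is trivial to type but just as easy to get wrong: a value that happens to name an existing binary leaves module autoloading silently on. The script below is an added example, not code from the thread or from any of its posters. It wraps the sysctl write in functions that read the value back and classify it, and takes the sysctl file as a parameter so the functions can be exercised on a scratch file; on a live box run it as root with no file argument (the file only exists when the kernel was built with kmod support). The helper path /this/doesnt/exist is David's; the function names and the usable/blocked/unknown states are my own. Note what this does and does not buy you: it only stops the kernel from spawning a module-loading helper, which is the path the circulating exploits use, and the thread itself does not settle whether that holds on every kernel (David sees the isec exploit blocked on 2.2.20, Christian first reports it succeeding on 2.4.19 and then cannot reproduce that), so treat it as a stopgap until the patched kernel is installed.

```shell
# Added example: manage the "bogus modprobe helper" workaround from the
# thread and verify what it does. Not from the original posts; the sysctl
# file is a parameter so the functions can be tried on a scratch file.
# On a live box run as root and pass no file argument.

MODPROBE_SYSCTL=/proc/sys/kernel/modprobe

# What would the kernel's request_module() do with the configured helper?
#   usable  - path exists and is executable: autoloading still works
#   blocked - path missing or not executable: the workaround is in place
#   unknown - sysctl file not readable (no kmod support, no /proc, ...)
helper_state() {
    f=${1:-$MODPROBE_SYSCTL}
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    helper=$(head -n 1 "$f")
    if [ -n "$helper" ] && [ -x "$helper" ]; then
        echo usable
    else
        echo blocked
    fi
}

# Point the kernel at a helper that cannot run, then read the value back.
# Refuses a path that exists: that would leave autoloading silently on.
disable_autoload() {
    f=${1:-$MODPROBE_SYSCTL}
    bogus=${2:-/this/doesnt/exist}
    if [ -e "$bogus" ]; then
        echo "refusing: $bogus exists, pick a path that does not" >&2
        return 1
    fi
    printf '%s\n' "$bogus" > "$f" || return 1
    if [ "$(head -n 1 "$f")" != "$bogus" ]; then
        echo "readback mismatch on $f" >&2
        return 1
    fi
    [ "$(helper_state "$f")" = blocked ]
}

# Undo: hand module autoloading back to the real helper.
restore_autoload() {
    f=${1:-$MODPROBE_SYSCTL}
    real=${2:-/sbin/modprobe}
    printf '%s\n' "$real" > "$f" || return 1
    [ "$(head -n 1 "$f")" = "$real" ]
}

# Informational: without module support there is nothing to autoload,
# which is the "do not compile with modules at all" position in the thread.
modules_supported() {
    [ -e /proc/modules ]
}
```

On a live machine the sequence is `helper_state` (expect `usable`), `disable_autoload` (expect exit status 0 and `helper_state` printing `blocked`), and `restore_autoload` once the patched kernel is in place. Because the value is read back after every write, a typo or a path that unexpectedly exists is reported instead of being trusted.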
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Hi,

David Barroso wrote:
> * Marcin Owsiany ([EMAIL PROTECTED]) wrote:
> > On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> > > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > > > In a server environment, where there is no need to load modules at run-time, it could be a usable workaround, but, on a workstation machine, I don't think that's a great idea.
> > >
> > > In a server environment it is preferable not to compile with modules at all.
> >
> > Why?
>
> One reason is security: it's relatively easy for an intruder to install a kernel module based rootkit, and then hide her processes, files or connections.

I have an old kernel with modules and didn't update it, because of the ptrace bug. This is the reason why:

www1:~# grep CAP_SYS_MODULE /etc/lids/lids.cap
-16:CAP_SYS_MODULE
www1:~# grep CAP_SYS_PTRACE /etc/lids/lids.cap
-19:CAP_SYS_PTRACE

For fun I tried the exploit, it didn't work, it needs access to /proc. I gave that user access to /proc and tried it again. The user got logged out, I got an email.

Regards,
Ralf Dreibrodt
--
Mesos                 Telefon 49 221 4855798-1
Eupener Str. 150      Fax     49 221 4855798-9
50933 Koeln           Mail    [EMAIL PROTECTED]
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, 01 Apr 2003 at 07:49:29PM +0200, David Barroso wrote:
> One reason is security: it's relatively easy for an intruder to install a kernel module based rootkit, and then hide her processes, files or connections.

Ahh, yea. Assuming an intruder made his way in with root privs couldn't he also modify /dev/kmem or directly access the kernel memory by some other means? I believe this topic has also been discussed in the past (dig deep into the archives) and it was concluded that not allowing modules to be loaded does not really protect you from your kernel being modified at run-time.

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #35: Secretary plugged hairdryer into UPS
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
> One reason is security: it's relatively easy for an intruder to install a kernel module based rootkit, and then hide her processes, files or connections.

Isn't it security-by-obscurity? A determined hacker can still relatively easily insert code into the kernel (vide Phrack magazine articles)

--
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
* Dariush Pietrzak ([EMAIL PROTECTED]) wrote:
> > One reason is security: it's relatively easy for an intruder to install a kernel module based rootkit, and then hide her processes, files or connections.
>
> Isn't it security-by-obscurity? A determined hacker can still relatively easily insert code into the kernel (vide Phrack magazine articles)

True, but not in such an automated way and definitely more advanced skills would be needed. It's not security-by-obscurity at all, it's only one layer of basic protection.
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, 01 Apr 2003 13:57:10 EST, Phillip Hofmeister writes:
> Assuming an intruder made his way in with root privs couldn't he also modify /dev/kmem or directly access the kernel memory by some other means? I believe this topic has also been discussed in the past (dig deep into the archives) and it was concluded that not allowing modules to be loaded does not really protect you from your kernel being modified at run-time.

Not allowing modules to be loaded doesn't protect you in much the same way as a solid oak door with a 1 deadbolt doesn't make your house secure.

Security isn't an absolute all-or-nothing thing. More difficult to exploit == more secure. Less difficult to exploit == less secure. Good security design is about making it more secure. You don't try to make it completely secure, because that's impossible(*). You just make it more and more secure, until it is secure enough for the expected threats.

Somebody with a chainsaw, welding torch, and/or lots of explosives can break into my house, even with my solid oak door. I don't use this as an excuse to not bother locking my door.

---
Wade

* Some people think that a computer with no network or power at the bottom of a well that's been filled with concrete is secure. I don't think so, I think that it's just going to take a little digging before a cracker can break into it.
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 01:57:10PM -0500, Phillip Hofmeister wrote:
> Assuming an intruder made his way in with root privs couldn't he also modify /dev/kmem or directly access the kernel memory by some other means? I believe this topic has also been discussed in the past (dig deep into the archives) and it was concluded that not allowing modules to be loaded does not really protect you from your kernel being modified at run-time.

You have to use grsec to close the others up. A grey hat friend of mine noted that a rootkit module was his favorite hack when he was in that line of work.

--
IN MY NAME:                 Dale Amon, CEO/MD
No Mushroom clouds over     Islandone Society
London and New York.        www.islandone.org
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Maurizio Lemmo - Tannoiser wrote:
> On Monday 31 March 2003, at 16:02, DouRiX wrote:
> > Does someone know where is debian about this issue ? http://lwn.net/Articles/25669/
>
> I've noticed that there's a kernel 2.4.20 with the ptrace patch included, in proposed-updates. For my purpose, I've backported that patch, to work with kernel 2.4.18 (from Debian). Works for me. Patch with:
>
> cd /path/to/source
> patch -p1 < /path/to/patch
>
> You may find it here: http://erlug.linux.it/~tann/pkg/linux-2.4.18-ptrace-tann.patch
> (there's also a kernel image bf2.4 with the patch incorporated, if you trust me.. :) )

thanks, but isn't there a trick to surpass the bug while waiting for debian updates ? or won't be there a 2.4.18 update ? :)

@+
--
DouRiX
[Advertising copy. Where sentences are replaced by participle phrases. Noun phrases. And dangling conjunctions. Bleah. -- Kbob]
[Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Hi everybody,

Does someone know where is debian about this issue ? http://lwn.net/Articles/25669/

I see that there is already an update but only for mips (http://www.debian.org/security/2003/dsa-270), do you know why ?

Thanks in advance,
--
DouRiX
[Don't fear, Just play the game ... -- ]
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Monday 31 March 2003, at 16:02, DouRiX wrote:
> Does someone know where is debian about this issue ? http://lwn.net/Articles/25669/

I've noticed that there's a kernel 2.4.20 with the ptrace patch included, in proposed-updates. For my purpose, I've backported that patch, to work with kernel 2.4.18 (from Debian). Works for me. Patch with:

cd /path/to/source
patch -p1 < /path/to/patch

You may find it here: http://erlug.linux.it/~tann/pkg/linux-2.4.18-ptrace-tann.patch
(there's also a kernel image bf2.4 with the patch incorporated, if you trust me.. :) )

--
Master: You killed the girl that sought the Slayer?
Xander: It was too easy.
Willow: I felt cheap.
--Buffy the Vampire Slayer: The Wish
Re: ptrace vulnerability?
> His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

same here...:(

Why is most of what this patch does changing kernel_thread into arch_kernel_thread? The only useful thing I see is an added check for 'is_dumpable' in ptrace_check_attach, and an is_dumpable macro that checks tsk and also tsk->mm for 'is_dumpable'. Is this ok?

--
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: ptrace vulnerability?
On Tue, 2003-03-18 at 08:04, Giacomo Mulas wrote:
> Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already or should we humble users, in the meantime, take the original patch and apply it, while the official thing gets worked out?

Hi,

I've an unofficial Debian package called kernel-patch-ptrace in my own deb repository[1]. It was tested on i386, the patch applies fine over the kernel-source-2.4.20 package. Feel free to use it at your own risk and send me any feedback.

Only two modifications from the original patch by Alan Cox:
- The arch/um part was commented out because kernel-source-2.4.20 doesn't have user mode linux!
- The third hunk of sched.h was commented out because the associated function wasn't found in kernel-source-2.4.20.

[1] = deb http://legolas.alternex.com.br/~stratus/debian/ ./

Cheers,
--
Gustavo Franco [EMAIL PROTECTED]
ptrace vulnerability?
Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already or should we humble users, in the meantime, take the original patch and apply it, while the official thing gets worked out?

Bye
Giacomo

--
Giacomo Mulas [EMAIL PROTECTED]
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel. (OAC): +39 070 71180 248   Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
When the storms are raging around you, stay right where you are (Freddy Mercury)
Re: ptrace vulnerability?
On Tue 18/03/2003 at 13:04, Giacomo Mulas wrote:
> On Tue, 18 Mar 2003, Giacomo Mulas wrote:
> > Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already or should we humble users, in the meantime, take the original patch and apply it, while the official thing gets worked out?
>
> Apparently the kernel source debian package maintainer already answered my previous question in the best possible way, making available the patched package immediately. The responsiveness of the Debian community is really something to be proud about: thanks Herbert!

Hi,

what packages are available *exactly* and where? I don't see any upgrade in security nor any DSA...

Thanks,
SEb

> Bye
> Giacomo

--
Sebastien Chaumat [EMAIL PROTECTED]
Re: ptrace vulnerability?
His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

--On Tuesday, March 18, 2003 12:04 PM +0100 Giacomo Mulas [EMAIL PROTECTED] wrote:
> Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already or should we humble users, in the meantime, take the original patch and apply it, while the official thing gets worked out?
>
> Bye
> Giacomo

--
Jason Rashaad Jackson
UNIX Systems Administrator
3556 Samuel T. Dana Building    (W) 734.615.1422
Ann Arbor, MI 48109             (M) 734.649.6641
http://www.umich.edu/~jrashaad  (F) 734.763.8965
Re: ptrace vulnerability?
On Tue, 2003-03-18 at 21:40, Jason Rashaad Jackson wrote: His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on. Here's a cut and paste from Lwn.net :) Ptrace vulnerability in 2.2 and 2.4 kernels From: Alan Cox [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Ptrace vulnerability in Linux 2.2/2.4 Date: Mon, 17 Mar 2003 11:00:16 -0500 (EST) Vulnerability: CAN-2003-0127 The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable. Linux 2.2.25 has been released to correct Linux 2.2. It contains no other changes. The bug fixes that would have been in 2.2.5pre1 will now appear in 2.2.26pre1. The patch will apply directly to most older 2.2 releases. A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also subtly changes the PR_SET_DUMPABLE prctl. We believe this is neccessary and that it will not affect any software. The functionality change is specific to unusual debugging situations. We would like to thank Andrzej Szombierski who found the problem, and wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van de Ven and Ben LaHaise identified additional problems with the original fix. Alan diff -purN linux.orig/arch/alpha/kernel/entry.S linux/arch/alpha/kernel/entry.S --- linux.orig/arch/alpha/kernel/entry.SThu Mar 13 12:01:46 2003 +++ linux/arch/alpha/kernel/entry.S Thu Mar 13 13:28:49 2003 
@@ -231,12 +231,12 @@ kernel_clone: .end kernel_clone /* - * kernel_thread(fn, arg, clone_flags) + * arch_kernel_thread(fn, arg, clone_flags) */ .align 3 .globl kernel_thread .ent kernel_thread -kernel_thread: +arch_kernel_thread: ldgp$29,0($27) /* we can be called from a module */ .frame $30, 4*8, $26 subq$30,4*8,$30 diff -purN linux.orig/arch/arm/kernel/process.c linux/arch/arm/kernel/process.c --- linux.orig/arch/arm/kernel/process.cThu Mar 13 12:01:29 2003 +++ linux/arch/arm/kernel/process.c Thu Mar 13 13:25:56 2003 @@ -366,7 +366,7 @@ void dump_thread(struct pt_regs * regs, * a system call from a real process, but the process memory space will * not be free'd until both the parent and the child have exited. */ -pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) +pid_t arch_kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) { pid_t __ret; diff -purN linux.orig/arch/cris/kernel/entry.S linux/arch/cris/kernel/entry.S --- linux.orig/arch/cris/kernel/entry.S Thu Mar 13 12:01:29 2003 +++ linux/arch/cris/kernel/entry.S Thu Mar 13 13:30:30 2003 @@ -736,12 +736,12 @@ hw_bp_trig_ptr: * the grosser the code, at least with the gcc version in cris-dist-1.13. */ -/* int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) */ +/* int arch_kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) */ /* r10r11 r12 */ .text - .global kernel_thread -kernel_thread: + .global arch_kernel_thread +arch_kernel_thread: /* Save ARG for later. */ move.d $r11, $r13 diff -purN linux.orig/arch/i386/kernel/process.c linux/arch/i386/kernel/process.c --- linux.orig/arch/i386/kernel/process.c Thu Mar 13 12:01:57 2003 +++ linux/arch/i386/kernel/process.cThu Mar 13 13:26:08 2003 @@ -495,7 +495,7 @@ void release_segments(struct mm_struct * /* * Create a kernel thread */ -int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) +int arch_kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) { long retval, d0; 
@@ -518,6 +518,7 @@ int kernel_thread(int (*fn)(void *), voi r (arg), r (fn), b (flags | CLONE_VM) : memory); + return retval; } diff -purN linux.orig/arch/ia64/kernel/process.c linux/arch/ia64/kernel/process.c --- linux.orig/arch/ia64/kernel/process.c Thu Mar 13 12:01:29 2003 +++ linux/arch/ia64/kernel/process.cThu Mar 13 13:26:15 2003 @@ -220,7 +220,7 @@ ia64_load_extra (struct task_struct *tas * | | -- sp (lowest addr) * +-+ * - * Note: if we get called through kernel_thread() then the memory + * Note: if we get called through arch_kernel_thread() then the memory * above (highest addr) is valid kernel stack memory that needs to * be copied as well. * @@ -469,7 +469,7 @@ ia64_set_personality (struct elf64_hdr * } pid_t -kernel_thread (int (*fn)(void *), void *arg, unsigned long flags) +arch_kernel_thread (int (*fn)(void *), void *arg
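Review bot: the arch/alpha/kernel/entry.S hunk renames only the comment and the label (`-kernel_thread:` / `+arch_kernel_thread:`), while the `.globl kernel_thread` and `.ent kernel_thread` directives two lines above it are left as unchanged context, so the assembler is told to export and open a procedure called kernel_thread that no longer has a label and arch_kernel_thread is never made global; rename both directives in the same hunk (`.globl arch_kernel_thread`, `.ent arch_kernel_thread`), the way the arch/cris/kernel/entry.S hunk already renames its `.global`, and check that the procedure's closing `.end` (outside the hunk) gets the same treatment.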
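Review bot: the second arch/i386/kernel/process.c hunk (`@@ -518,6 +518,7 @@`) adds nothing but an empty `+` line between the asm statement's `: memory);` and `return retval;`; a whitespace-only change has no bearing on the fix and only makes the patch noisier and harder to apply to other trees (the 2.4.18 backport mentioned in this thread, for instance), so drop it.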
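Review bot: the arch/ia64/kernel/process.c hunks, like the alpha, arm, cris and i386 ones before them, only rename the per-architecture definition to arch_kernel_thread and update a comment; nothing in the portion pasted here defines the generic kernel_thread() that these renamed functions are evidently meant to sit behind, nor the is_dumpable check in ptrace_check_attach or the PR_SET_DUMPABLE change that the advisory text above and Dariush Pietrzak's message in this thread describe, and the paste stops mid-signature at `void *arg`, so this copy can be neither reviewed for the actual fix nor applied as is; take the complete patch from the advisory rather than from this mail.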
Re: ptrace vulnerability?
You could try this link http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html but I am not sure if it meets your criteria of authoritative.

From: Phillip Hofmeister [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: ptrace vulnerability?
Date: Tue, 18 Mar 2003 17:09:10 -0500

> I usually make it a habit of only applying patches that come from seemingly authoritative sites.
>
> Could anyone make a reference to an authoritative site that would contain this patch? I have been snooping around kernel.org with no success...
>
> --
> Phil
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #125: Dumb terminal attach3
Re: ptrace vulnerability?
Correct me if I am wrong but is the ptrace vulnerability not a fairly old one. By old I mean like a couple of years. Or is this a completely different ptrace vulnerability. I know there was info about a ptrace vulnerability at http://packetstormsecurity.com including the working exploit code a couple of years ago. 
From: Mark Janssen [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: Jason Rashaad Jackson [EMAIL PROTECTED] CC: Giacomo Mulas [EMAIL PROTECTED],[EMAIL PROTECTED] Subject: Re: ptrace vulnerability? Date: 18 Mar 2003 22:11:38 +0100 MIME-Version: 1.0 Received: from murphy.debian.org ([65.125.64.134]) by mc10-f17.bay6.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 18 Mar 2003 13:42:41 -0800 Received: from localhost (localhost [127.0.0.1])by murphy.debian.org (Postfix) with QMQPid 826EA1FA98; Tue, 18 Mar 2003 15:33:00 -0600 (CST) Received: from maniac.nl (cust.13.118.adsl.cistron.nl [62.216.13.118])by murphy.debian.org (Postfix) with ESMTP id 7E3991F3D4for [EMAIL PROTECTED]; Tue, 18 Mar 2003 15:13:46 -0600 (CST) Received: from local-3.saiko.com ([:::10.0.0.3]) by maniac.nl with esmtp; Tue, 18 Mar 2003 22:13:15 +0100 X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP Old-Return-Path: [EMAIL PROTECTED] In-Reply-To: [EMAIL PROTECTED] References: [EMAIL PROTECTED] [EMAIL PROTECTED] Organization: Saiko Internet Technologies Message-Id: [EMAIL PROTECTED] X-Mailer: Ximian Evolution 1.2.2 X-Spam-Status: No, hits=-1.4 required=4.0tests=IN_REP_TO,PATCH_UNIFIED_DIFF,REFERENCES,SPAM_PHRASE_00_01version=2.43 X-Spam-Level: Resent-Message-ID: [EMAIL PROTECTED] Resent-From: [EMAIL PROTECTED] X-Mailing-List: [EMAIL PROTECTED] archive/latest/11159 X-Loop: [EMAIL PROTECTED] List-Post: mailto:[EMAIL PROTECTED] List-Help: mailto:[EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED] List-Unsubscribe: mailto:[EMAIL PROTECTED] Precedence: list Resent-Sender: [EMAIL PROTECTED] Resent-Date: Tue, 18 Mar 2003 15:33:00 -0600 (CST) Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 18 Mar 2003 21:42:41.0898 (UTC) FILETIME=[4DAF64A0:01C2ED97] On Tue, 2003-03-18 at 21:40, Jason Rashaad Jackson wrote: His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on. 
Here's a cut and paste from Lwn.net :) Ptrace vulnerability in 2.2 and 2.4 kernels From: Alan Cox [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Ptrace vulnerability in Linux 2.2/2.4 Date: Mon, 17 Mar 2003 11:00:16 -0500 (EST) Vulnerability: CAN-2003-0127 The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable. Linux 2.2.25 has been released to correct Linux 2.2. It contains no other changes. The bug fixes that would have been in 2.2.5pre1 will now appear in 2.2.26pre1. The patch will apply directly to most older 2.2 releases. A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also subtly changes the PR_SET_DUMPABLE prctl. We believe this is neccessary and that it will not affect any software. The functionality change is specific to unusual debugging situations. We would like to thank Andrzej Szombierski who found the problem, and wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van de Ven and Ben LaHaise identified additional problems with the original fix. Alan diff -purN linux.orig/arch/alpha/kernel/entry.S linux/arch/alpha/kernel/entry.S --- linux.orig/arch/alpha/kernel/entry.S Thu Mar 13 12:01:46 2003 +++ linux/arch/alpha/kernel/entry.S Thu Mar 13 13:28:49 2003 
@@ -231,12 +231,12 @@ kernel_clone: .end kernel_clone /* - * kernel_thread(fn, arg, clone_flags) + * arch_kernel_thread(fn, arg, clone_flags) */ .align 3 .globl kernel_thread .ent kernel_thread -kernel_thread: +arch_kernel_thread: ldgp $29,0($27) /* we can be called from a module */ .frame $30, 4*8, $26 subq $30,4*8,$30 diff -purN linux.orig/arch/arm/kernel/process.c linux/arch/arm/kernel/process.c --- linux.orig/arch/arm/kernel/process.c Thu Mar 13 12:01:29 2003 +++ linux/arch/arm/kernel/process.c Thu Mar 13 13:25:56 2003 @@ -366,7 +366,7 @@ void dump_thread(struct pt_regs * regs, * a system call from a real process, but the process memory space will * not be free'd until both the parent and the child have exited. */ -pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) +pid_t arch_kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) { pid_t __ret; diff -purN linux.orig/arch/cris/kernel/entry.S linux/arch/cris/kernel/entry.S --- linux.orig/arch/cris/kernel/entry.S Thu Mar 13 12:01:29 2003 +++ linux/arch/cris/kernel/entry.S Thu
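Review bot: in the alpha entry.S hunk the label becomes `arch_kernel_thread:` but the `.globl kernel_thread` and `.ent kernel_thread` directives immediately above it keep the old name, so the assembler will export a `kernel_thread` symbol that no longer has a definition while `arch_kernel_thread` is left without a `.globl`; rename both directives (and the matching `.end`, on the pattern of the `.end kernel_clone` shown as context) to `arch_kernel_thread`. The arm hunk renames the C function cleanly and needs no change.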
Re: ptrace vulnerability?
New one. The attached module seems to block the currently circulating exploit; I didn't write it, so don't email me if it breaks your system.

On Tuesday 18 March 2003 17:39, Steve Meyer wrote:
Correct me if I am wrong, but is the ptrace vulnerability not a fairly old one? By old I mean like a couple of years. Or is this a completely different ptrace vulnerability? I know there was info about a ptrace vulnerability at http://packetstormsecurity.com including the working exploit code a couple of years ago.

--
Orlando Padilla
http://www.g0thead.com/xbud.asc
To alcohol! The Cause of AND solution to all of life's problems. Alcohol is a way of life. Alcohol is my way of life, and I aim to keep it. -Homer Simpson

Attachment: block_ptrees.tgz (application/tgz)
Re: ptrace vulnerability?
Does anyone know the ETA of the official patch?
ptrace vulnerability?
Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already or should we humble users, in the meantime, take the original patch and apply it, while the official thing gets worked out?

Bye
Giacomo

--
Giacomo Mulas [EMAIL PROTECTED]
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel. (OAC): +39 070 71180 248   Fax: +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
When the storms are raging around you, stay right where you are (Freddy Mercury)
Re: ptrace vulnerability?
On Tue, 18 Mar 2003, Giacomo Mulas wrote:
Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already or should we humble users, in the meantime, take the original patch and apply it, while the official thing gets worked out?

Apparently the kernel source debian package maintainer already answered my previous question in the best possible way, making available the patched package immediately. The responsivity of the Debian community is really something to be proud of: thanks Herbert!

Bye
Giacomo
Re: ptrace vulnerability?
On Tue 18/03/2003 at 13:04, Giacomo Mulas wrote:
On Tue, 18 Mar 2003, Giacomo Mulas wrote:
Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already or should we humble users, in the meantime, take the original patch and apply it, while the official thing gets worked out?

Apparently the kernel source debian package maintainer already answered my previous question in the best possible way, making available the patched package immediately. The responsivity of the Debian community is really something to be proud of: thanks Herbert!

Hi, what packages are available *exactly* and where? I don't see any upgrade in security nor any DSA...

Thanks,
SEb

Bye
Giacomo

--
Sebastien Chaumat [EMAIL PROTECTED]
Re: ptrace vulnerability?
His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

--On Tuesday, March 18, 2003 12:04 PM +0100 Giacomo Mulas [EMAIL PROTECTED] wrote:
Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already or should we humble users, in the meantime, take the original patch and apply it, while the official thing gets worked out?

Bye
Giacomo

--
Jason Rashaad Jackson
UNIX Systems Administrator
3556 Samuel T. Dana Building   (W) 734.615.1422
Ann Arbor, MI 48109            (M) 734.649.6641
http://www.umich.edu/~jrashaad (F) 734.763.8965
Re: [despammed] Re: ptrace vulnerability?
Tuesday, March 18, 2003, 3:40:40 PM, Jason Rashaad Jackson (Jason) wrote:
Jason> His announcement is Slashdotted, and I'm seeing no notice of which versions
Jason> are affected! I'm running 2.4.18 on all my Debian servers, please tell me
Jason> what's going on.

http://www.uwsg.indiana.edu/hypermail/linux/kernel/0303.2/0226.html

Looks like all 2.2 and 2.4 are affected. The patch for 2.4 is in the email.

--
Eddie J Schwartz [EMAIL PROTECTED]   http://www.m00.net
AIM: The Cypher   ICQ: 35576339   YHOO: edmcman2   MSN: [EMAIL PROTECTED]
SMS: [EMAIL PROTECTED]
We Trills have an expression: at forty, you think you know everything. At four hundred, you realize you know nothing. - Dax, ST-DS9
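As an added example, not something posted in the thread: a POSIX sh check that maps a kernel release string (what `uname -r` prints) onto the version ranges named in Alan Cox's announcement of CAN-2003-0127, so someone in Jason's position can triage quickly. The classification labels and the stripping of vendor suffixes such as Debian's `-bf2.4` are my assumptions; a distribution kernel may already carry the fix as a backport (as the patched Debian package mentioned elsewhere in the thread does), so the installed package version, not this string, has the final word.

```shell
#!/bin/sh
# Added example (not code from the thread). Maps a kernel release string onto
# the ranges in Alan Cox's CAN-2003-0127 announcement:
#   2.2.x with x < 25             -> vulnerable  (2.2.25 carries the fix)
#   2.4.x with x <= 20, 2.4.21pre -> vulnerable  (the attached patch targets these)
#   2.5.x                         -> not believed vulnerable
# Anything else is outside what the announcement states and is reported as
# such rather than guessed. Assumption: a distribution kernel (e.g. Debian's
# 2.4.18-bf2.4) may carry the fix as a backport, so this is a first-pass triage
# of the version string only; the installed package version decides.

ptrace_cve_status() {
    rel=$1
    # Keep the leading "major.minor.patch"; vendor suffixes such as "-bf2.4"
    # or "-pre5" are dropped for the numeric comparison but kept in $rel.
    base=$(printf '%s\n' "$rel" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$base" ]; then
        echo unknown
        return 0
    fi
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
    2.2)
        if [ "$patch" -lt 25 ]; then echo vulnerable; else echo fixed; fi
        ;;
    2.4)
        if [ "$patch" -le 20 ]; then
            echo vulnerable
        elif [ "$patch" -eq 21 ] && printf '%s\n' "$rel" | grep -q pre; then
            # 2.4.21 prereleases are named in the announcement as patch targets
            echo vulnerable
        else
            echo outside-advisory-range
        fi
        ;;
    2.5)
        echo not-believed-vulnerable
        ;;
    *)
        echo unknown
        ;;
    esac
}

# Constructed sample inputs plus the running kernel; none of these come from the thread.
for k in "$(uname -r)" 2.4.18 2.4.18-bf2.4 2.4.21-pre5 2.2.24 2.2.25 2.5.64; do
    printf '%-16s %s\n' "$k" "$(ptrace_cve_status "$k")"
done
```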
Re: ptrace vulnerability?
On Tue, 2003-03-18 at 21:40, Jason Rashaad Jackson wrote:
His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

Here's a cut and paste from Lwn.net :)

Ptrace vulnerability in 2.2 and 2.4 kernels

From: Alan Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Ptrace vulnerability in Linux 2.2/2.4
Date: Mon, 17 Mar 2003 11:00:16 -0500 (EST)

Vulnerability: CAN-2003-0127

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable.

Linux 2.2.25 has been released to correct Linux 2.2. It contains no other changes. The bug fixes that would have been in 2.2.5pre1 will now appear in 2.2.26pre1. The patch will apply directly to most older 2.2 releases.

A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also subtly changes the PR_SET_DUMPABLE prctl. We believe this is necessary and that it will not affect any software. The functionality change is specific to unusual debugging situations.

We would like to thank Andrzej Szombierski who found the problem, and wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van de Ven and Ben LaHaise identified additional problems with the original fix.

Alan

diff -purN linux.orig/arch/alpha/kernel/entry.S linux/arch/alpha/kernel/entry.S
--- linux.orig/arch/alpha/kernel/entry.S	Thu Mar 13 12:01:46 2003
+++ linux/arch/alpha/kernel/entry.S	Thu Mar 13 13:28:49 2003
@@ -231,12 +231,12 @@ kernel_clone: .end kernel_clone /* - * kernel_thread(fn, arg, clone_flags) + * arch_kernel_thread(fn, arg, clone_flags) */ .align 3 .globl kernel_thread .ent kernel_thread -kernel_thread: +arch_kernel_thread: ldgp$29,0($27) /* we can be called from a module */ .frame $30, 4*8, $26 subq$30,4*8,$30 diff -purN linux.orig/arch/arm/kernel/process.c linux/arch/arm/kernel/process.c --- linux.orig/arch/arm/kernel/process.cThu Mar 13 12:01:29 2003 +++ linux/arch/arm/kernel/process.c Thu Mar 13 13:25:56 2003 @@ -366,7 +366,7 @@ void dump_thread(struct pt_regs * regs, * a system call from a real process, but the process memory space will * not be free'd until both the parent and the child have exited. */ -pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) +pid_t arch_kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) { pid_t __ret; diff -purN linux.orig/arch/cris/kernel/entry.S linux/arch/cris/kernel/entry.S --- linux.orig/arch/cris/kernel/entry.S Thu Mar 13 12:01:29 2003 +++ linux/arch/cris/kernel/entry.S Thu Mar 13 13:30:30 2003 @@ -736,12 +736,12 @@ hw_bp_trig_ptr: * the grosser the code, at least with the gcc version in cris-dist-1.13. */ -/* int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) */ +/* int arch_kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) */ /* r10r11 r12 */ .text - .global kernel_thread -kernel_thread: + .global arch_kernel_thread +arch_kernel_thread: /* Save ARG for later. */ move.d $r11, $r13 diff -purN linux.orig/arch/i386/kernel/process.c linux/arch/i386/kernel/process.c --- linux.orig/arch/i386/kernel/process.c Thu Mar 13 12:01:57 2003 +++ linux/arch/i386/kernel/process.cThu Mar 13 13:26:08 2003 @@ -495,7 +495,7 @@ void release_segments(struct mm_struct * /* * Create a kernel thread */ -int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) +int arch_kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) { long retval, d0; 
@@ -518,6 +518,7 @@ int kernel_thread(int (*fn)(void *), voi r (arg), r (fn), b (flags | CLONE_VM) : memory); + return retval; } diff -purN linux.orig/arch/ia64/kernel/process.c linux/arch/ia64/kernel/process.c --- linux.orig/arch/ia64/kernel/process.c Thu Mar 13 12:01:29 2003 +++ linux/arch/ia64/kernel/process.cThu Mar 13 13:26:15 2003 @@ -220,7 +220,7 @@ ia64_load_extra (struct task_struct *tas * | | -- sp (lowest addr) * +-+ * - * Note: if we get called through kernel_thread() then the memory + * Note: if we get called through arch_kernel_thread() then the memory * above (highest addr) is valid kernel stack memory that needs to * be copied as well. * @@ -469,7 +469,7 @@ ia64_set_personality (struct elf64_hdr * } pid_t -kernel_thread (int (*fn)(void *), void *arg, unsigned long flags) +arch_kernel_thread (int (*fn)(void *), void
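Review bot: the cris hunk renames the `.global` directive together with the label, but the alpha hunk at the top of this patch leaves `.globl kernel_thread` and `.ent kernel_thread` untouched while changing the label to `arch_kernel_thread:`, so the two architectures are treated inconsistently and alpha will export the old name without a definition; rename the alpha directives the same way cris does. Separately, none of the hunks shown here defines the `kernel_thread` symbol that every existing caller still uses, so the generic replacement, and with it the ptrace-related behaviour the cover note describes, must sit in a part of the patch outside this excerpt; the cover note should say where, because the arch hunks by themselves are mechanical renames that a reviewer cannot tie to the vulnerability.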
Re: ptrace vulnerability?
I usually make it a habit of only applying patches that come from seemingly authoritative sites. Could anyone make a reference to an authoritative site that would contain this patch? I have been snooping around kernel.org with no success...

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #125: Dumb terminal
Re: ptrace vulnerability?
You could try this link http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html but I am not sure if it meets your criteria of authoritative.

From: Phillip Hofmeister [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: Re: ptrace vulnerability?
Date: Tue, 18 Mar 2003 17:09:10 -0500
User-Agent: Mutt/1.4i

I usually make it a habit of only applying patches that come from seemingly authoritative sites. Could anyone make a reference to an authoritative site that would contain this patch? I have been snooping around kernel.org with no success...

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #125: Dumb terminal
Re: ptrace vulnerability?
Correct me if I am wrong, but is the ptrace vulnerability not a fairly old one? By old I mean like a couple of years. Or is this a completely different ptrace vulnerability? I know there was info about a ptrace vulnerability at http://packetstormsecurity.com including the working exploit code a couple of years ago.