On Thu, 17 Mar 2005 10:50:22 +0100
Adam Zaleski <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Yesterday my Trustix Secure Linux v 2.2 was hacked.
> The bug is old. Why does it still exist under Trustix?

Tested with trustix-2.2 UML honeypot:

./gcc
 +---> /bin/sh -c gcc -shared -o /tmp/nst.nfo /tmp/nst.c; rm -f /tmp/nst.c
 |      +---> /usr/bin/gcc -shared -o /tmp/nst.nfo /tmp/nst.c
 |      |      +---> cc1, as, collect2, ld
 |      +---> /bin/rm -f /tmp/nst.c
 +---> /bin/sh -c LD_PRELOAD=/tmp/nst.nfo /bin/sh

OK, so what's nst.c:

int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }

Starting a shell with this LD_PRELOAD wrapper, that fakes all IDs to 0 (root).

[EMAIL PROTECTED] /tmp$ LD_PRELOAD=/tmp/nst.nfo /bin/bash
[EMAIL PROTECTED] /tmp# id
uid=0(root) gid=0(root) groups=0(root),10(wheel),100(users)
[EMAIL PROTECTED] /tmp# cd /root
bash: cd: /root: Permission denied
[EMAIL PROTECTED] /tmp# ifconfig eth0 down
SIOCSIFFLAGS: Permission denied

-> userspace *thinks* it is root, but kernel *knows* it is NOT.

I'm not an expert, and only guessing, but this looks like a fake exploit?!
(not tested on *real* tsl, and haven't compared filesystem before/after)

Olaf
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
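
Added example, not part of the original message: a small C check for the observation above that a preloaded getuid()/geteuid() only changes what libc reports, by comparing those values with the "Uid:" line the kernel exposes in /proc/self/status. The function names and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample of /proc/<pid>/status for an unprivileged shell (uid 500). */
const char SAMPLE_STATUS[] =
    "Name:\tbash\nState:\tS (sleeping)\n"
    "Uid:\t500\t500\t500\t500\nGid:\t100\t100\t100\t100\n";

/* Extract real and effective uid from the "Uid:" line; 0 on success, -1 if absent. */
int parse_status_uid(const char *status, unsigned *ruid, unsigned *euid)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "Uid:", 4) == 0)
            return sscanf(p + 4, "%u %u", ruid, euid) == 2 ? 0 : -1;
        p = strchr(p, '\n');      /* advance to the start of the next line */
        if (p)
            p++;
    }
    return -1;
}

/* 1 if the ids libc reported differ from the ids the kernel recorded. */
int ids_spoofed(unsigned libc_uid, unsigned libc_euid, unsigned k_ruid, unsigned k_euid)
{
    return libc_uid != k_ruid || libc_euid != k_euid;
}

int main(void)
{
    char buf[4096] = {0};
    unsigned kr, ke;
    FILE *f = fopen("/proc/self/status", "r");   /* not affected by a getuid() shim */
    if (!f) { perror("/proc/self/status"); return 2; }
    fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    if (parse_status_uid(buf, &kr, &ke) != 0) return 2;

    unsigned lr = (unsigned)getuid(), le = (unsigned)geteuid();  /* may be hooked */
    const char *pre = getenv("LD_PRELOAD");
    printf("libc: uid=%u euid=%u  kernel: uid=%u euid=%u  LD_PRELOAD=%s\n",
           lr, le, kr, ke, pre ? pre : "(unset)");
    if (ids_spoofed(lr, le, kr, ke)) {
        puts("MISMATCH: userspace ids are faked; kernel credentials unchanged");
        return 1;
    }
    puts("consistent");
    return 0;
}
```

Run from the suspect shell, a dynamically linked build inherits LD_PRELOAD and reports the mismatch; in a clean shell it prints "consistent".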