[TOOL] No Ptrace Module (NPT)
From: support@securiteam.com Date: 09/11/01
From: support@securiteam.com To: list@securiteam.com Subject: [TOOL] No Ptrace Module (NPT) Message-Id: <20010911080908.35FDD138C0@mail.der-keiler.de> Date: Tue, 11 Sep 2001 10:09:08 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
No Ptrace Module (NPT)
------------------------------------------------------------------------
DETAILS
The following tool disables ptrace for non-root users. It does not fix the
ptrace vulnerability itself (
<http://www.securiteam.com/exploits/5NP061P4AW.html> PTrace Improved
Exploit Code Released (Race condition)), but it stops the exploit from
running successfully, because the exploit has to call ptrace() as an
unprivileged user and the module refuses every such call.
Tool:
/* no ptrace module
   fast prevention for kernel bug
   (c) 2001 a Lam3rZ oddysey
*/
#define MODULE
#define __KERNEL__
#include <linux/module.h>
#include <linux/version.h>   /* LINUX_VERSION_CODE */
#include <linux/sched.h>     /* current, task_struct (euid, uid, comm) */
#include <linux/unistd.h>    /* __NR_ptrace */
#include <linux/errno.h>     /* EPERM */

/* The original also pulled in <sys/syscall.h> and <bits/syscall.h>; those are
   glibc userspace headers and do not belong in a kernel module. __NR_ptrace
   already comes from <asm/unistd.h>. */
#ifndef KERNEL_VERSION
#define KERNEL_VERSION(a,b,c) ((a)*65536+(b)*256+(c))
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,0)
#include <asm/unistd.h>
#endif

/* sys_call_table was an exported symbol on 2.2/2.4 kernels. */
extern void *sys_call_table[];

/* Saved pointer to the kernel's own sys_ptrace(). */
asmlinkage int (*orig_ptrace)(int, int, int, int);

/* Replacement for sys_ptrace(): pass the call through only when the caller
   runs with effective uid 0, refuse everybody else. */
asmlinkage int no_ptrace(int request, int pid, int addr, int data)
{
    if (current->euid == 0)
        return orig_ptrace(request, pid, addr, data);
    /* The original returned -1; -EPERM is the same value (EPERM == 1) and
       is what the caller sees as errno. */
    return -EPERM;
}

int init_module(void)
{
    /* Save the real handler, then point the table entry at our hook. */
    orig_ptrace = sys_call_table[__NR_ptrace];
    sys_call_table[__NR_ptrace] = no_ptrace;
    return 0;
}

void cleanup_module(void)
{
    /* Restore the original entry so ptrace works again after rmmod. */
    sys_call_table[__NR_ptrace] = orig_ptrace;
}
Tool add-on:
Adding a line such as:
    printk("ptrace(): uid=%d, comm=%s\n", current->uid, current->comm);
before the return statement in no_ptrace() logs the uid and command name of
the calling process, which helps spot potential abusers.
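A small userspace probe is the natural way to confirm that the module does what the advisory claims. The following program is an added example, not part of the advisory or of the NPT module: it forks a child that issues PTRACE_TRACEME (the one ptrace request that needs no target pid) and reports whether the kernel allowed it or refused it with EPERM, which is what NPT's -1 return becomes in errno. Run it once as root and once as an unprivileged user; with NPT loaded the second run should print "denied (EPERM)". The function names probe_ptrace_traceme() and ptrace_verdict() are this example's own.

```c
/* Added example (not from the SecuriTeam advisory or the NPT module):
 * check from userspace whether ptrace is usable by the calling user.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that asks to be traced by its parent (PTRACE_TRACEME).
 * Returns 0 if the request succeeded, otherwise the errno it failed with. */
int probe_ptrace_traceme(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        /* child: PTRACE_TRACEME needs no target, so no second process
         * has to be set up; pass errno back through the exit status */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(errno & 0xff);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return ECHILD; /* child was killed instead of exiting cleanly */
}

/* Map the probe result to a short verdict. NPT returns -1 from the hooked
 * syscall, which reaches userspace as errno EPERM (EPERM == 1). */
const char *ptrace_verdict(int err)
{
    switch (err) {
    case 0:
        return "allowed";
    case EPERM:
        return "denied (EPERM)";
    default:
        return "error";
    }
}

int main(void)
{
    int err = probe_ptrace_traceme();
    printf("euid=%d ptrace(PTRACE_TRACEME): %s",
           (int)geteuid(), ptrace_verdict(err));
    if (err)
        printf(" [%s]", strerror(err));
    putchar('\n');
    return 0;
}
```

The probe deliberately uses PTRACE_TRACEME rather than PTRACE_ATTACH so that it exercises the syscall entry NPT hooks without depending on Yama or other attach-scope policies; any refusal other than EPERM is reported as a generic error with its errno text so that a sandbox or seccomp filter is not mistaken for the module.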
ADDITIONAL INFORMATION
The information has been provided by Mariusz Woloszyn <emsi@ipartners.pl>
and Wojtek Kaniewski <wojtekka@bydg.pdi.net>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.