RE: latest ptrace hole patch?
From: Jeremy Gaddis (jeremy@gaddis.org)
Date: 03/25/03
- Previous message: Shackleford, Dave: "RE: Seeing who has su-ed"
- In reply to: SB CH: "Re: latest ptrace hole patch?"
From: "Jeremy Gaddis" <jeremy@gaddis.org>
To: <focus-linux@securityfocus.com>
Date: Mon, 24 Mar 2003 20:15:45 -0500
> -----Original Message-----
> From: SB CH [mailto:chulmin2@hotmail.com]
> Sent: Thursday, March 20, 2003 9:32 PM
> To: focus-linux@securityfocus.com
> Cc: ch@debian.org
> Subject: Re: latest ptrace hole patch?
>
> Hello, list.
>
> I downloaded the hardlock patch too, like below.
> http://www.hardrock.org/kernel/2.4.20/linux-2.4.20-ptrace.patch
>
> But I can gain root privilege against this patched kernel too.
>
> Please test the exploit code which is at http://www.hack.co.za/
I tested the exploit previously posted to bugtraq (km3.c) by
anszom@v-lo.krakow.pl against a variety of Linux machines
(Slackware 8.0, Red Hat Linux 7.0, multiple Debian 3.0) and
each one was exploitable when using the stock kernels.

I applied this same patch to two of my Debian 3.0 machines
and recompiled their kernels. Neither appears vulnerable to
this exploit now. With the patched kernels, running the
above-mentioned exploit simply results in it repeatedly
forking.
Unpatched Red Hat Linux 7.0 with stock kernel:
[jeremy@venus:pts/1:~/security]$ ./km3
Linux kmod + ptrace local root exploit by <anszom@v-lo.krakow.pl>
=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started.+ 27934
uid=0(root) gid=0(root) groups=1002(jeremy)
- 27934 ok!
[jeremy@venus:pts/1:~/security]$
Patched (using above patch) Debian Linux 3.0:
[jeremy@MERCURY:pts/0:~/security]$ ./km3
Linux kmod + ptrace local root exploit by <anszom@v-lo.krakow.pl>
=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started. (^C issued at this point)
[jeremy@MERCURY:pts/0:~/security]$
I didn't test any exploit available at www.hack.co.za as I
wasn't able to connect to that webserver for an unknown reason.
j.
-- Jeremy L. Gaddis <jeremy@gaddis.org> <http://www.gaddis.org>