Re: [suse-security] suse 8.1 : ptrace exploit still working fine!?
Kastus <NOSPAM@tprfct.net> wrote:
On Sun, Nov 30, 2003 at 12:48:23AM +0100, Olivier M. wrote:
A suse 8.1 based server has been cracked, and the "visitor" left all his tools, so I've been able to play with it as well. The server was kept "up to date", but look at that:
om@box:~/tmp> uname -a Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This date looks suspicious. The kernel from k_deflt-2.4.19-340 has time stamp Mon Aug 4 23:38:42 UTC 2003
om@box:~/tmp> rpm -qa|grep k_ k_deflt-2.4.19-340
I doubt the kernel you are running belongs to this package. Did you try to verify k_deflt package? What's the output of rpm -V k_deflt ?
Also check your bootloader, what kernel is actually gets booted.
Regards, -Kastus
--
Hi Kastus and Olivier, I am running SuSE 8.1 with k-deflt-2.4.19-340 on my box. As Kastus pointed out, when I do uname -a on a Konsole, I get: [gar@box1 gar]$ uname -a Linux gandalf 2.4.19-4GB #1 Mon Aug 4 23:38:42 UTC 2003 i686 unknown [gar@gandalf gar]$ How do you have: Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown ???? However,Oliver,if you really think your box has been cracked because of a ptrace exploit, in addition to posting to this list, send a copy to: security@suse.de as I am sure Roman and his Team will want to know. See: http://www.suse.de/de/security/contact/index.html (In fact I think they would have preferred you wrote to them first, but that's your call.) Hope this helps, Gar -- In the Beginning was the Command Line ---Neal Stephenson -- __________________________________________________________________ McAfee VirusScan Online from the Netscape Network. Comprehensive protection for your entire computer. Get your free trial today! http://channels.netscape.com/ns/computing/mcafee/index.jsp?promo=393397 Get AOL Instant Messenger 5.1 free of charge. Download Now! http://aim.aol.com/aimnew/Aim/register.adp?promo=380455
On Sun, Nov 30, 2003 at 04:51:54AM -0500, GarUlbricht7@netscape.net wrote:
However,Oliver,if you really think your box has been cracked because of a ptrace exploit, in addition to posting to this list, send a copy to:
security@suse.de
Ok, I will later today.
(In fact I think they would have preferred you wrote to them first, but that's your call.)
I think just "writing" here is fine: it would be different If I had attached the exploit binary to my message... Before writing to suse, I'd like to make some more checks, and find another test server with suse 8.1: but all the other servers runs 8.2 or newer :/ regards, Olivier -- _________________________________________________________________ Olivier Mueller - om@8304.ch - PGPkeyID: 0E84D2EA - Switzerland
On Sun, Nov 30, 2003 at 01:22:31PM +0100, Olivier M. wrote:
Before writing to suse, I'd like to make some more checks, and find another test server with suse 8.1: but all the other servers runs 8.2 or newer :/
Before writing to SUSE, could you please reboot your box and see if your exploit works? Even if you update the system regularly, kernel updates are different from all the rest as kernel updates require a reboot. If you haven't rebooted since installation of 2.4.19-340 kernel, you are still running an old vulnerable kernel. Regards, -Kastus
participants (3)
-
GarUlbricht7@netscape.net -
Kastus -
Olivier M.