ptrace exploit still works after kernel update
Hi, I installed the kernel update k_deflt-2.4.19-274 from SuSE-SA:2003:021 on my SuSE 8.1 system. The system rebooted normally after install. The exploit from http://sinuspl.net/ptrace/isec-ptrace-kmod-exploit.c still works and gives me a root shell under the new kernel! rpm -qf /boot/vmlinuz shows k_deflt-2.4.19-274. The boot manager is grub. Does the kernel update not fix this bug correctly? -- Andreas Tetzl <andreas@tetzl.de>
Andreas Tetzl wrote:
> Hi,
> I installed the kernel update k_deflt-2.4.19-274 from SuSE-SA:2003:021 on my SuSE 8.1 system. The system rebooted normally after install.
> The exploit from http://sinuspl.net/ptrace/isec-ptrace-kmod-exploit.c still works and gives me a root shell under the new kernel!
> rpm -qf /boot/vmlinuz shows k_deflt-2.4.19-274. The boot manager is grub.

and uname -r reports 2.4.19-4GB?

> Does the kernel update not fix this bug correctly?

I cannot confirm what you said. I tested the 'exploit' on my patched 8.1 and my unpatched 7.3; it didn't work on either box. The "original" exploit (km3.c) works on my 7.3 and not on the patched 8.1, so I would say it is fixed. Regards, Sven
--- Sven 'Darkman' Michels <sven@darkman.de> wrote:
> > Does the kernel update not fix this bug correctly?
>
> I cannot confirm what you said. I tested the 'exploit' on my patched 8.1 and my unpatched 7.3; it didn't work on either box. The "original" exploit (km3.c) works on my 7.3 and not on the patched 8.1, so I would say it is fixed.

BTW, did anyone manage to make the km3.c exploit work on a default 8.0? I tried on two PCs, one upgraded from 7.3 and the other a clean install, and both seem to be safe against this exploit... Cheers, Eduard
For me it only works for SuSE kernel 2.4.16-4GB delivered with SuSE 7.3. 2.4.18-4GB of 8.0 and 2.4.19-4GB of 8.1 seem to be "safe" against THIS particular exploit. (All the "old" unpatched versions...) Does anybody have an exploit for these kernels?

On Wednesday, 26 March 2003 21:43, Eduard Avetisyan wrote:
> BTW, did anyone manage to make the km3.c exploit work on a default 8.0? I tried on two PCs, one upgraded from 7.3 and the other a clean install, and both seem to be safe against this exploit...
-- Eat, sleep and go running, David Huecking. Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
On Wed, Mar 26, 2003 at 10:01:59PM +0100, David Huecking wrote:
> For me it only works for SuSE kernel 2.4.16-4GB delivered with SuSE 7.3. 2.4.18-4GB of 8.0 and 2.4.19-4GB of 8.1 seem to be "safe" against THIS particular exploit. (All the "old" unpatched versions...) Does anybody have an exploit for these kernels?

No. This exploit works. But since it exploits a race, it may need many tries or different timing on fast CPUs. On one SuSE 8.1 here it _seemed_ not to work at first (ran for minutes). I inserted some fprintf's (thus altered the timing), and whoops, the second try succeeds. The new kernel from SuSE (or kernel.org 2.4.20 with patch) solves this. If SuSE tells you to upgrade the kernel to avoid a local root exploit, I think you should do so. They won't tell you to if their kernel was not vulnerable. Lars
Hi, how can I test if my machine is vulnerable to this exploit? I run a SuSE 7.0, a 7.2 and a 7.3. Sincerely, Benjamin

-----Original Message-----
From: Sven 'Darkman' Michels [mailto:sven@darkman.de]
Sent: Wednesday, 26 March 2003 20:25
To: suse-security@suse.com
Subject: Re: [suse-security] ptrace exploit still works after kernel update

> Andreas Tetzl wrote:
> > Hi,
> > I installed the kernel update k_deflt-2.4.19-274 from SuSE-SA:2003:021 on my SuSE 8.1 system. The system rebooted normally after install.
> > The exploit from http://sinuspl.net/ptrace/isec-ptrace-kmod-exploit.c still works and gives me a root shell under the new kernel!
> > rpm -qf /boot/vmlinuz shows k_deflt-2.4.19-274. The boot manager is grub.
>
> and uname -r reports 2.4.19-4GB?
>
> > Does the kernel update not fix this bug correctly?
>
> I cannot confirm what you said. I tested the 'exploit' on my patched 8.1 and my unpatched 7.3; it didn't work on either box. The "original" exploit (km3.c) works on my 7.3 and not on the patched 8.1, so I would say it is fixed. Regards, Sven
I rebooted another time and the exploit does not work any more. I tried the exploit several times after the update and also rebooted several times and it worked. I don't know what was wrong. Thank you and sorry for bothering, -- Andreas Tetzl <andreas@tetzl.de>
Andreas Tetzl wrote:
> I rebooted another time and the exploit does not work any more.
> I tried the exploit several times after the update and also rebooted several times and it worked. I don't know what was wrong.
> Thank you and sorry for bothering,

No problem; it would be nice to know if it really doesn't work (think of Roman's comment about the first suggested patch not working correctly...). If you find some more information or so, let us know :) Regards, Sven
On 03/26/2003 08:41 PM, Andreas Tetzl wrote:
> I rebooted another time and the exploit does not work any more.
> I tried the exploit several times after the update and also rebooted several times and it worked. I don't know what was wrong.
AFAIK the exploit sets itself setuid-root, the first time it works. Benedikt Wilbertz
> On 03/26/2003 08:41 PM, Andreas Tetzl wrote:
> > I rebooted another time and the exploit does not work any more.
> > I tried the exploit several times after the update and also rebooted several times and it worked. I don't know what was wrong.
>
> AFAIK the exploit sets itself setuid-root the first time it works.

That's it! I recompiled the exploit before running it the last time, which removed the setuid-root bit. -- Andreas Tetzl <andreas@tetzl.de>
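Two administrator-side checks that follow from this thread, written as an added example (not code posted by any participant; paths and sample values are assumptions for illustration). The first compares the base version of the installed kernel package with the running kernel, which catches the "updated but not yet booted into the new kernel" case behind the rpm -qf versus uname -r question above. The second looks for setuid files owned by a given user below a directory: as Benedikt points out, a successful run leaves the exploit's own binary setuid-root, so a setuid-root file under /tmp or a home directory is a cheap artefact to look for when deciding whether a box was hit before the update.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
# Paths and sample values below are assumptions for illustration.

# 1) Does the running kernel's base version match the installed package?
#    SuSE's uname string (e.g. 2.4.19-4GB) does not carry the package
#    release (-274), so this only catches "updated but never rebooted into
#    the new kernel"; the package release itself is confirmed with
#    rpm -qf /boot/vmlinuz, as in the thread.
#    $1 = package name from rpm (e.g. k_deflt-2.4.19-274)
#    $2 = output of uname -r (e.g. 2.4.19-4GB)
kernel_base_matches() {
    pkg_ver=$(printf '%s\n' "$1" | sed 's/^[^-]*-//; s/-[^-]*$//')
    run_ver=$(printf '%s\n' "$2" | sed 's/-.*$//')
    [ "$pkg_ver" = "$run_ver" ]
}

# 2) Print setuid regular files owned by a user ($2, default root) below
#    directory $1, one path per line, without crossing mount points.
find_setuid_owned_by() {
    find "$1" -xdev -type f -perm -4000 -user "${2:-root}" 2>/dev/null
}

# Exit status 0 if at least one such file exists below $1, 1 otherwise.
has_setuid_owned_by() {
    if [ -n "$(find_setuid_owned_by "$1" "$2")" ]; then
        return 0
    fi
    return 1
}

# Run both checks against the live system when invoked with --scan;
# without it the script only defines the functions above.
if [ "${1:-}" = "--scan" ]; then
    if kernel_base_matches "$(rpm -qf /boot/vmlinuz 2>/dev/null)" "$(uname -r)"; then
        echo "running kernel matches installed package base version"
    else
        echo "WARNING: running kernel does not match installed package (reboot pending?)"
    fi
    for d in /tmp /var/tmp /home; do
        find_setuid_owned_by "$d" root
    done
fi
```

Run it as `sh check.sh --scan` as root. Any path the scan prints under /tmp, /var/tmp or a home directory deserves a look, since nothing legitimate normally installs setuid-root binaries there.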
Participants (7): Andreas Tetzl, Benedikt Wilbertz, Benjamin Elixmann, David Huecking, Eduard Avetisyan, Lars Ellenberg, Sven 'Darkman' Michels