Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] suse 8.1 : ptrace exploit still working fine!?
  • From: GertJan Spoelman <nobody@xxxxxxxxxxxxxxxxx>
  • Date: Sun, 30 Nov 2003 15:10:43 +0100
  • Message-id: <200311301510.43278@xxxxxx>
On Sunday 30 November 2003 13:19, Olivier M. wrote:
> Hi & thx for the feedback,
>
> On Sat, Nov 29, 2003 at 05:00:30PM -0800, Kastus wrote:
> > > Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > This date looks suspicious.
> > The kernel from k_deflt-2.4.19-340 has time stamp Mon Aug 4 23:38:42 UTC
> > 2003
>
> interesting...
>
> > > om@box:~/tmp> rpm -qa|grep k_
> > > k_deflt-2.4.19-340
> >
> > I doubt the kernel you are running belongs to this package.
> > Did you try to verify k_deflt package? What's the output of
> > rpm -V k_deflt ?
>
> box:~ # rpm -V k_deflt
> .......T /lib/modules/2.4.19-4GB/kernel/drivers/char/i810_rng.o
> .......T /lib/modules/2.4.19-4GB/kernel/drivers/char/i8k.o
> .......T /lib/modules/2.4.19-4GB/kernel/drivers/char/ip2.o
> .......T /lib/modules/2.4.19-4GB/kernel/drivers/mtd/mtdchar.o
> .......T /lib/modules/2.4.19-4GB/kernel/drivers/mtd/mtdconcat.o
> .......T /lib/modules/2.4.19-4GB/kernel/drivers/mtd/mtdcore.o
> .......T /lib/modules/2.4.19-4GB/kernel/drivers/mtd/mtdpart.o
> .......T /lib/modules/2.4.19-4GB/kernel/drivers/net/arlan-proc.o
> .......T /lib/modules/2.4.19-4GB/modules.dep
> .......T /lib/modules/2.4.19-4GB/modules.generic_string
> .......T /lib/modules/2.4.19-4GB/modules.ieee1394map
> .......T /lib/modules/2.4.19-4GB/modules.parportmap
> .......T /lib/modules/2.4.19-4GB/modules.pnpbiosmap
>
> so just "timestamps" problems...

No, not just timestamp problems: that timestamp is embedded in the kernel, so
you are actually still running an older kernel which still has the exploit.
The fact that rpm -V checks out OK does not mean you are running that kernel;
it only means that you indeed installed the update. To run the new kernel, your
bootloader has to point to it and you must reboot.
Did you reboot that machine after updating the kernel?

> box:~ # rpm -qf /boot/vmlinuz
> k_deflt-2.4.19-340
> box:~ # uname -a
> Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
> box:~ # ls -la /boot/vmlinuz
> -rw-r--r-- 1 root root 1191127 Aug 5 01:43 /boot/vmlinuz
> box:~ # md5sum /boot/vmlinuz
> e61b2a82e9089e8ca4dea2ed8ecbb0a1 /boot/vmlinuz
>
> > Also check your bootloader, what kernel actually gets booted.
>
> looks fine, setup is quite "standard": no special things:
>
> box:~ # more /boot/grub/menu.lst
> default 0
> title linux
> kernel (hd0,0)/vmlinuz root=/dev/cciss/c0d0p3 vga=788
> initrd (hd0,0)/initrd
>
> regards,
> Olivier

--

GertJan

Email address is invalid, so don't reply directly, I'm on the list.
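
The check discussed in this message, as an added example that is not part of the original post: read the build string embedded in a kernel image on disk and compare it with what `uname` reports for the running kernel. It assumes an x86 bzImage; the function names, the sample image and the build host name are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the build string inside a kernel image on disk with
# the kernel that is actually running. Assumes an x86 bzImage, whose setup
# header holds a 16-bit little-endian pointer at offset 0x20E (526); the
# NUL-terminated version string sits at that pointer + 0x200.

image_build_string() {
    img=$1
    set -- $(od -An -tu1 -j526 -N2 "$img" 2>/dev/null)
    [ $# -eq 2 ] || return 1
    ptr=$(( $1 + $2 * 256 ))
    [ "$ptr" -ne 0 ] || return 1
    dd if="$img" bs=1 skip=$(( ptr + 512 )) count=256 2>/dev/null |
        tr '\000' '\n' | head -n 1
}

# Returns 0 on match, 1 on mismatch, 2 if the image has no version string.
# Release and version default to the running kernel (uname -r / uname -v).
check_running_kernel() {
    img=$1 rel=${2:-$(uname -r)} ver=${3:-$(uname -v)}
    if ! built=$(image_build_string "$img") || [ -z "$built" ]; then
        echo "UNKNOWN: no version string found in $img"; return 2
    fi
    case $built in
        "$rel ("*") $ver") echo "MATCH: $img is the running kernel"; return 0 ;;
    esac
    echo "MISMATCH: reboot pending, or the bootloader loads a different image"
    echo "  running: $rel $ver"
    echo "  on disk: $built"
    return 1
}

# Constructed stand-in for a kernel image: zero padding, pointer 0x0010,
# then the version string at offset 0x210. Not a real kernel.
make_sample_image() {
    { dd if=/dev/zero bs=526 count=1 2>/dev/null
      printf '\020\000%s\000' "$2"; } > "$1"
}

# Demo: on-disk stamp and running stamp as quoted in the thread
# (the build host name is made up).
demo() {
    t=$(mktemp) || return 2
    make_sample_image "$t" "2.4.19-4GB (root@build.example) #1 Mon Aug 4 23:38:42 UTC 2003"
    check_running_kernel "$t" "2.4.19-4GB" "#1 Fri Sep 13 13:14:56 UTC 2002"; rc=$?
    rm -f "$t"; return "$rc"
}
demo || true
```

On a live system, `check_running_kernel /boot/vmlinuz` with no further arguments compares the image against `uname -r` and `uname -v`.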

