Mailinglist Archive: opensuse-security (220 mails)

suse 8.1 : ptrace exploit still working fine!?
  • From: "Olivier M." <qmail@xxxxxxxxxxxxx>
  • Date: Sun, 30 Nov 2003 00:48:23 +0100
  • Message-id: <20031130004823.I7509@xxxxxxxxxxxxx>

A suse 8.1 based server has been cracked, and the "visitor" left
all his tools, so I've been able to play with it as well.
The server was kept "up to date", but look at that:

om@box:~/tmp> uname -a
Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown

om@box:~/tmp> cat /etc/issue
Welcome to SuSE Linux 8.1 (i386) - Kernel \r (\l).

om@box:~/tmp> rpm -qa|grep k_
k_deflt-2.4.19-340

om@box:~/tmp> id
uid=400(om) gid=500(nofiles) groups=500(nofiles)

om@box:~/tmp> ./ptrace
[*] PID of Parent: 22768
[*] PID of Child: 22769
[*] Attaching to PID 22770
[*] Got registers!
[!] EIP: 0x4000eaed
[!] ESP: 0xbffffa48
[!] EBP: 0xffffffda
[!] EAX: 0xbffffa8c
[!] EBX: 0xbffffc74
[!] ECX: 0xbfffff7c
[!] EDX: 0x400130ec
[!] EDI: 0x00000000
[!] ESI: 0x400135fc
[*] Injecting shellcode (0x4000eaed)
[*] Detaching from PID 22770
[*] Voila baby, entering rootshell!
sh-2.05b# [*] waiting for SIGCHLD...
sh-2.05b# id
uid=0(root2) gid=0(root) groups=500(nofiles)
sh-2.05b#


Well... I thought that ptrace problem had been fixed...?
(in suse 8.2 it's fine, the exploit is not working)

Regards,
Olivier
--
_________________________________________________________________
Olivier Mueller - om@xxxxxxx - PGPkeyID: 0E84D2EA - Switzerland
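One check worth running on a box like this before believing "kept up to date": a kernel package only protects you once the machine has been rebooted into it. The following is an added example, not code from the post; it parses the uname -a line quoted above and compares the running kernel's build stamp with the installed package's RPM build time (the package build timestamp is an assumed value, since the post does not show one).

```python
import re
from datetime import datetime, timezone

# Input copied from the post's terminal session.
UNAME_A = "Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown"
PKG_NAME = "k_deflt-2.4.19-340"
# Assumed value: what `rpm -q --qf '%{BUILDTIME}' k_deflt` could return
# (March 2003 here); the post does not show it.
PKG_BUILDTIME = 1047600000

UNAME_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<release>\S+)\s+#\d+\s+"
    r"(?P<stamp>\w{3} \w{3} \d+ \d\d:\d\d:\d\d UTC \d{4})"
)


def parse_uname(line):
    """Return (release, build datetime in UTC) from a `uname -a` line."""
    m = UNAME_RE.match(line)
    if not m:
        raise ValueError("unrecognised uname output: " + line)
    stamp = datetime.strptime(m.group("stamp"), "%a %b %d %H:%M:%S UTC %Y")
    return m.group("release"), stamp.replace(tzinfo=timezone.utc)


def package_version(pkg):
    """Split an RPM name like 'k_deflt-2.4.19-340' into (name, version, release)."""
    name, ver, rel = pkg.rsplit("-", 2)
    return name, ver, rel


def check_running_kernel(uname_line, pkg, pkg_buildtime):
    """Verdict: 'mismatch' if the running version is not the package's,
    'stale' if the running kernel was built before the installed package
    (i.e. updated but never rebooted), else 'current'."""
    release, built = parse_uname(uname_line)
    _name, ver, _rel = package_version(pkg)
    pkg_built = datetime.fromtimestamp(pkg_buildtime, tz=timezone.utc)
    if not release.startswith(ver):
        return "mismatch"
    if built < pkg_built:
        return "stale"
    return "current"


if __name__ == "__main__":
    print(check_running_kernel(UNAME_A, PKG_NAME, PKG_BUILDTIME))
```

A "stale" or "mismatch" result means the patch level reported by rpm says nothing about the kernel actually executing, which is the case to rule out first on a host where a supposedly fixed local root exploit still succeeds.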
