Mailinglist Archive: opensuse-security (394 mails)

Re: [suse-security] suse 8.1 : ptrace exploit still working fine!?MAybe sligthly OT.
  • From: GarUlbricht7@xxxxxxxxxxxx
  • Date: Wed, 03 Dec 2003 18:12:46 -0500
  • Message-id: <44660299.4697FB0F.16F823AE@xxxxxxxxxxxx>
Markus Gaugusch <markus@xxxxxxxxxxx> wrote:
>
>On Dec 3, Dirk Schreiner <dirk.schreiner@xxxxxxx> wrote:
>
>> Hi,
>>
>> so what do we learn about this?
>> Never do an automatic Update and run YOU interactively.
>> [...]
----<text snipped>---

Hi,

I agree with Markus, fou4s is a good tool, and I use it.

But the problem here was deeper than automatic updates,

In Oliver's original post he stated:
#
# Subject:[suse-security] suse 8.1 : ptrace exploit still working fine!?
# Date: Sat, 29 Nov 2003 6:48:23 PM EST
# From: "Olivier M." <qmail@xxxxxxxxxxxxx>
# To: suse-security@xxxxxxxx
#
# A suse 8.1 based server has been cracked,
# and the "visitor" left all his tools,
# so I've been able to play with it as well.
#
# The server was kept "up to date", but look at that:
#
# om@box:~/tmp> uname -a
# Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
#
---<text snipped>---

That date is over a year ago.
I am running 8.1, and the SuSE k_deflt kernel that I originally
installed (i586) was built (per rpm -qpi) as follows:

Build Date: Fri 13 Sep 2002 07:27:51 AM PDT

I imagine the i686 kernel was built about the same time,
in fact I would bet it was built:

Fri Sep 13 13:14:56 UTC 2002 !!!!

So, based on the above the machine was still running
the original kernel as shipped with 8.1, and the machine
had not been patched against the ptrace exploit.

* On Tue Dec 02 2003 - 15:42:38 CET (approx) Olivier M. wrote:
>
> Something is still strange: the ptrace exploit appeared
> around March/April 2003, and the fixed (suse-) kernel
> for 8.1 only in August ?

He was wrong. SuSE issued a ptrace kernel fix for the k_deflt kernel
last spring (2003). I installed it in my 8.0 box last
May, and in my 8.1 box when I installed 8.1 in July, 2003.

The machine that Oliver was saying was "up to date"
had missed two kernel updates. One in Spring and one in August.

However, the August 5th kernel patch was to fix a possible denial
of service (DoS) attack in the routing code as well as
bad side effects of the initial ptrace security fix ...
http://www.suse.com/de/security/2003_034_kernel.html

So, going back to Dirk's question:

.. so what do we learn about this?

I say we again learn that a responsible sys admin would be subscribed
to both this list [suse-security] and [suse-security-announcements]
as well as running YOU and/or fou4s checks on a regular basis.

But then we all knew that ;)

Friendly greetings,
Gar
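The check Gar performs by hand above (compare the build timestamp in `uname -a` against the `Build Date:` of the installed kernel package) can be scripted. The following is an added example, not code from this thread or from SuSE; the timezone table is an assumption (abbreviations are ambiguous, extend it for your own hosts), and the sample strings are the ones quoted in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC offsets for the zone abbreviations seen in the thread.
TZ_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "PDT": -7, "PST": -8, "EDT": -4, "EST": -5, "CET": 1}

def _to_utc(naive, tz_abbr):
    """Attach a fixed-offset zone to a naive datetime and normalise it to UTC."""
    offset = timezone(timedelta(hours=TZ_OFFSET_HOURS[tz_abbr]))
    return naive.replace(tzinfo=offset).astimezone(timezone.utc)

def parse_uname_build(uname_line):
    """Extract the build timestamp from a `uname -a` line such as
    'Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown'."""
    m = re.search(r"#\d+\s+(?:SMP\s+)?(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\w+) (\d{4})",
                  uname_line)
    if not m:
        raise ValueError("no kernel build timestamp in: " + uname_line)
    naive = datetime.strptime(m.group(1) + " " + m.group(3), "%a %b %d %H:%M:%S %Y")
    return _to_utc(naive, m.group(2))

def parse_rpm_build_date(rpm_line):
    """Parse the 'Build Date:' line of `rpm -qi` / `rpm -qpi` output, e.g.
    'Build Date: Fri 13 Sep 2002 07:27:51 AM PDT' (C locale formatting)."""
    m = re.search(r"Build Date:\s*(\w{3} \d{1,2} \w{3} \d{4} \d{1,2}:\d\d:\d\d [AP]M) (\w+)",
                  rpm_line)
    if not m:
        raise ValueError("no Build Date in: " + rpm_line)
    naive = datetime.strptime(m.group(1), "%a %d %b %Y %I:%M:%S %p")
    return _to_utc(naive, m.group(2))

def running_kernel_is_stale(uname_line, rpm_line, slack=timedelta(minutes=5)):
    """True when the kernel package on disk was built after the kernel that is
    actually running: an update was installed (e.g. by YOU) but never booted."""
    return parse_uname_build(uname_line) + slack < parse_rpm_build_date(rpm_line)

def running_kernel_age_days(uname_line, now_utc):
    """Whole days between the running kernel's build and `now_utc` (an aware
    datetime or an ISO 8601 string). A large value on a 'kept up to date' box
    is exactly the symptom described in the thread."""
    if isinstance(now_utc, str):
        now_utc = datetime.fromisoformat(now_utc)
    return (now_utc - parse_uname_build(uname_line)).days

if __name__ == "__main__":
    # Constructed from the values quoted in the thread.
    uname = "Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown"
    rpm = "Build Date: Fri 13 Sep 2002 07:27:51 AM PDT"
    print("stale:", running_kernel_is_stale(uname, rpm))
    print("age (days):", running_kernel_age_days(uname, "2003-11-29T23:48:23+00:00"))
```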
