Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

To: David Ramsden <david@hexstream.eu.org>
Cc: debian-security@lists.debian.org
Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
From: Christian Hammers <ch@debian.org>
Date: Tue, 1 Apr 2003 17:48:38 +0200
Message-id: <[🔎] 20030401154838.GC6671@westend.com>
Mail-followup-to: Christian Hammers <ch@debian.org>, David Ramsden <david@hexstream.eu.org>, debian-security@lists.debian.org
In-reply-to: <[🔎] 004501c2f854$4b718f70$010110ac@rancid>
References: <3E883C67.3020807@simicro-internet.mg> <20030331134931.GA7092@mood.ritram.it> <[🔎] 3E89761A.60609@simicro-internet.mg> <[🔎] 20030401120612.GA555@marcelle.homelinux.org> <[🔎] 20030401130428.GA12640@westend.com> <[🔎] 004501c2f854$4b718f70$010110ac@rancid>

On Tue, Apr 01, 2003 at 02:40:44PM +0100, David Ramsden wrote:
> > >   echo unexisting_binary > /proc/sys/kernel/modprobe
> > > Can we trust this solution ?
> > NO, it does not prevent the exploit.
> >
> > It does prevent the km3.c example exploit but not e.g.
> >   http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
> 
> I'd have to disagree with you there.
> I've done this to one Debian box (3.0 running 2.2.20) and it does stop the
> above exploit:
> 
> $ echo "/this/doesnt/exist" > /proc/sys/kernel/modprobe
> $ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
> $ ./isec-ptrace-kmod-exploit
> $ [+] Attached to 18765
> (gets stuck here - have to use Ctrl+C)
> $

Can it be that you had loaded no-ptrace-module.o or someone patched your 
kernel? See:

$ uname -r
2.4.19
$ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
In file included from /usr/include/asm/user.h:5,
                 from /usr/include/linux/user.h:1,
                 from isec-ptrace-kmod-exploit.c:37:
/usr/include/linux/ptrace.h:22: warning: `PTRACE_SYSCALL' redefined
/usr/include/sys/ptrace.h:103: warning: this is the location of the
previous definition

(it's a very old machine, workes fine on others)

$ id
uid=1001(ch) gid=1005(ch) groups=1005(ch)

$ ls -al isec-ptrace-kmod-exploit*
-rwxr-xr-x    1 ch       ch           8964 Apr  1 17:46 isec-ptrace-kmod-exploit
-rw-r--r--    1 ch       ch           3737 Apr  1 17:45 isec-ptrace-kmod-exploit.c

$ ./isec-ptrace-kmod-exploit 
[+] Attached to 4660
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4000ecb4
[+] Now wait for suid shell...
sh-2.03# exit
exit

Q.E.D. :-)

bye,

  -christian-

-- 
"That's one small step for man, one giant leap for mankind"
        - first words of a human on the moon, Neil Armstrong 1969
"Let's get this motherfucker out of here!"
        - last words of a human on the moon, Eugene Cernan 1972

Reply to:

Follow-Ups:
- Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: "David Ramsden" <david@hexstream.eu.org>

References:
- Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: DouRiX <dourix-tech@simicro-internet.mg>
- Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: Marc Demlenne <m.demlenne@skynet.be>
- Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: Christian Hammers <ch@debian.org>
- Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: "David Ramsden" <david@hexstream.eu.org>

Prev by Date: Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Next by Date: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Previous by thread: Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Next by thread: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Index(es):
- Date
- Thread