
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]



Hi,

David Barroso wrote:
> 
> * Marcin Owsiany (porridge@debian.org) wrote:
> > On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> > > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > > > In a server environment, where there is no need to load modules at run-time,
> > > > it could be a "usable workaround", but on a workstation machine I don't
> > > > think that's a great idea.
> > >
> > > In a server environment it is preferable not to
> > > compile with modules at all.
> >
> > Why?
> 
> One reason is security:
> it's relatively easy for an intruder to install a kernel module based
> rootkit, and then hide her processes, files or connections.

I have an "old" kernel with modules and didn't update it, because of the ptrace bug.

This is the reason why:

www1:~# grep CAP_SYS_MODULE /etc/lids/lids.cap
-16:CAP_SYS_MODULE
www1:~# grep CAP_SYS_PTRACE /etc/lids/lids.cap
-19:CAP_SYS_PTRACE

For fun I tried the exploit; it didn't work, it needs access to /proc.
I gave that user access to /proc and tried it again.
The user got logged out, I got an email.

Regards,
Ralf Dreibrodt

-- 
Mesos            Telefon 49 221 4855798-1
Eupener Str. 150 Fax     49 221 4855798-9
50933 Koeln      Mail    rd@mesos.de
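As an added example (not from the original mail and not LIDS code), the following C program shows what the two lids.cap lines above express and how to check the same thing on a running process. It parses lids.cap-style entries, taking `-N:NAME` as disabled and `+N:NAME` as enabled (that reading of the file format is an assumption), and decodes the capability bounding set from the `CapBnd:` line of /proc/self/status. That line exists on 2.6.25 and later kernels, not on the 2.2/2.4 kernels discussed in this thread, so when it is absent the program falls back to a constructed sample with bits 16 and 19 cleared. The bit numbers 16 (CAP_SYS_MODULE) and 19 (CAP_SYS_PTRACE) are the ones in the grep output above.

```c
/* Added example, not code from the original mail or from LIDS.
 * Assumptions: lids.cap lines read "+N:NAME" (enabled) / "-N:NAME" (disabled);
 * "CapBnd:" in /proc/self/status is a 64-bit hex mask (2.6.25+ kernels).
 * Both sample inputs below are constructed for this example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_MODULE 16
#define CAP_SYS_PTRACE 19

/* Constructed sample: a full 37-bit bounding set with bits 16 and 19 cleared. */
const char sample_status[] = "Name:\tcheck\nCapBnd:\t0000001ffff6ffff\n";
/* Constructed sample in lids.cap style, mirroring the grep output in the mail. */
const char sample_lids_cap[] =
    "+15:CAP_IPC_OWNER\n-16:CAP_SYS_MODULE\n-19:CAP_SYS_PTRACE\n+21:CAP_SYS_ADMIN\n";

/* Advance to the start of the next line, or NULL at end of text. */
static const char *next_line(const char *p)
{
    p = strchr(p, '\n');
    return p ? p + 1 : NULL;
}

/* 1 if bit capbit is set in a 64-bit capability mask, else 0. */
int cap_in_mask(unsigned long long mask, int capbit)
{
    return (capbit >= 0 && capbit < 64) ? (int)((mask >> capbit) & 1ULL) : 0;
}

/* Locate "CapBnd:" in status-file text and parse the hex mask after it.
 * Returns 1 and fills *mask, or 0 if no parseable CapBnd line exists. */
int parse_capbnd(const char *status_text, unsigned long long *mask)
{
    for (const char *p = status_text; p && *p; p = next_line(p)) {
        if (strncmp(p, "CapBnd:", 7) != 0)
            continue;
        char *end;
        errno = 0;
        unsigned long long v = strtoull(p + 7, &end, 16);
        if (end == p + 7 || errno != 0)
            return 0;
        *mask = v;
        return 1;
    }
    return 0;
}

/* -1 if the text has no CapBnd line, else 0/1 for whether capbit is in it. */
int bounding_set_has(const char *status_text, int capbit)
{
    unsigned long long mask;
    if (!parse_capbnd(status_text, &mask))
        return -1;
    return cap_in_mask(mask, capbit);
}

/* Parse one lids.cap line such as "-16:CAP_SYS_MODULE": returns +1 (enabled),
 * -1 (disabled) or 0 (not a capability line); stores the number in *capnum. */
int parse_lids_cap_line(const char *line, int *capnum)
{
    int sign = (line[0] == '+') ? 1 : (line[0] == '-') ? -1 : 0;
    if (sign == 0)
        return 0;
    char *end;
    long n = strtol(line + 1, &end, 10);
    if (end == line + 1 || *end != ':' || n < 0 || n > 63)
        return 0;
    *capnum = (int)n;
    return sign;
}

/* Scan lids.cap text: +1/-1 for the state of capbit, 0 if it is not listed. */
int lids_cap_state(const char *captext, int capbit)
{
    for (const char *p = captext; p && *p; p = next_line(p)) {
        int num;
        int s = parse_lids_cap_line(p, &num);
        if (s != 0 && num == capbit)
            return s;
    }
    return 0;
}

int main(void)
{
    char buf[8192];
    const char *status = sample_status;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        if (strstr(buf, "CapBnd:"))
            status = buf;       /* live data; otherwise keep the sample */
    }
    int caps[] = { CAP_SYS_MODULE, CAP_SYS_PTRACE };
    for (int i = 0; i < 2; i++)
        printf("cap %d: lids.cap %+d, in bounding set: %d\n", caps[i],
               lids_cap_state(sample_lids_cap, caps[i]), bounding_set_has(status, caps[i]));
    return 0;
}
```

Build with `cc -o capcheck capcheck.c` and run it as an unprivileged user: on a current kernel the second column reports the live bounding set, which is the analogue of what LIDS enforced here, namely whether a process on this box can still load modules or ptrace other processes regardless of what the lids.cap file says.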


