
Re: Backport of the integer overflow in the brk system call



Tom <tb.31123.nospam@comcast.net> wrote:
> On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote:

>> Apparently nobody knew it was comparable to ptrace, it looked like a
>> simple bugfix and not like a local root exploit.

> Well, I just downloaded 2.4.23 from kernel.org and installed it.

You could have simply used the fixed 2.4.18 from security.debian.org.

[...]
> Was this problem a deviation from well-established security practices or
> is it a new thing?

Afaict no and no.

> Could somebody explain it in a nutshell?

Afaik: 2.4.23 contains literally 100s of changes, one of these was a
small change to do_brk(), which looked like a normal non-critical
bugfix to everybody involved. Some time later Debian was hacked and
backtracing how the intruder got superuser privileges revealed that
the do_brk() without the "small change" was guilty, it had been
no simple bug but a local privilege escalation issue.

To repeat this: Neither Debian, nor Suse, nor Linux Kernel had known
that there was a local root exploit in Linux Kernel 2.4.x (x<<23)
until Debian was hacked *and* until Robert van der Meulen found out
how the intruder managed to get root privileges on the hacked
machines.

Once the vulnerability was known at least Debian and RedHat (I don't
read e.g. Suse's or Mandrake's security announcements) released an
advisory with fixed packages as fast as possible.

Disclaimer: I am no member of the security team and was not involved
in finding or fixing the bug.
                   cu andreas
-- 
Hey, there's a balloon vending machine in the toilet!
Unofficial _Debian-packages_ of latest unstable _tin_
http://www.logic.univie.ac.at/~ametzler/debian/tin-snapshot/
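The subject line names the bug class, an integer overflow in a brk-style range computation, but the message itself only says that the do_brk() change "looked like a normal non-critical bugfix". The following added example (not the kernel's do_brk() code and not the 2.4.23 change itself, just a constructed toy) shows why an overflow in an address-plus-length check is easy to read as harmless: the unchecked version compares a wrapped sum against the limit and accepts a range it should reject, while the checked version rejects the wrap-around explicitly. The address-space limit TOY_TASK_SIZE and both function names are assumptions for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy address space: a mapping may only cover [0, TOY_TASK_SIZE).
 * The constant is illustrative, not a real kernel value. */
#define TOY_TASK_SIZE ((uintptr_t)0xC0000000u)

/* Unchecked variant: computes end = addr + len and compares only the result
 * against the limit. If addr + len wraps past UINTPTR_MAX, end becomes a
 * small number and the comparison passes for a range that is not valid. */
bool range_ok_unchecked(uintptr_t addr, uintptr_t len)
{
    uintptr_t end = addr + len;          /* may wrap around silently */
    return end <= TOY_TASK_SIZE;
}

/* Checked variant: refuse the request before the addition can wrap.
 * Both tests are written as subtractions that cannot underflow, so no
 * intermediate value ever leaves the representable range. */
bool range_ok_checked(uintptr_t addr, uintptr_t len)
{
    if (len > TOY_TASK_SIZE)             /* the length alone exceeds the space */
        return false;
    if (addr > TOY_TASK_SIZE - len)      /* addr + len would exceed the limit */
        return false;
    return true;
}

/* Stand-alone demo: prints how each variant judges a few constructed requests. */
int main(void)
{
    struct { uintptr_t addr, len; const char *what; } cases[] = {
        { 0x1000, 0x1000, "small range well inside the space" },
        { TOY_TASK_SIZE - 0x10, 0x20, "range crossing the limit" },
        { UINTPTR_MAX - 0xfff, 0x2000, "range whose addr+len wraps to a small value" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-46s unchecked=%s checked=%s\n", cases[i].what,
               range_ok_unchecked(cases[i].addr, cases[i].len) ? "ok" : "reject",
               range_ok_checked(cases[i].addr, cases[i].len) ? "ok" : "reject");
    }
    return 0;
}
```

The third case is the one that matters: the unchecked function reports "ok" because the wrapped sum is tiny, the checked function rejects it. A reviewer skimming a diff that merely rearranges such a comparison can easily file it as a cosmetic fix, which is the point the message makes about the do_brk() change.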