
Bug#458251: prctl exploit works on kernel 2.6.18.5



tag 458251 + unreproducible
tag 458251 + moreinfo
thanks

On Sat, Dec 29, 2007 at 10:58:59PM +0200, Lex wrote:
> Package: linux-image
> Version: 2.6.18.5
> Tags: security
> 
> Hello.
> I'm running a Debian etch server, kernel 2.6.18.5, libc6_2.3.6.ds1-13etch2
> updated by aptitude yesterday.

The string '2.6.18.5' doesn't correspond to any Debian kernel
version. See this page for information on how you can find the
appropriate version information:
  http://wiki.debian.org/DebianKernelReportingBugs

> Today my server was attacked.  The attacker logged in as the non-privileged 
> user "test" (the password was brute-forced).  He used a prctl local root exploit 
> (code below). 
> And it works! The file "core" was dumped in the folder /etc/cron.d/
> The only happiness is that cron did not run it.

You cannot be sure of this; with root privileges, an attacker could
modify your log to hide a successful attack. Unfortunately, the only
way you can be sure that this attacker no longer retains access is to
reinstall your system from scratch.

> Error in syslog:
> cron[2379]: Error: bad minute; while reading /etc/cron.d/core
> I tried to look up this exploit on Google and found that it affected 
> kernels 2.6.13-2.6.17.4. From kernel 2.6.17.4 it should be fixed. But it looks 
> like it is not....

You appear to be referring to CVE-2006-2451, which was fixed in
Debian's 2.6.18 before etch was released. I tried the exploit you provided
just to be sure, and it does not succeed on the latest etch kernel
(2.6.18.dfsg.1-17).

-- 
dann frazier
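
A check for the symptom described in this thread (a file named "core" appearing in /etc/cron.d and cron failing to parse it), as an added example that is not part of the original messages. The function names, the sample log prefix and the temporary directory contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # core dumps are ELF files, crontab fragments are text
# cron's parse complaint, in the form quoted in the report
CRON_ERR = re.compile(r"cron\[\d+\]: Error: [^;]+; while reading (?P<path>\S+)")

# Constructed sample: the second line is the syslog entry from the report with
# a made-up timestamp/host prefix; the first is an unrelated cron line.
SAMPLE_LOG = [
    "Dec 29 20:01:01 host CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)",
    "Dec 29 20:02:01 host cron[2379]: Error: bad minute; while reading /etc/cron.d/core",
]

def cron_parse_errors(log_lines):
    """Return the paths cron reported it could not parse."""
    return [m.group("path") for line in log_lines if (m := CRON_ERR.search(line))]

def elf_files(directory):
    """Return names of regular files in `directory` that begin with the ELF magic."""
    hits = []
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and not p.is_symlink():
            with p.open("rb") as fh:
                if fh.read(4) == ELF_MAGIC:
                    hits.append(p.name)
    return hits

def demo():
    """Run both checks on constructed data (a stand-in for /etc/cron.d)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "logrotate").write_text("0 3 * * * root /usr/sbin/logrotate\n")
        Path(d, "core").write_bytes(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)
        return cron_parse_errors(SAMPLE_LOG), elf_files(d)

if __name__ == "__main__":
    flagged_by_cron, binary_in_dir = demo()
    print("cron could not parse:", flagged_by_cron)
    print("ELF files in cron directory:", binary_in_dir)
```

On a live host, point `elf_files` at `/etc/cron.d` and feed `cron_parse_errors` the lines of the syslog file; as the reply above notes, a clean result does not prove the host was not compromised.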



