Bug#458251: prctl exploit works on kernel 2.6.18.5
tag 458251 + unreproducible
tag 458251 + moreinfo
thanks
On Sat, Dec 29, 2007 at 10:58:59PM +0200, Lex wrote:
> Package: linux-image
> Version: 2.6.18.5
> Tags: security
>
> Hello.
> I'm running debian etch server. kernel 2.6.18.5, libc6_2.3.6.ds1-13etch2
> updated by aptitude yesterday.
The string '2.6.18.5' doesn't correspond to any Debian kernel
version. See this page for information on how you can find the
appropriate version information:
http://wiki.debian.org/DebianKernelReportingBugs
> Today my server was attacked. Attacker logged in as non-privileged
> user "test" (password was brute-forced). He used prctl local root exploit
> (code below).
> And it works! File "core" was dumped in folder /etc/cron.d/
> The only happiness is that cron did not run it.
You cannot be sure of this; with root privileges, an attacker could
modify your log to hide a successful attack. Unfortunately, the only
way you can be sure that this attacker no longer retains access is to
reinstall your system from scratch.
> Error in syslog:
> cron[2379]: Error: bad minute; while reading /etc/cron.d/core
> I tried to find this exploit on Google and found that it affected
> kernels 2.6.13-2.6.17.4. From kernel 2.6.17.4 it should be fixed. But looks
> like not....
You appear to be referring to CVE-2006-2451 which was fixed in
Debian's 2.6.18 before etch released. I tried the exploit you provided
just to be sure, and it does not succeed on the latest etch kernel
(2.6.18.dfsg.1-17).
--
dann frazier
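
A defensive check built from the symptoms in this report, added here as an example (it is not code from the bug log or from Debian): it extracts cron's parse error from syslog lines and tests whether files in a cron directory are ELF core dumps. The function names and the sample hostname and timestamps are assumptions; the cron message format is the one quoted above.

```python
import os
import re
import struct

# Format of the cron error quoted in the report above.
CRON_ERR = re.compile(
    r"cron\[\d+\]: Error: (?P<reason>.+?); while reading (?P<path>\S+)")
ET_CORE = 4  # ELF e_type value for a core file

# Constructed sample input; the second entry carries the message from the report.
SAMPLE_LOG = [
    "Dec 29 20:01:01 host /USR/SBIN/CRON[2401]: (root) CMD (run-parts /etc/cron.hourly)",
    "Dec 29 20:02:01 host cron[2379]: Error: bad minute; while reading /etc/cron.d/core",
]


def cron_parse_errors(log_lines):
    """Return (path, reason) for every crontab file cron refused to parse."""
    matches = (CRON_ERR.search(line) for line in log_lines)
    return [(m.group("path"), m.group("reason")) for m in matches if m]


def is_elf_core(path):
    """True if the file starts with an ELF header whose e_type is ET_CORE."""
    try:
        with open(path, "rb") as fh:
            hdr = fh.read(18)
    except OSError:
        return False
    if len(hdr) < 18 or hdr[:4] != b"\x7fELF" or hdr[5] not in (1, 2):
        return False
    # EI_DATA (byte 5) gives the byte order of e_type: 1 = little, 2 = big.
    fmt = "<H" if hdr[5] == 1 else ">H"
    return struct.unpack(fmt, hdr[16:18])[0] == ET_CORE


def core_dumps_in(directory):
    """List regular files in a cron directory that are really core dumps."""
    paths = (os.path.join(directory, n) for n in sorted(os.listdir(directory)))
    return [p for p in paths
            if os.path.isfile(p) and not os.path.islink(p) and is_elf_core(p)]


if __name__ == "__main__":
    for path, reason in cron_parse_errors(SAMPLE_LOG):
        print(f"cron rejected {path}: {reason}")
    if os.path.isdir("/etc/cron.d"):
        for p in core_dumps_in("/etc/cron.d"):
            print(f"core dump in cron directory: {p}")
```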