Re: Exploit - what to do
On Wed, Jul 18, 2001 at 03:42:26PM +0200, Jerzy Wolinski wrote:
> I found some local root exploit (source and binary).
> I have run it on some test system. It works on Debian 2.2r2
> >From source I can see that it uses passwd program,
> but I have no knowlegde and no time to search how it
> really works. On debian security alert pages I see
> nothing about passwd.
> What should I do?
Sounds as if it is one of the ptrace() holes in kernels prior to 2.2.19.
It needs an arbitrary setuid binary (passwd is one) to exploit that flaw,
but there are enough...
What to is just to upgrade your kernel. But as your box sounds
compromised, reinstall it along with a kernel.
If you're using linux 2.2.19 please post some more information.
Alexander Reelsen http://joker.rhwd.de
email@example.com GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
firstname.lastname@example.org 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO