
Re: ptrace bug: ipsec exploit makes itself suid(0)



----- Original Message -----
From: "Christian Hammers" <ch@debian.org>
To: "Jean Christophe ANDRÉ" <jean-christophe.andre@auf.org>
Cc: <debian-security@lists.debian.org>
Sent: Friday, March 21, 2003 1:18 PM
Subject: ptrace bug: ipsec exploit makes itself suid(0)


> Hello
>
[snip]
> >
> > Be careful about the exploit owner/permission: it dynamically changes
> > its owner/permissions to root.root/ug+s => setugid binary!
>
> Argh, you're right, what a nasty little script!
>
> I Cc this to the mailing list so that others don't trap into this when
> verifying whether or not their no-ptrace-module.o prevents an exploitation
> of the bug.
>
First post to the list!

I'd like to say that I've had no success with the no-ptrace module (NPT)
(still get root and I've made sure the exploit hasn't been run more than once,
due to making itself suid(0)).
I'm using Debian 3.0 (Stable) with kernel 2.2.19 (standard Debian install).
The additional printk() I added, to help "spot potential abusers" did log to
/var/log/messages as:
[date/time] host: kernel: ptrace(): uid=0, comm=

But as I've said... it has had no effect in blocking ptrace() as a
workaround for this exploit.

Regards,
David.
--
David Ramsden
http://portal.hexstream.eu.org/


