Re: ptrace bug: ipsec exploit makes itself suid(0)

To: <debian-security@lists.debian.org>
Subject: Re: ptrace bug: ipsec exploit makes itself suid(0)
From: "David Ramsden" <david@hexstream.eu.org>
Date: Fri, 21 Mar 2003 14:13:01 -0000
Message-id: <[🔎] 000701c2efb3$fb493aa0$010110ac@rancid>
References: <[🔎] 20030320225012.GM1014@nova.vor.em.ca> <[🔎] 20030321025453.GA14943@eurielec.etsit.upm.es> <[🔎] 20030321075236.GJ2768@bumpern.de> <[🔎] 20030321095108.GB14027@westend.com> <20030321101755.GA22476@virus.home> <20030321114513.GA27229@westend.com> <20030321120227.GB22476@virus.home> <[🔎] 20030321131839.GG30463@westend.com>

----- Original Message -----
From: "Christian Hammers" <ch@debian.org>
To: "Jean Christophe ANDRÉ" <jean-christophe.andre@auf.org>
Cc: <debian-security@lists.debian.org>
Sent: Friday, March 21, 2003 1:18 PM
Subject: ptrace bug: ipsec exploit makes itself suid(0)

> Hello
>
[snip]
> >
> > Be carefull about the exploit owner/permission: it dynamically changes
> > its owner/permissions to root.root/ug+s => setugid binary!
>
> Argh, you're right, what a nasty little skript!
>
> I Cc this to the mailing list so that others don't trap into this when
> verifying whether or not their no-ptrace-module.o prevents an explotation
> of the bug.
>
First post to the list!

I'd like to say that I've had no success with the no-ptrace module (NPT)
(still get root and I've made sure the exploit hasn't been more than once,
due to making itself suid(0)).
I'm using Debain 3.0 (Stable) with kernel 2.2.19 (standard Debian install).
The additional printk() I added, to help "spot potential abusers" did log to
/var/log/messages as:
[date/time] host: kernel: ptrace(): uid=0, comm=

But as I've said... it has had no effect in blocking ptrace() as a
workaround for this exploit.

Regards,
David.
--
David Ramsden
http://portal.hexstream.eu.org/

Reply to:

References:
- howcome there's no DSA for the latest Linux ptrace hole?
  - From: "Tom Goulet (UID0)" <uid0@em.ca>
- Re: howcome there's no DSA for the latest Linux ptrace hole?
  - From: Guille -bisho- <bisho@eurielec.etsit.upm.es>
- Re: howcome there's no DSA for the latest Linux ptrace hole?
  - From: Alexander Neumann <alexander@bumpern.de>
- Re: howcome there's no DSA for the latest Linux ptrace hole?
  - From: Christian Hammers <ch@debian.org>
- ptrace bug: ipsec exploit makes itself suid(0)
  - From: Christian Hammers <ch@debian.org>

Prev by Date: Re: howcome there's no DSA for the latest Linux ptrace hole?
Next by Date: Re: [d-security] Re: ptrace bug: ipsec exploit makes itself suid(0)
Previous by thread: ptrace bug: ipsec exploit makes itself suid(0)
Next by thread: Re: [d-security] Re: ptrace bug: ipsec exploit makes itself suid(0)
Index(es):
- Date
- Thread