
Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]



----- Original Message -----
From: "Christian Hammers" <ch@debian.org>
To: "Marc Demlenne" <m.demlenne@skynet.be>
Cc: "DouRiX" <dourix-tech@simicro-internet.mg>; "Lutz Kittler"
<Lutz.Kittler@sse-erfurt.de>; <debian-security@lists.debian.org>
Sent: Tuesday, April 01, 2003 2:04 PM
Subject: Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and
2.4 kernels]


[snip]
> >
> > What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.
> >   echo unexisting_binary > /proc/sys/kernel/modprobe
> >
> > Can we trust this solution?
>
> NO, it does not prevent the exploit.
>
> It does prevent the km3.c example exploit but not e.g.
>   http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
>

I'd have to disagree with you there.
I've done this to one Debian box (3.0 running 2.2.20) and it does stop the
above exploit:

$ echo "/this/doesnt/exist" > /proc/sys/kernel/modprobe
$ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
$ ./isec-ptrace-kmod-exploit
$ [+] Attached to 18765
(gets stuck here - have to use Ctrl+C)
$


> You have to patch the kernel or load and compile the following module:
>   http://www.securiteam.com/tools/5SP082K5GK.html (no-ptrace-module.c)
>
The above is probably the better solution.
But you can't beat patching the kernel, if it'll work - When are Debian
going to release a DSA on this? :)

I'm running 2.2.19 from when I upgraded from 2.2r2 and can't apt-get the
kernel-source-2.2.19 and same for 2.2.20. Most annoying. I don't want to
upgrade to 2.4.x yet.
If I could get the source for 2.2.19 or 2.2.20 from Debian then I could copy
the configuration file from /boot as .config and then just apply the kernel
patch and "make oldconfig" without having to re-do the config again.
Downloading the source from kernel.org and trying to use the config in /boot
has 'new features' and things.
(I'm not too confident at compiling the kernel and the default Debian one is
fine!).

Regards,
David.
--
David Ramsden
http://portal.hexstream.eu.org/


