Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

To: <debian-security@lists.debian.org>
Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
From: "David Ramsden" <david@hexstream.eu.org>
Date: Tue, 1 Apr 2003 17:46:46 +0100
Message-id: <[🔎] 009c01c2f86e$48c2c450$010110ac@rancid>
References: <3E883C67.3020807@simicro-internet.mg> <20030331134931.GA7092@mood.ritram.it> <[🔎] 3E89761A.60609@simicro-internet.mg> <[🔎] 20030401120612.GA555@marcelle.homelinux.org> <[🔎] 20030401130428.GA12640@westend.com> <[🔎] 004501c2f854$4b718f70$010110ac@rancid> <[🔎] 20030401154838.GC6671@westend.com>

----- Original Message -----
From: "Christian Hammers" <ch@debian.org>
To: "David Ramsden" <david@hexstream.eu.org>
Cc: <debian-security@lists.debian.org>
Sent: Tuesday, April 01, 2003 4:48 PM
Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace
vulnerability in 2.2 and 2.4 kernels]

[snip]
>
> Can it be that you had loaded no-ptrace-module.o or someone patched your
> kernel? See:
>
[snip]

It's the 2.2.20 kernel from Debian (did an apt-get install of the .deb
kernel-image package).
I then did: echo '/this/doesnt/exist' > /proc/sys/kernel/modprobe
And tried what you did Christian. See below:

$ uname -r
2.2.20
$ gcc ptrace-kmod.c -o ptrace-kmod
$ ls -al ptrace-kmod*
-rwxr-xr-x    1 scarlet  scarlet      9028 Apr  1 17:40 ptrace-kmod
-rw-r--r--    1 scarlet  scarlet      3736 Apr  1 17:37 ptrace-kmod.c
$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ ./ptrace-kmod
[-] Unable to attach: Operation not permitted
Killed
$ ./ptrace-kmod

$ ./ptrace-kmod
[+] Attached to 25763

$ ./ptrace-kmod
[+] Attached to 25770

$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ cat /proc/sys/kernel/modprobe
/this/doesnt/exist
$

I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't
been patched.
I can "echo '/sbin/modprobe' > /proc/sys/kernel/modprobe" and try the above
and I'll get a root prompt first time.

Maybe it doesn't work for the 2.4.x kernel series?
Can anyone else try this maybe and report back :-)

Cheers.
David.

Reply to:

Follow-Ups:
- Re: [d-security] Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: Christian Hammers <ch@debian.org>

References:
- Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: DouRiX <dourix-tech@simicro-internet.mg>
- Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: Marc Demlenne <m.demlenne@skynet.be>
- Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: Christian Hammers <ch@debian.org>
- Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: "David Ramsden" <david@hexstream.eu.org>
- Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
  - From: Christian Hammers <ch@debian.org>

Prev by Date: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Next by Date: Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Previous by thread: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Next by thread: Re: [d-security] Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Index(es):
- Date
- Thread