
Re: PTRACE Fixed?



On Sat, 2003-03-22 at 04:43, Markus Kolb wrote:
> Jon wrote:
> 
> [...]
> 
> >>
> >>Linux kmod + ptrace local root exploit by <anszom@v-lo.krakow.pl>
> >>
> >>=> Simple mode, executing /usr/bin/id > /dev/tty
> >>sizeof(shellcode)=95
> >>=> Child process started..........
> >>=> Child process started..........
> 
> [...]
> >>
> >>Does this mean the patch I downloaded worked?
> > 
> > 
> > Yes.
> > 
> > - Jon
> 
> Mmh, well, I have a non-patched 2.4.19 and so there should be the bug.
> I've tried the k3m, too.
> In my environment it first told me that my kernel is attackable.
> I ran k3m a 2nd and 3rd time and it has only reported the "Child process 
> started..." messages and produced child process zombies.


The exploit may need to start several child processes before one of
them obtains root privileges.  If your kernel is vulnerable, you should
get an "ok!" message after a few attempts (usually works the second or
third time on my 2.4.20-k7 machine).

When run without arguments, the exploit just starts a process, checks
its privileges, then kills the processes.  I have not noticed any
zombie processes after running the exploit - even after running it
several times.  If you *do* want it to start some processes, there are
command-line options to do so.  


> What is that? Is k3m buggy? Very strange...
> 

Works great on my machine... unfortunately.  ;)

- Jon


