
Re: rootkit not found by rkhunter



On Sun, Oct 04, 2009 at 11:44:52AM -0400, Thomas Krichel wrote:
> > this looks like a standard privilege escalation (not a rootkit). it
> > appears to be using one of the recent null pointer dereference kernel
> > vulnerabilities.  your fricka machine is probably running one of the
> > unpatched kernels ('uname -r' will tell you which version you are
> > currently running).  chichek is up to date since it is preventing
> > the dereferenced pointer from accessing mmap. 
> 
>   Hmmmm, here is a list of machines affected and unaffected, with
>   their kernel version
>
> affected
> fricka  2.6.26-2-686
  ...

The kernel version reported by uname is not enough to determine the
security status of the kernel.  The kernel version number only changes
when the kernel ABI changes.  Security updates are often applied
without ABI bumps.  For example, kernel 2.6.26-2-686 was introduced by
linux 2.6.26-14.  However, the current version is 2.6.26-19.  Several
security fixes were introduced in the various releases between those two
versions, yet the version reported by uname was unchanged.  You need to
make sure that the machine actually gets rebooted when security updates
are made.

AFAIK, the best way to know if you're running a stale kernel is to
compare the uptime of the machine against the mtime of the actual kernel
(using, e.g. "stat /boot/vmlinuz-2.6.26-2-686").  If the uptime of the
machine places the last reboot sometime before the kernel was updated,
you're not up to date.  If there's a better way to test this, I'd love
to know about it.

noah

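The uptime-versus-mtime comparison described above, as an added shell example that is not from the original thread. It assumes a Linux host with /proc/uptime, GNU stat (for `-c %Y`), and the running kernel image at /boot/vmlinuz-$(uname -r); the function and variable names are my own.

```shell
#!/bin/sh
# Added example: flag a stale running kernel by checking whether the kernel
# image on disk was modified after the machine last booted.

# kernel_is_stale BOOT_EPOCH KERNEL_MTIME_EPOCH
# True (status 0) when the kernel image is newer than the last boot,
# i.e. an update was installed but the machine has not been rebooted.
kernel_is_stale() {
    [ "$2" -gt "$1" ]
}

# Last boot time as seconds since the epoch: current time minus the
# seconds-since-boot figure from /proc/uptime (first field, integer part).
boot_epoch() {
    now=$(date +%s)
    up=$(cut -d. -f1 /proc/uptime)
    echo $((now - up))
}

# Modification time of a file as seconds since the epoch (GNU stat).
kernel_mtime_epoch() {
    stat -c %Y "$1"
}

# Prints a verdict for the running kernel. Status: 0 fresh, 1 stale,
# 2 if the image for `uname -r` is not where Debian installs it.
check_running_kernel() {
    img="/boot/vmlinuz-$(uname -r)"
    if [ ! -f "$img" ]; then
        echo "kernel image $img not found" >&2
        return 2
    fi
    if kernel_is_stale "$(boot_epoch)" "$(kernel_mtime_epoch "$img")"; then
        echo "STALE: $img was modified after the last boot; reboot needed"
        return 1
    fi
    echo "OK: $img is older than the last boot"
    return 0
}

# Run the check when this file is executed directly; the status is
# informational here so a stale result does not abort the script.
if [ -r /proc/uptime ]; then
    check_running_kernel || :
fi
```

Package upgrades that keep the same ABI version (2.6.26-2-686 in the thread) still rewrite the image, so this catches exactly the case where `uname -r` looks unchanged.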