[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: =?ISO-8859-15?Q?[HS_?]_Re:_D=E9tails_de_la_compromission_d?= es serveurs Debian.org

In article <XVca.ku.9@gated-at.bofh.it>, tom@ringard.org says...
->Salut à tous,


->Quel programme a été "exploité" ?

Extrait du mail envoyé sur "full-disclosure@lists.netsys.com" 
par "debian-security-announce@lists.debian.org "

Recently multiple servers of the Debian project were compromised 
using a Debian developers account and an unknown root exploit. 
Forensics revealed a burneye encrypted exploit. Robert van der 
Meulen managed to decrypt the binary which revealed a kernel 
exploit. Study of the exploit by the RedHat and SuSE kernel and 
security teams quickly revealed that the exploit used an integer 
overflow in the brk system call. Using this bug it is possible 
for a userland program to trick the kernel into giving access to 
the full kernel address space. This problem was found in 
September by Andrew Morton, but unfortunately that was too late 
for the 2.4.22 kernel release.

This bug has been fixed in kernel version 2.4.23 for the 2.4 
tree and 2.6.0-test6 kernel tree. For Debian it has been fixed 
in version 2.4.18-12 of the kernel source packages, version 
2.4.18-14 of the i386 kernel images and version 2.4.18-11 of the 
alpha kernel images.

Est ce que cet exploit est réalisable en remote ou faut-il avoir 
un compte local sur la machine?


Reply to: