
Re: root compromise on debian woody



Selva Nair wrote:
> One of my machines running debian woody (up to date with all security
> updates) was broken into yesterday. The attacker gained normal user access,
> possibly by cracking a weak password, and then managed to get a root shell,
> install a rootkit, etc.
>
> Looking through the evidence left behind (bash_history etc.) I have figured
> out that the privilege escalation was achieved using an executable that the
> attacker downloaded from the net. I have verified that this binary is indeed
> capable of giving a root shell to any user, and it works on two test systems
> I tried -- one woody and one redhat 7.2.
>
> I have taken the system off the net and am in the process of re-installing,
> but the existence of such an easy to use and effective privilege escalation
> kit is quite disturbing. As I have only access to the binary left behind by
> the attacker, I'm pretty clueless as to how the exploit works. Although I am
> pretty well familiar with Linux and have been running servers for several
> years, this is the first time I am facing a root exploit, so I'm rather
> clueless as to what to do.
>
> Any advice would be highly appreciated.

Well, to choose one security hole at random out of the dozens to hundreds
that remain unfixed in woody's kernels, this one allows anyone to go from
a normal user account to root:

CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
        - kernel-source-2.6.11 2.6.11 2.6.11-4
        - kernel-source-2.6.8 2.6.8-16
        - kernel-source-2.4.27 2.4.27-10

-- 
see shy jo
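The check a practitioner would want at this point, added here as an example and not code from either poster: given the fixed-in versions the reply lists for CAN-2005-1263, decide whether the installed kernel source package is at or above them. The comparison follows dpkg's version ordering (epoch, then upstream, then Debian revision; digit runs compared numerically; `~` sorting before everything, including end of string), because a plain string comparison would rank 2.4.27-9 above 2.4.27-10 and give a false "fixed" verdict. The FIXED_IN table is copied from the reply; the dpkg-query output is constructed sample data; reading each reply line as "source package, fixed-in version" is an assumption about the tracker format.

```python
"""Check installed Debian kernel packages against the fixed-in versions
given above for CAN-2005-1263.

Added example, not code from the thread.  FIXED_IN is copied from the
reply; SAMPLE_DPKG_QUERY is constructed, not taken from a real system.
"""

# Source package -> first version carrying the fix, as listed in the reply.
# Assumed to cover only this CAN.
FIXED_IN = {
    "kernel-source-2.6.11": "2.6.11-4",
    "kernel-source-2.6.8": "2.6.8-16",
    "kernel-source-2.4.27": "2.4.27-10",
}


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run (mirrors dpkg's order())."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # punctuation sorts after letters


def _cmp_part(a: str, b: str) -> int:
    """Compare an upstream or revision string the way dpkg's verrevcmp() does."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character with the weights above.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: numeric comparison, so 10 > 9 (a string compare says otherwise).
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        first_diff = 0
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():     # a has more digits: larger number
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(v: str):
    """Split [epoch:]upstream[-debian_revision] into its three fields."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                # no hyphen: the whole string is the upstream part
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def unfixed_packages(dpkg_query_output: str, fixed_in=FIXED_IN):
    # Input lines are "<package> <version>", the shape printed by
    #   dpkg-query -W -f='${Package} ${Version}\n'
    # Returns (package, installed, fixed_in) for each listed package whose
    # installed version is still older than the fixed-in one.
    findings = []
    for line in dpkg_query_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        pkg, ver = fields[0], fields[1]
        if pkg in fixed_in and compare_versions(ver, fixed_in[pkg]) < 0:
            findings.append((pkg, ver, fixed_in[pkg]))
    return findings


# Constructed sample output, not from any real machine.
SAMPLE_DPKG_QUERY = """\
kernel-source-2.4.27 2.4.27-9
kernel-source-2.6.8 2.6.8-16
kernel-image-2.4.27-2-386 2.4.27-9
"""

if __name__ == "__main__":
    for pkg, have, need in unfixed_packages(SAMPLE_DPKG_QUERY):
        print(f"{pkg}: installed {have}, fix is in {need}")
```

To run it against a real box, feed it the output of `dpkg-query -W -f='${Package} ${Version}\n' 'kernel-*'`. Two caveats: the reply names source packages, so a kernel-image binary package has to be mapped to the kernel-source it was built from before the table applies; and the kernel actually running (`uname -r`) can be older than the newest installed package if the machine was never rebooted after the upgrade. A "fixed" verdict here also says nothing about a host that has already been rooted; reinstalling, as the original poster is doing, is still the right call.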
