Re: root compromise on debian woody

[kamaraju kusumanchi <raju.mailinglists@gmail.com>]

Selva Nair wrote:

> Hi michael, raju:
>
> On 5/26/05, michael <linux@networkingnewsletter.org.uk> wrote:
>  
>
> > On Thu, 2005-05-26 at 17:16 -0400, kamaraju kusumanchi wrote:
> >    
> >
> > > Selva Nair wrote:
> > >      
>
>  
>
> > > >  Looking through evidence left behind (bash_history etc..) I have
> > > > figured out that
> > > > the privilege escalation was achived using an executable  that the
> > > > attacker downloaded
> > > >        
> > > >
> > > > from the net. I have verified that this binary is indeed capable of
> > >      
> > >
> > > > giving root shell to any user
> > > > and it works on two test systems I tried -- one woody and one redhat 7.2.
> > > >        
> > oh please send me a binary that promises to compromise my system....
> >
> >    
>
> Sure you can have it! I didn't want to post graphic details nor the binary to
> the list as I only have the binary and no clue.  
>
> You can download the thingy from http://www.geocities.com/eas2lv/temp/
> -- download
> knl.uuencoded.html to disk and uudecode it to get the binary named knl.
>
> I have no idea what all it does other than  opening a root shell, so be careful 
> not to try it on any critical systems.  strace did not show any potentially 
> damaging system calls, but YMMV. 
>
> Please do let me know anything that you find.
>
> Thanks,
>
> Selva
>  
Thanks for sending the file.   I tried it on sid and it is not giving 
any root access for an ordinary user. Guess it is a problem with woody 
or a particular kernel version then.

$ uname -a
Linux deluxe 2.6.9-1-686 #1 Thu Nov 25 03:48:29 EST 2004 i686 GNU/Linux
$ ./knl
[-] Unable to determine kernel address: Operation not supported