Re: root compromise on debian woody
On 5/27/05, Alexei Chetroi <alexei.chetroi@lexa.uniflux-line.net> wrote:
> On Thu, May 26, 2005 at 09:01:37PM -0400, Selva Nair wrote:
> > Date: Thu, 26 May 2005 21:01:37 -0400
> > From: Selva Nair <selva.nair@gmail.com>
> > Subject: Re: root compromise on debian woody
snip
> >
> > I built a new kernel from 2.4.30 sources and the exploit no more works.
> > Hope this one is safer.
>
> Which kernel you used before on woody? Was it vanilla kernel from
> kernel.org or Debian one? which version? IIRC 2.4.18 is supported by
> security team for woody, so if the exploit works for debian's 2.4.18
> kernel it is bad.
I was running debian 2.4.18-k7. Now I notice that there is another kernel
image available for k7 -- kernel-image-2.4.18-1.k7. Just installed that one and
the exploit doesn't work on it. So was I running an unsafe kernel?
apt-show-versions show
kernel-image-2.4.18-k7/stable uptodate 2.4.18-5
kernel-image-2.4.18-1-k7/stable uptodate 2.4.18-13.1
The timestamp on vmlinuz-2.4.18-k7 is Apr 14 2002 (pretty old) while
the 2.4.18-1-k7
is Apr 14 2004.Why is this 2.4.18-k7 kernel so old and buggy and still
stated to be uptodate?
btw strace on the "bad guy" binary shows it is repeatedly calling brk
with an ever increasing
offset and repeated SIGSEGVs until it succeeds to execve /bin/sh as
root. Possibly
the brk system call integer overflow exploit that was fixed 2 years ago?!
Selva
Reply to: