[rsbac] Local root exploit in 2.4.22 and previous

Thorsten Sauter tsauter at debian.org
Thu Dec 4 09:52:07 CET 2003


* Amon Ott <rsbac at rsbac.org> [2003-12-04 09:14]:
| On Wednesday, 3 December 2003 19:05, Fabian Kiendl wrote:
| > > there is a local root exploit present in 2.4 kernels up to 2.4.22. The
| > > following patch against mm/mmap.c fixes it (offsets are from an RSBAC and
| > > PaX patched kernel, expect offset warning!):
| >
| > What would have happened if I hadn't installed that patch on an
| > RSBAC-enabled system and someone had tried to exploit it? Would RSBAC have
| > offered me any protection against the exploit itself, or would at least
| > the RC, ACL and FF modules have successfully prevented rootkit installation?
| 
| AFAIK, the attack used on the Debian Servers
| 1. Used a local shell (easier to deny with RSBAC, but may be legal)

Why does the user need a login account if he/she can't execute a valid
shell?

| 2. Fetched extra code and the SucKIT rootkit via http (both writing to disk 
| and access to remote network endpoints can be denied by RSBAC)

Well, this sounds a little bit like "ifconfig eth0 down". I think you
can't do this on a machine that is meant for real work.

| 3. compiled or downloaded a do_brk exploit program (compiler accessible?)

Does this exploit only run on i386? I guess most of us have an i386 machine
which can compile the code locally. This means removing the compiler
doesn't really help here.

| 4. ran the program (execute uncontrolled program)

OK, this sounds good. RC model for all binaries in /bin, /sbin, ...

| However, an attacker with good RSBAC knowledge, who came to step 4 or 
| exploited a service, might have been able to place a notification call for 
| CHANGE_OWNER to 400 through the do_brk bug (repeated for several users with 
| separation of duty), disable access control (some work, if no switching or 
| softmode allowed, usually produces extra log messages) and then continue.

Really hard.

| So, please fix your systems or update to 2.4.23 (I just made 2.4.23 support 
| official).

Of course.

Bye
Thorsten
