[rsbac] Local root exploit in 2.4.22 and previous
Thorsten Sauter
tsauter at debian.org
Thu Dec 4 09:52:07 CET 2003
* Amon Ott <rsbac at rsbac.org> [2003-12-04 09:14]:
| On Mittwoch, 3. Dezember 2003 19:05, Fabian Kiendl wrote:
| > > there is a local root exploit present in 2.4 kernels up to 2.4.22. The
| > > following patch against mm/mmap.c fixes it (offsets are from an RSBAC and
| > > PaX patched kernel, expect offset warning!):
| >
| > What would have happened if I hadn't installed that patch on an
| > RSBAC-enabled system and someone had tried to exploit it? Would RSBAC have
| > offered me any protection against the exploit itself, or would at least
| > the RC, ACL and FF modules have successfully prevented rootkit installation?
|
| AFAIK, the attack used on the Debian Servers
| 1. Used a local shell (easier to deny with RSBAC, but may be legal)
Why does the user need a login account if he/she can't execute a valid
shell?
| 2. Fetched extra code and the SucKIT rootkit via http (both writing to disk
| and access to remote network endpoints can be denied by RSBAC)
Well, this sounds a little bit like "ifconfig eth0 down". I think you
can't do this on a machine used for working purposes.
| 3. compiled or downloaded a do_brk exploit program (compiler accessible?)
This exploit only runs on i386? I guess most of us have an i386 machine
which can compile the code locally. This means removing the compiler
doesn't really help here.
| 4. ran the program (execute uncontrolled program)
OK, this sounds good. RC model for all binaries in /bin, /sbin, ...
| However, an attacker with good RSBAC knowledge, who came to step 4 or
| exploited a service, might have been able to place a notification call for
| CHANGE_OWNER to 400 through the do_brk bug (repeated for several users with
| separation of duty), disable access control (some work, if no switching or
| softmode allowed, usually produces extra log messages) and then continue.
Really hard.
| So, please fix your systems or update to 2.4.23 (I just made 2.4.23 support
| official).
Of course.
Bye
Thorsten