Really nasty Linux security bug

Scott Doty scott at sonic.net
Sat Oct 20 12:53:49 PDT 2001


On Fri, Oct 19, 2001 at 11:53:58AM -0700, Dustin Mollo wrote:
> Hey all.  For those that don't read slashdot all that often, check out this
> email over on SecurityFocus.
> 
> http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21
> 
> ObQuote:
> 
> There are two bugs present in Linux kernels 2.2.x, x<=19 and 2.4.y, y<=9.
> The first vulnerability results in local DoS. The second one, involving
> ptrace, can be used to gain root privileges locally (in case of default
> install of most popular distributions). Linux 2.0.x is not vulnerable to the
> ptrace bug mentioned.

Uh, this looks like the ptrace vulnerability reported a couple of months
ago.  As we found out, Dustin, 2.0.x is definitely vulnerable, and there
is an active exploit.

We here at Sonic were caught off-guard when the original announcement
didn't mention 2.0.x.  Our shell server, Bolt, runs 2.0.39.  An intruder
gained root access a couple of months ago using this exploit.

By the way, this was the same intruder that attacked sourceforge.net and
other high-profile sites.  His MO was to install a trojaned ssh to gather
passwords to other hosts to exploit.  He was arrested about two weeks later,
and a copy of the output of his trojaned ssh from our server was found
on his own computer.

Back then, Dustin found the exploit program and ran it -- sure enough, it gave him
a root shell.  (It has to be run multiple times until the race condition
manifests itself.)  The solution:  if you have to stay with a 2.0.x kernel,
get the 2.0.39 sources, and then apply the openwall patch.

   http://www.openwall.com/linux/

I don't know why reports continue to say that 2.0.x isn't vulnerable, but
it is.

 -Scott