On Tue, Mar 18, 2003 at 11:57:25PM +0100, Juraj Bednar <[EMAIL PROTECTED]> wrote:
> Hi,
>
> while waiting for kernel compilations from Debian (and while waiting
> for my kernel compilations to finish), I coded a single module,
> which acts as a workaround for one particular exploit I found in one
> user's home directory.
>
> Disclaimer:
>
> 1.) I don't guarantee that it will protect you from other
> exploits (it won't).
>
> 2.) I guarantee it won't break anything (actually it will break
> some occasional ptrace situations, but for simple gdb and stuff,
> this is ok).
>
> 3.) I don't guarantee it will work. It may freeze your machine.
> YMMV.
>
> 4.) I'm not a Linux kernel module coder. If you come up with
> something better, drop me a note.
>
> 5.) Against this exploit, a simple chmod 700 /proc would suffice
> (since it wants to open /proc/self/exe). This is somehow cleaner.
Hi Juraj,

the exploit you mention is publicly available on a very well known site (hack.co.za), so full-disclosure readers may want to take a look at it.

From my point of view, protecting /proc will do nothing: you can rewrite that exploit without reading /proc in a matter of seconds. It reads it only to obtain the complete path of the exploit, because its shellcode payload will do a chown & chmod on it afterwards.

On the linux-kernel list there was a post on this subject on Monday; it also shows an alternative patch for 2.4.20 / 21pre:

http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html

> 6.) It should unload correctly, if it won't freeze your system
> (see point 3:).
>
> Anyway, as a simple workaround, it works for me, so I thought I'd
> post it; it may help you overcome this ugly time.
>
> Compilation instructions are in the source comment.
>
> J.
>
> --
> Juraj Bednar
> http://www.jurajbednar.com/
> http://juraj.bednar.sk/

Best regards,

--
Jose Carlos Luna Duran @ UJI
[EMAIL PROTECTED] / [EMAIL PROTECTED]
Office Tel. +41 22 76 71880

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
