Re: root compromise on debian woody
Hi Kevin,

Forgive me for not answering sooner...

On Sat, 28 May 2005, Kevin Mark wrote:

> Hi Chuck,
> Any time someone mentions 'speakup', it piques my interest to know how Linux is advancing towards better support for people with vision difficulties. Have you ever made a comparison between support in the OSes you have used? Do you have any articles documenting your experiences? I am working with a group trying to bring Free software to youth and while we have supported students who speak non-English languages -- Chinese, we have not had anyone with vision difficulties. It would be helpful to have someone who is using Debian comment upon this as that is what we use.
> Thanks for your time and consideration,
> Kev

Here is a not-so-current background piece: http://www.hhs48.com/why_linux.html

You can also get more current info at www.linux-speakup.org

Many distributions now come with speakup-modified kernels permitting eyes-free installation and operation. There are other access solutions besides speakup, but those require that you have a running system before starting the speech access solution. Speakup is a set of kernel patches that allows the console to talk from startup to shutdown. Once a system is running you can switch it to using software speech, but normally a hardware synthesizer is required. Speakup does not support GUI access, although both the GNOME folks and the KDE folks are working on access solutions (very slowly). Speakup was developed mostly by blind folks, so the developers have a stake in its performance.

I have only used Slackware and Debian myself, and there is nothing in either distro that bears on the effectiveness of speakup. It works great in both. I prefer Debian for reasons unrelated to access. (as presumably you do, too *smile*)

Chuck

--
The Moon is Waxing Crescent (6% of Full)
But you can still get downloads from http://www.mhcable.com/~chuckh

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: root compromise on debian woody
On Thu, Jun 09, 2005 at 04:50:21AM -0400, Charles Hallenbeck wrote:
> Hi Kevin,
> Forgive me for not answering sooner...
<snip>
> Here is a not-so-current background piece: http://www.hhs48.com/why_linux.html
> You can also get more current info at www.linux-speakup.org
> Many distributions now come with speakup-modified kernels permitting eyes-free installation and operation. There are other access solutions besides speakup, but those require that you have a running system before starting the speech access solution. Speakup is a set of kernel patches that allows the console to talk from startup to shutdown. Once a system is running you can switch it to using software speech, but normally a hardware synthesizer is required. Speakup does not support GUI access, although both the GNOME folks and the KDE folks are working on access solutions (very slowly). Speakup was developed mostly by blind folks, so the developers have a stake in its performance.
> I have only used Slackware and Debian myself, and there is nothing in either distro that bears on the effectiveness of speakup. It works great in both. I prefer Debian for reasons unrelated to access. (as presumably you do, too *smile*)
> Chuck

Hi Chuck,
thanks for the reply. I will check out the link!
I guess it is obvious why we chose Debian: the cool red swirl logo! Well, at least I did! *wink*

cheers,
Kev
--
counter.li.org #238656 -- goto counter.li.org and be counted!
Re: root compromise on debian woody
On Sat, May 28, 2005 at 01:39:54PM -0400, Selva Nair wrote:
> Date: Sat, 28 May 2005 13:39:54 -0400
> From: Selva Nair [EMAIL PROTECTED]
> Subject: Re: root compromise on debian woody
[snip]
> I was running Debian 2.4.18-k7. Now I notice that there is another kernel image available for k7 -- kernel-image-2.4.18-1-k7. Just installed that one and the exploit doesn't work on it. So was I running an unsafe kernel?

http://packages.debian.org shows kernel-image-2.4.18-1-k7 as [security]. Updates from the security team went to that package, not to 2.4.18-k7. I don't really know how Debian's kernel versioning works, but IIRC in Sarge there was kernel-image-2.4.27-1-686 and now there's kernel-image-2.4.27-2-686.

> apt-show-versions shows
> kernel-image-2.4.18-k7/stable uptodate 2.4.18-5
> kernel-image-2.4.18-1-k7/stable uptodate 2.4.18-13.1
> The timestamp on vmlinuz-2.4.18-k7 is Apr 14 2002 (pretty old) while the 2.4.18-1-k7 one is Apr 14 2004. Why is this 2.4.18-k7 kernel so old and buggy and still stated to be up to date?

It is up-to-date in terms of package versions, so there are no newer kernel-image-2.4.18-k7 packages.
[snip]

Best wishes
--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
Re: root compromise on debian woody
On Fri, May 27, 2005 at 05:59:08AM -0400, Charles Hallenbeck wrote:
> I am a newbie to Debian, a Slackware convert, but not a newbie otherwise. I compile my own kernels since I use a set of kernel patches to support a speech synthesizer on the console, called speakup. A precompiled 2.4.27 kernel package got me started with an installation disk, but I quickly got me a 2.6.11 source package, patched it for speech access, installed it on Sarge, and then went on a binge adding stuff to my system, like a kid in a candy store.
> I recently read the FAQ by the guy at Cornell (forgive me for not looking up your name) and was persuaded that it made sense for me to move on over to unstable rather than following Sarge to stable or staying with testing, and as I posted here, that upgrade went smooth as silk. But now I see I have put myself beyond the reach of the Debian security team, without a graceful way to go back. Oh well. I will just have to live on the edge and keep an eye out for problems. (okay, an ear!)
> Chuck

Hi Chuck,
Any time someone mentions 'speakup', it piques my interest to know how Linux is advancing towards better support for people with vision difficulties. Have you ever made a comparison between support in the OSes you have used? Do you have any articles documenting your experiences? I am working with a group trying to bring Free software to youth and while we have supported students who speak non-English languages -- Chinese, we have not had anyone with vision difficulties. It would be helpful to have someone who is using Debian comment upon this as that is what we use.

Thanks for your time and consideration,
Kev
--
counter.li.org #238656 -- goto counter.li.org and be counted!
Re: root compromise on debian woody
On 5/27/05, Alexei Chetroi [EMAIL PROTECTED] wrote:
> On Thu, May 26, 2005 at 09:01:37PM -0400, Selva Nair wrote:
>> Date: Thu, 26 May 2005 21:01:37 -0400
>> From: Selva Nair [EMAIL PROTECTED]
>> Subject: Re: root compromise on debian woody
<snip>
>> I built a new kernel from 2.4.30 sources and the exploit no longer works. Hope this one is safer.
>
> Which kernel did you use before on woody? Was it a vanilla kernel from kernel.org or a Debian one? Which version? IIRC 2.4.18 is supported by the security team for woody, so if the exploit works on Debian's 2.4.18 kernel it is bad.

I was running Debian 2.4.18-k7. Now I notice that there is another kernel image available for k7 -- kernel-image-2.4.18-1-k7. Just installed that one and the exploit doesn't work on it. So was I running an unsafe kernel?

apt-show-versions shows
kernel-image-2.4.18-k7/stable uptodate 2.4.18-5
kernel-image-2.4.18-1-k7/stable uptodate 2.4.18-13.1

The timestamp on vmlinuz-2.4.18-k7 is Apr 14 2002 (pretty old) while the 2.4.18-1-k7 one is Apr 14 2004. Why is this 2.4.18-k7 kernel so old and buggy and still stated to be up to date?

btw, strace on the bad guy binary shows it is repeatedly calling brk with an ever increasing offset and repeated SIGSEGVs until it succeeds in execve'ing /bin/sh as root. Possibly the brk system call integer overflow exploit that was fixed 2 years ago?!

Selva
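The two messages above (Alexei's explanation of the [security] package and Selva's apt-show-versions listing) make a point worth turning into a check: apt's "uptodate" means only that no newer version of that particular package exists, not that the package is still the one the security team patches. The script below is an added example for this thread, not code from any poster or from Debian. It takes the string `uname -r` prints and an apt-show-versions listing, maps the running kernel to its kernel-image package, and warns when a sibling package for the same upstream version (here the ABI-numbered 2.4.18-1-k7 beside the older 2.4.18-k7) carries a higher Debian revision. The listing is constructed from the two lines quoted in the thread; the assumption that the `uname -r` string equals the package name suffix holds for the stock woody images but not for self-built kernels.

```python
"""Is the running kernel the kernel-image package that actually receives security updates?

Added example for this thread (not code from any poster or from Debian). It
maps `uname -r` to a kernel-image package and flags a sibling package for the
same upstream version with a higher Debian revision, which in the thread is
the package the security updates went to.
"""

# Constructed from the two apt-show-versions lines quoted in the thread.
LISTING = """\
kernel-image-2.4.18-k7/stable uptodate 2.4.18-5
kernel-image-2.4.18-1-k7/stable uptodate 2.4.18-13.1
"""


def parse_listing(text):
    """'pkg/suite status version' lines (apt-show-versions output) -> {pkg: version}."""
    pkgs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and '/' in fields[0]:
            pkgs[fields[0].split('/', 1)[0]] = fields[2]
    return pkgs


def debian_revision(version):
    """'2.4.18-13.1' -> (13, 1), '2.4.18-5' -> (5,).

    Enough for the simple numeric revisions in the thread; for anything fancier
    (e.g. '13.1sarge1') shell out to `dpkg --compare-versions` instead."""
    rev = version.rsplit('-', 1)[1] if '-' in version else '0'
    return tuple(int(part) for part in rev.split('.') if part.isdigit())


def check_running_kernel(release, listing):
    """release is the `uname -r` string, e.g. '2.4.18-k7' (assumed to equal the
    Debian package suffix, which holds for the stock woody images)."""
    pkgs = parse_listing(listing)
    mine = 'kernel-image-' + release
    if mine not in pkgs:
        return {'package': mine, 'status': 'unknown', 'sibling': None}
    upstream = release.split('-', 1)[0]          # '2.4.18'
    prefix = 'kernel-image-' + upstream + '-'   # any flavour/ABI of that upstream
    my_rev = debian_revision(pkgs[mine])
    newer = [(p, v) for p, v in pkgs.items()
             if p != mine and p.startswith(prefix) and debian_revision(v) > my_rev]
    if not newer:
        return {'package': mine, 'status': 'ok', 'sibling': None}
    sib, ver = max(newer, key=lambda pv: debian_revision(pv[1]))
    return {'package': mine, 'status': 'stale', 'sibling': sib, 'sibling_version': ver}


if __name__ == '__main__':
    for rel in ('2.4.18-k7', '2.4.18-1-k7'):
        print(rel, check_running_kernel(rel, LISTING))
```

On a live box the same function takes `os.uname().release` and the stdout of `apt-show-versions` run with no arguments; a "stale" result means the kernel you are booted into is not the package that has been receiving revisions, which is exactly the situation Selva found himself in. The check is a heuristic: it cannot tell you which package the security team supports, only that a better-maintained sibling exists.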
Re: root compromise on debian woody
On Thu, May 26, 2005 at 09:01:37PM -0400, Selva Nair wrote:
> Date: Thu, 26 May 2005 21:01:37 -0400
> From: Selva Nair [EMAIL PROTECTED]
> Subject: Re: root compromise on debian woody
>
> On 5/26/05, Joey Hess [EMAIL PROTECTED] wrote:
>> Selva Nair wrote:
[snip]
>> Well to choose one security hole at random out of dozens to hundreds that remain unfixed in woody's kernels, this one allows anyone to go from a normal user account to root:
>> CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
>> - kernel-source-2.6.11 2.6.11 2.6.11-4
>> - kernel-source-2.6.8 2.6.8-16
>> - kernel-source-2.4.27 2.4.27-10
>
> I built a new kernel from 2.4.30 sources and the exploit no longer works. Hope this one is safer.

Which kernel did you use before on woody? Was it a vanilla kernel from kernel.org or a Debian one? Which version? IIRC 2.4.18 is supported by the security team for woody, so if the exploit works on Debian's 2.4.18 kernel it is bad.

Best wishes
--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
Re: root compromise on debian woody
kamaraju kusumanchi wrote:
> Thanks for sending the file. I tried it on sid and it is not giving any root access for an ordinary user. Guess it is a problem with woody or a particular kernel version then.

Strace it - what is it trying to do?
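The "strace it" suggestion above, and Selva's later report of what the trace showed (a storm of brk() calls with growing addresses, repeated SIGSEGV, then execve of /bin/sh as root), is the kind of thing worth scripting so the next unknown binary gets the same triage. The following is an added example for this thread, not code posted by anyone in it. It parses the text that `strace -f -o trace.txt ./suspect` writes and scores that exact sequence. The two traces embedded in it are constructed to illustrate the shape, not captured from the real binary; the line formats follow classic strace output, and the `getuid32` spelling is what a 2.4 x86 kernel shows. Run a recovered binary only inside a throwaway VM, never on the host you are investigating, and look at `file` and `strings` output first.

```python
"""Triage the strace output of an unknown binary for a brk()-storm privilege escalation.

Added example for this thread (not code posted by anyone in it). It parses
strace text and scores the pattern Selva reported: many brk() calls asking
for ever higher breaks, repeated SIGSEGV, and finally execve() of a shell
with uid 0. Run suspect binaries only in a disposable VM.
"""
import os
import re

# Constructed sample traces (not captured from the real binary).
SUSPECT_TRACE = """\
execve("./x", ["./x"], [/* 12 vars */]) = 0
brk(0)                                  = 0x8049000
brk(0x1000000)                          = 0x1000000
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
brk(0x2000000)                          = 0x2000000
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
brk(0x3000000)                          = 0x3000000
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
brk(0xc0000000)                         = 0xc0000000
getuid32()                              = 0
execve("/bin/sh", ["/bin/sh"], [/* 12 vars */]) = 0
"""

BENIGN_TRACE = """\
execve("/bin/ls", ["ls"], [/* 12 vars */]) = 0
brk(0)                                  = 0x8049000
brk(0x804a000)                          = 0x804a000
open(".", O_RDONLY|O_DIRECTORY)         = 3
exit_group(0)                           = ?
"""

PID = r'^(?:\[pid\s+\d+\]\s+)?'   # prefix strace -f adds to each line
BRK_RE = re.compile(PID + r'brk\((0x[0-9a-fA-F]+|\d+)\)\s*=\s*(-?\w+)')
SIG_RE = re.compile(PID + r'--- (SIG\w+)')
EXECVE_RE = re.compile(PID + r'execve\("([^"]+)"')
UID_RE = re.compile(PID + r'(getuid|geteuid|setuid|setresuid|setreuid)(?:32)?\(([^)]*)\)\s*=\s*(-?\d+)')


def parse_trace(text):
    """Collect brk() arguments, SIGSEGV count, post-launch execve targets and uid-0 evidence.
    Lines strace splits as '<unfinished ...>' / 'resumed' are not handled."""
    brk_args, segv, execs, root = [], 0, [], []
    for line in text.splitlines():
        m = BRK_RE.match(line)
        if m:
            brk_args.append(int(m.group(1), 0))
            continue
        m = SIG_RE.match(line)
        if m:
            if m.group(1) == 'SIGSEGV':
                segv += 1
            continue
        m = EXECVE_RE.match(line)
        if m:
            execs.append(m.group(1))
            continue
        m = UID_RE.match(line)
        if m:
            call, args, ret = m.groups()
            # getuid() == 0, or a successful setuid-family call asking for uid 0
            if ret == '0' and (call.startswith('get') or args.split(',')[0].strip() == '0'):
                root.append(line.strip())
    # the first execve is strace launching the suspect itself; later ones are what it spawned
    return {'brk_args': brk_args, 'segv': segv, 'spawned': execs[1:], 'root_evidence': root}


def brk_monotonic_growth(args, min_probes=3):
    """True when the non-query brk() calls (argument != 0) keep asking for strictly higher breaks."""
    probes = [a for a in args if a != 0]
    return len(probes) >= min_probes and all(b > a for a, b in zip(probes, probes[1:]))


def triage(text):
    """Score a trace; three or more of the four indicators together is reported as suspicious."""
    t = parse_trace(text)
    indicators = {
        'brk_storm': brk_monotonic_growth(t['brk_args']),
        'repeated_segv': t['segv'] >= 2,
        'spawns_shell': any(os.path.basename(p) in ('sh', 'bash', 'dash') for p in t['spawned']),
        'root_evidence': bool(t['root_evidence']),
    }
    indicators['segv'] = t['segv']
    indicators['suspicious'] = sum(v for k, v in indicators.items() if k != 'segv') >= 3
    return indicators


if __name__ == '__main__':
    for name, trace in (('suspect', SUSPECT_TRACE), ('benign', BENIGN_TRACE)):
        print(name, triage(trace))
```

The scoring is deliberately crude: a legitimate allocator also calls brk() with growing arguments, and a crashing program also raises SIGSEGV, so no single indicator is damning; it is the combination, ending in a shell with uid 0, that Selva saw. A trace that scores high tells you which kernel interface to look at (here the brk() path, which on an unpatched 2.4.18 is the do_brk() bounds bug Selva guessed at) and is worth attaching to a bug report together with `uname -a` and the exact kernel-image package version.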
Re: root compromise on debian woody
I am a newbie to Debian, a Slackware convert, but not a newbie otherwise. I compile my own kernels since I use a set of kernel patches to support a speech synthesizer on the console, called speakup. A precompiled 2.4.27 kernel package got me started with an installation disk, but I quickly got me a 2.6.11 source package, patched it for speech access, installed it on Sarge, and then went on a binge adding stuff to my system, like a kid in a candy store.

I recently read the FAQ by the guy at Cornell (forgive me for not looking up your name) and was persuaded that it made sense for me to move on over to unstable rather than following Sarge to stable or staying with testing, and as I posted here, that upgrade went smooth as silk. But now I see I have put myself beyond the reach of the Debian security team, without a graceful way to go back. Oh well. I will just have to live on the edge and keep an eye out for problems. (okay, an ear!)

Chuck

On Fri, 27 May 2005, Robert Vangel wrote:
> Roberto C. Sanchez wrote:
>> As long as you make a conscious decision to do this. Unfortunately, many people go out and grab some package from the upstream site and then think that the security updates will roll in along with all the other apt-get stuff. They won't, but then you understand that.
>> Personally, I roll my own kernel, but I choose the Debian kernel-source-* packages for that. Then I don't need to remember to personally keep such close track of the security vulnerabilities. I still track them, but I realize that when fixes become available, I will see them in the new kernel-source packages that come down.
>> -Roberto
>
> I had considered doing this, but decided there are still things in the kernel-source package that I am just not ever going to need and I would rather include *just* those that I require.
> Btw, I use this procedure on machines like servers where I really need to make sure I know what's going on with them. On my desktop I just use Ubuntu's packages.

--
The Moon is Waning Gibbous (83% of Full)
But you can still get downloads from http://www.mhcable.com/~chuckh
Re: root compromise on debian woody
On Fri, 27 May 2005, Charles Hallenbeck wrote:
> Oh well. I will just have to live on the edge and keep an eye out for problems. (okay, an ear!)

and keep a free finger floating around too :-)

always best to be on the leading edge with new problems than to be on the trailing edge with known problems that have already been fixed ??

c ya
alvin
Re: root compromise on debian woody
On Thu, May 26, 2005 at 07:55:50PM -0700, Alvin Oga wrote:
> On Thu, 26 May 2005, Roberto C. Sanchez wrote:
>> On Thu, May 26, 2005 at 06:41:18PM -0700, Alvin Oga wrote:
>>> CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
>>> - kernel-source-2.6.11 2.6.11 2.6.11-4
>>> - kernel-source-2.6.8 2.6.8-16
>>> - kernel-source-2.4.27 2.4.27-10
>>>
>>> always use the latest kernel ... from kernel.org ... and similarly with other important binaries from their respective originating site
>>> mta, apache, kernel, glib, make/gcc, bash, endless list
>>
>> Sorry, but that is horrible advice. For every app you get directly from upstream, you become directly responsible for supporting security issues. I understand that even if you use the Debian packages, you are still ultimately responsible. Not only that, but the Debian Security Team does an excellent job given the resources and situation. Woody has versions of software that were no longer supported upstream when Woody shipped. That makes security support really difficult, but that doesn't mean that someone should run out and install everything from source. That sort of defeats the purpose of a distro.
>
> sounds like all the same identical arguments can also be used for using the originating sources instead of *.deb and the lag time between patches is up to the debian security team or *you/me* ... one's preference to depend on *.debs should NOT make it better or worse than using *.tgz files released from the original sources
>
> i prefer to have tighter and finer controls than depend on old packages

I agree. None of the packages in Woody are up to date unless you count up-to-dateness as within five years of the last released version. I can tolerate the Debian environment, but when they can't decide whether or not to actually release Sarge, and keep touting Woody as stable when even a fully-updated Woody still has a crappy kernel* ... I start thinking about de-racking my server, backing it up, and going BSD.

*: Linux LOVES to swap. I swap all the time on my 1.8ghz Athlon XP with 1GB ram. However, my NetBSD machine with the same amount of ram running at the same frequency NEVER swaps, due to the ability to tune the VM, and the better VM (UVM) in general. The NetBSD server almost always has at least twice if not three times as much going on (+ KDE3.4) than the Linux machine. Yet still never swaps or lags. Wish I could say that for Debian Woody, but I can't.
Re: root compromise on debian woody
On Fri, 27 May 2005, Roberto C. Sanchez wrote:
> Chuck,
> Please be sure and don't top post. It is considered bad list etiquette :-)

Sorry. My bad etiquette was not deleting the prior pieces of the thread.

> If you are running a regular desktop, chances are that:
> 1) You are behind a firewall/router of some sort.
> 2) You are not really using it in a multiuser environment (i.e., giving out accounts to random people you don't know).
> 3) Are able to inconvenience yourself/your limited users (e.g., family) if necessary.

Exactly my circumstances.

> The people that really need to worry are those that are trying to run a web hosting business with Sid servers. There you would need a full time person to stay on top of security updates. However, with Sid it is not usually so bad since the maintainers usually upload the security updates in a fairly reasonable time frame.
> -Roberto

I appreciate your comments.

Chuck

--
The Moon is Waning Gibbous (82% of Full)
But you can still get downloads from http://www.mhcable.com/~chuckh
Re: root compromise on debian woody
On Fri, May 27, 2005 at 05:59:08AM -0400, Charles Hallenbeck wrote:
> I am a newbie to Debian, a Slackware convert, but not a newbie otherwise. I compile my own kernels since I use a set of kernel patches to support a speech synthesizer on the console, called speakup. A precompiled 2.4.27 kernel package got me started with an installation disk, but I quickly got me a 2.6.11 source package, patched it for speech access, installed it on Sarge, and then went on a binge adding stuff to my system, like a kid in a candy store.
> I recently read the FAQ by the guy at Cornell (forgive me for not looking up your name) and was persuaded that it made sense for me to move on over to unstable rather than following Sarge to stable or staying with testing, and as I posted here, that upgrade went smooth as silk. But now I see I have put myself beyond the reach of the Debian security team, without a graceful way to go back. Oh well. I will just have to live on the edge and keep an eye out for problems. (okay, an ear!)

Chuck,

Please be sure and don't top post. It is considered bad list etiquette :-)

If you are running a regular desktop, chances are that:
1) You are behind a firewall/router of some sort.
2) You are not really using it in a multiuser environment (i.e., giving out accounts to random people you don't know).
3) Are able to inconvenience yourself/your limited users (e.g., family) if necessary.

The people that really need to worry are those that are trying to run a web hosting business with Sid servers. There you would need a full time person to stay on top of security updates. However, with Sid it is not usually so bad since the maintainers usually upload the security updates in a fairly reasonable time frame.

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: root compromise on debian woody
Joey Hess said:
> Well to choose one security hole at random out of dozens to hundreds that remain unfixed in woody's kernels, this one allows anyone to go from a normal user account to root:
> CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> - kernel-source-2.6.11 2.6.11 2.6.11-4
> - kernel-source-2.6.8 2.6.8-16
> - kernel-source-2.4.27 2.4.27-10

I'm a little confused on this. First, I don't see that 2.6.x or 2.4.27 is available in woody - at least from the debian.org packages page for woody. Also, are we saying that the stable (woody) debian is full of security holes? Aren't kernel 'sploits fixed in security updates? I may just not be reading correctly.

--
/phil
Re: root compromise on debian woody
On Fri, May 27, 2005 at 07:00:56AM -0400, Sean Davis wrote:
> *: Linux LOVES to swap. I swap all the time on my 1.8ghz Athlon XP with 1GB ram. However, my NetBSD machine with the same amount of ram running at the same frequency NEVER swaps, due to the ability to tune the VM, and the better VM (UVM) in general. The NetBSD server almost always has at least twice if not three times as much going on (+ KDE3.4) than the Linux machine. Yet still never swaps or lags. Wish I could say that for Debian Woody, but I can't.

Linux swaps aggressively, even when unnecessary in the short term, on purpose, so RAM containing the swapped data or executable is available if a new task arises. If the swapped stuff is called for, it's used from RAM and no time is lost.

--
Carl Fink [EMAIL PROTECTED]
If you attempt to fix something that isn't broken, it will be. -Bruce Tognazzini
Re: root compromise on debian woody
Sean Davis wrote:
> I can tolerate the Debian environment, but when they can't decide whether or not to actually release Sarge

Well the RC bug count is still > 0, but it has dropped nearly 2/3 since the last BTS, from ~90 to ~30.
Re: root compromise on debian woody
On Fri, May 27, 2005 at 10:43:11AM -0400, Carl Fink wrote:
> On Fri, May 27, 2005 at 07:00:56AM -0400, Sean Davis wrote:
>> *: Linux LOVES to swap. I swap all the time on my 1.8ghz Athlon XP with 1GB ram. However, my NetBSD machine with the same amount of ram running at the same frequency NEVER swaps, due to the ability to tune the VM, and the better VM (UVM) in general. The NetBSD server almost always has at least twice if not three times as much going on (+ KDE3.4) than the Linux machine. Yet still never swaps or lags. Wish I could say that for Debian Woody, but I can't.
>
> Linux swaps aggressively, even when unnecessary in the short term, on purpose, so RAM containing the swapped data or executable is available if a new task arises. If the swapped stuff is called for, it's used from RAM and no time is lost.

no time is lost... you have infinite-transfer-speed zero-latency drives, or what? I can't be the only one who's noticed that when machines start swapping, they start getting slower. Or the only one to connect the two, for that matter.

If there is enough RAM for the current workload, there is no reason to swap. Period. Swapping when it's not needed is a ridiculous waste of CPU time and disk I/O. If I understand your argument correctly, an accurate analogy would be leaving your car running 24/7 just so that you don't have to start it the next time you want to drive somewhere. Would you do that? no.

-Sean
Re: root compromise on debian woody
Incoming from Sean Davis:
> disk I/O. If I understand your argument correctly, an accurate analogy would be leaving your car running 24/7 just so that you don't have to start it the next time you want to drive somewhere. Would you do that? no.

I'm not sure how relevant it is, but this is how many electronic devices work these days. They're always drawing power, whether "on" or "off", so that they may be called "instant on". Granted, electricity is quite a bit less expensive than gasoline.

For a server performing background tasks that aren't time critical, swap makes lots of sense. For a personal system with a human being (who can only afford to waste limited amounts of time) sitting in front of it, swap is at best a safety feature. If the latter's swapping, he needs more RAM.

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling  Please don't Cc: me.
Re: root compromise on debian woody
Phil Dyer wrote:
> Joey Hess said:
>> Well to choose one security hole at random out of dozens to hundreds that remain unfixed in woody's kernels, this one allows anyone to go from a normal user account to root:
>> CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
>> - kernel-source-2.6.11 2.6.11 2.6.11-4
>> - kernel-source-2.6.8 2.6.8-16
>> - kernel-source-2.4.27 2.4.27-10
>
> I'm a little confused on this. First, I don't see that 2.6.x or 2.4.27 is available in woody - at least from the debian.org packages page for woody.

The listed kernel versions are for the debian kernel packages in unstable (but targeted at sarge) that fix the particular hole I used as an example.

--
see shy jo
Re: root compromise on debian woody
On Friday May 27 2005 9:50 am, Sean Davis wrote:
> On Fri, May 27, 2005 at 10:43:11AM -0400, Carl Fink wrote:
>> On Fri, May 27, 2005 at 07:00:56AM -0400, Sean Davis wrote:
>>> *: Linux LOVES to swap. I swap all the time on my 1.8ghz Athlon XP with 1GB ram. However, my NetBSD machine with the same amount of ram running at the same frequency NEVER swaps, due to the ability to tune the VM, and the better VM (UVM) in general. The NetBSD server almost always has at least twice if not three times as much going on (+ KDE3.4) than the Linux machine. Yet still never swaps or lags. Wish I could say that for Debian Woody, but I can't.
>>
>> Linux swaps aggressively, even when unnecessary in the short term, on purpose, so RAM containing the swapped data or executable is available if a new task arises. If the swapped stuff is called for, it's used from RAM and no time is lost.
>
> no time is lost... you have infinite-transfer-speed zero-latency drives, or what? I can't be the only one who's noticed that when machines start swapping, they start getting slower. Or the only one to connect the two, for that matter.

He's talking about the swap *out* there. Swapping in is where you see the slowdown. Linux tries to swap out as pre-emptively and aggressively as possible so if you need more cache or a program needs more space in-core.

> If there is enough RAM for the current workload, there is no reason to swap. Period. Swapping when it's not needed is a ridiculous waste of CPU time and disk I/O. If I understand your argument correctly, an accurate analogy would be leaving your car running 24/7 just so that you don't have to start it the next time you want to drive somewhere. Would you do that? no.

I would leave it on 24/7 if it were an easy to physically secure, 12vDC device with a relatively constant power supply. You know, like a hard drive? 8:o) Mechanical devices of any type *DO NOT* like to start moving from a standstill, it's one of the most physically stressful things a machine can do.

--
Paul Johnson
Email and Instant Messenger (Jabber): [EMAIL PROTECTED]
http://ursine.ca/~baloo/
root compromise on debian woody
Hi all,

One of my machines running debian woody (up to date with all security updates) was broken into yesterday. The attacker gained normal user access, possibly by cracking a weak password, and then managed to get a root shell, install a rootkit etc... Looking through evidence left behind (bash_history etc..) I have figured out that the privilege escalation was achieved using an executable that the attacker downloaded from the net. I have verified that this binary is indeed capable of giving a root shell to any user and it works on two test systems I tried -- one woody and one redhat 7.2.

I have taken the system off the net and am in the process of re-installing but the existence of such an easy to use and effective privilege escalation kit is quite disturbing. As I only have access to the binary left behind by the attacker I'm pretty clueless as to how the exploit works. Although pretty well familiar with Linux and having run servers for several years, this is the first time facing a root exploit, so I'm rather clueless as to what to do. Any advice would be highly appreciated.

Thanks,
Selva Nair
Re: root compromise on debian woody
Selva Nair wrote:
> Hi all,
> One of my machines running debian woody (up to date with all security updates) was broken into yesterday. The attacker gained normal user access, possibly by cracking a weak password, and then managed to get a root shell, install a rootkit etc... Looking through evidence left behind (bash_history etc..) I have figured out that the privilege escalation was achieved using an executable that the attacker downloaded from the net. I have verified that this binary is indeed capable of giving a root shell to any user and it works on two test systems I tried -- one woody and one redhat 7.2.

Could you please give the link to this binary? I run a couple of debian machines and am quite intimidated by your email. I want to cross check what you have been proposing. If the problem is reproducible, then I guess the security team would be happy to give us a security update.

raju
Re: root compromise on debian woody
On Thu, 2005-05-26 at 17:16 -0400, kamaraju kusumanchi wrote:
> Selva Nair wrote:
>> Hi all,
>> One of my machines running debian woody (up to date with all security updates) was broken into yesterday. The attacker gained normal user access, possibly by cracking a weak password, and then managed to get a root shell, install a rootkit etc... Looking through evidence left behind (bash_history etc..) I have figured out that the privilege escalation was achieved using an executable that the attacker downloaded from the net. I have verified that this binary is indeed capable of giving a root shell to any user and it works on two test systems I tried -- one woody and one redhat 7.2.

oh please send me a binary that promises to compromise my system *cough*
Re: root compromise on debian woody
Selva Nair wrote:
> One of my machines running debian woody (up to date with all security updates) was broken into yesterday. The attacker gained normal user access, possibly by cracking a weak password, and then managed to get a root shell, install a rootkit etc... Looking through evidence left behind (bash_history etc..) I have figured out that the privilege escalation was achieved using an executable that the attacker downloaded from the net. I have verified that this binary is indeed capable of giving a root shell to any user and it works on two test systems I tried -- one woody and one redhat 7.2.
>
> I have taken the system off the net and am in the process of re-installing but the existence of such an easy to use and effective privilege escalation kit is quite disturbing. As I only have access to the binary left behind by the attacker I'm pretty clueless as to how the exploit works. Although pretty well familiar with Linux and having run servers for several years, this is the first time facing a root exploit, so I'm rather clueless as to what to do. Any advice would be highly appreciated.

Well to choose one security hole at random out of dozens to hundreds that remain unfixed in woody's kernels, this one allows anyone to go from a normal user account to root:

CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
- kernel-source-2.6.11 2.6.11 2.6.11-4
- kernel-source-2.6.8 2.6.8-16
- kernel-source-2.4.27 2.4.27-10

--
see shy jo
Re: root compromise on debian woody
On 5/26/05, Joey Hess [EMAIL PROTECTED] wrote:
> Selva Nair wrote:
>> I have taken the system off the net and am in the process of re-installing but the existence of such an easy to use and effective privilege escalation kit is quite disturbing. As I only have access to the binary left behind by the attacker I'm pretty clueless as to how the exploit works. Although pretty well familiar with Linux and having run servers for several years, this is the first time facing a root exploit, so I'm rather clueless as to what to do. Any advice would be highly appreciated.
>
> Well to choose one security hole at random out of dozens to hundreds that remain unfixed in woody's kernels, this one allows anyone to go from a normal user account to root:
> CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> - kernel-source-2.6.11 2.6.11 2.6.11-4
> - kernel-source-2.6.8 2.6.8-16
> - kernel-source-2.4.27 2.4.27-10

So which kernel version would you recommend?

Selva
Re: root compromise on debian woody
On 5/26/05, Joey Hess [EMAIL PROTECTED] wrote:
> Selva Nair wrote:
>> Looking through evidence left behind (bash_history etc..) I have figured out that the privilege escalation was achieved using an executable that the attacker downloaded from the net. I have verified that this binary is indeed capable of giving a root shell to any user and it works on two test systems I tried -- one woody and one redhat 7.2.
>
> Well to choose one security hole at random out of dozens to hundreds that remain unfixed in woody's kernels, this one allows anyone to go from a normal user account to root:
> CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> - kernel-source-2.6.11 2.6.11 2.6.11-4
> - kernel-source-2.6.8 2.6.8-16
> - kernel-source-2.4.27 2.4.27-10

I built a new kernel from 2.4.30 sources and the exploit no longer works. Hope this one is safer.

Selva
Re: root compromise on debian woody
On Thu, 26 May 2005, Selva Nair wrote:

> On 5/26/05, Joey Hess [EMAIL PROTECTED] wrote:
>
> > Selva Nair wrote:
> >
> > > I have taken the system off the net and am in the process of re-installing, but the existence of such an easy to use and effective privilege escalation kit is quite disturbing. As I only have access to the binary left behind by the attacker I'm pretty clueless as to how the exploit works. Although I am pretty well familiar with Linux and have been running servers for several years, this is the first time I am facing a root exploit, so I'm rather clueless as to what to do. Any advice would be highly appreciated.

the problem is not the existence of a program that allows anybody to become root, but, the real problem is preventing any arbitrary person or program from gaining access to the machine

- allow only certain ip# to log into your servers and everybody should not have an acct on those servers

> > CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> > - kernel-source-2.6.11 2.6.11 2.6.11-4
> > - kernel-source-2.6.8 2.6.8-16
> > - kernel-source-2.4.27 2.4.27-10

always use the latest kernel ... from kernel.org ... and similarly with other important binaries from their respective originating site: mta, apache, kernel, glib, make/gcc, bash, endless list

and watch out for the new dog that will bite because it's the newest and latest sources ( with unknown bugs ) vs the old dog ( older versions with known exploits )

roll the dice ... old bugs ... or new bugs .. snake eyes

c ya
alvin
Re: root compromise on debian woody
On Thu, May 26, 2005 at 06:41:18PM -0700, Alvin Oga wrote:

> > CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> > - kernel-source-2.6.11 2.6.11 2.6.11-4
> > - kernel-source-2.6.8 2.6.8-16
> > - kernel-source-2.4.27 2.4.27-10
>
> always use the latest kernel ... from kernel.org ... and similarly with other important binaries from their respective originating site: mta, apache, kernel, glib, make/gcc, bash, endless list

Sorry, but that is horrible advice. For every app you get directly from upstream, you become directly responsible for supporting security issues. I understand that even if you use the Debian packages, you are still ultimately responsible. Not only that, but the Debian Security Team does an excellent job given the resources and situation. Woody has versions of software that were no longer supported upstream when Woody shipped. That makes security support really difficult, but that doesn't mean that someone should run out and install everything from source. That sort of defeats the purpose of a distro.

As far as the kernel, even Linus Torvalds himself, IIRC, has stated that running kernels from kernel.org is not a good idea unless, 1) you are testing the kernel and/or developing on it, or 2) you are absolutely 100% certain that you know exactly what you are doing and the ramifications of that. Don't forget that on many occasions the release versions of the kernel have had security vulnerabilities in them that are only fixed in daily snapshots and won't become officially available until the next release.

Add to that the fact that the kernel developers *do not* provide proper security support. That is, if kernel x.y.z runs perfectly for you and CAN-xyzw comes out, they will fix it in the next release, which may or may not work for you. That leaves you with three choices: 1) continue to run the vulnerable kernel, 2) upgrade to the new kernel and pray it doesn't break, 3) backport the security fix yourself. It's a lot of work either way, unless that is your full time job.

That is why the Debian Security Team (and the respective teams for the other distros) spend lots of time backporting kernel security fixes with minimal disturbance to the rest of the kernel code.

-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: root compromise on debian woody
Roberto C. Sanchez wrote:

> As far as the kernel, even Linus Torvalds himself, IIRC, has stated that running kernels from kernel.org is not a good idea unless, 1) you are testing the kernel and/or developing on it, or 2) you are absolutely 100% certain that you know exactly what you are doing and the ramifications of that. Don't forget that on many occasions the release versions of the kernel have had security vulnerabilities in them that are only fixed in daily snapshots and won't become officially available until the next release.

I take a vanilla, then apply the debian patches I want, then do it myself. I choose to do this because it means I can take everything I am not going to need out of it.
Re: root compromise on debian woody
On Fri, May 27, 2005 at 10:54:02AM +0800, Robert Vangel wrote:

> Roberto C. Sanchez wrote:
>
> > As far as the kernel, even Linus Torvalds himself, IIRC, has stated that running kernels from kernel.org is not a good idea unless, 1) you are testing the kernel and/or developing on it, or 2) you are absolutely 100% certain that you know exactly what you are doing and the ramifications of that. Don't forget that on many occasions the release versions of the kernel have had security vulnerabilities in them that are only fixed in daily snapshots and won't become officially available until the next release.
>
> I take a vanilla, then apply the debian patches I want, then do it myself. I choose to do this because it means I can take everything I am not going to need out of it.

As long as you make a conscious decision to do this. Unfortunately, many people go out and grab some package from the upstream site and then think that the security updates will roll in along with all the other apt-get stuff. They won't, but then you understand that.

Personally, I roll my own kernel, but I choose the Debian kernel-source-* packages for that. Then I don't need to remember to personally keep such close track of the security vulnerabilities. I still track them, but I realize that when fixes become available, I will see them in the new kernel-source packages that come down.

-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: root compromise on debian woody
Roberto C. Sanchez wrote:

> As long as you make a conscious decision to do this. Unfortunately, many people go out and grab some package from the upstream site and then think that the security updates will roll in along with all the other apt-get stuff. They won't, but then you understand that.
>
> Personally, I roll my own kernel, but I choose the Debian kernel-source-* packages for that. Then I don't need to remember to personally keep such close track of the security vulnerabilities. I still track them, but I realize that when fixes become available, I will see them in the new kernel-source packages that come down.
>
> -Roberto

I had considered doing this, but decided there are still things in the kernel-source package that I am just not ever going to need and I would rather include *just* those that I require.

Btw, I use this procedure on machines like servers where I really need to make sure I know what's going on with them. On my desktop I just use Ubuntu's packages.
Re: root compromise on debian woody
On Thu, 26 May 2005, Roberto C. Sanchez wrote:

> On Thu, May 26, 2005 at 06:41:18PM -0700, Alvin Oga wrote:
>
> > > CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> > > - kernel-source-2.6.11 2.6.11 2.6.11-4
> > > - kernel-source-2.6.8 2.6.8-16
> > > - kernel-source-2.4.27 2.4.27-10
> >
> > always use the latest kernel ... from kernel.org ... and similarly with other important binaries from their respective originating site: mta, apache, kernel, glib, make/gcc, bash, endless list
>
> Sorry, but that is horrible advice. For every app you get directly from upstream, you become directly responsible for supporting security issues. I understand that even if you use the Debian packages, you are still ultimately responsible. Not only that, but the Debian Security Team does an excellent job given the resources and situation. Woody has versions of software that were no longer supported upstream when Woody shipped. That makes security support really difficult, but that doesn't mean that someone should run out and install everything from source. That sort of defeats the purpose of a distro.

sounds like all the same identical arguments can also be used for using the originating sources instead of *.deb

and the lag time between patches is up to the debian security team or *you/me* ... one's preference to depend on *.debs should NOT make it better or worse than using *.tgz files released from the original sources

i prefer to have tighter and finer controls than depend on old packages

and as the original poster noted ... the original problem he had has been fixed by the latest/greatest kernel ( *.30 ) which has been out for almost 2 months ( 2 months to wait for updates and security patches is too long for me )

c ya
alvin
Re: root compromise on debian woody
Selva Nair wrote:

> Hi michael, raju:
>
> On 5/26/05, michael [EMAIL PROTECTED] wrote:
>
> > On Thu, 2005-05-26 at 17:16 -0400, kamaraju kusumanchi wrote:
> >
> > > Selva Nair wrote:
> > >
> > > > Looking through evidence left behind (bash_history etc.) I have figured out that the privilege escalation was achieved using an executable that the attacker downloaded from the net. I have verified that this binary is indeed capable of giving a root shell to any user and it works on two test systems I tried -- one woody and one redhat 7.2.
> > >
> > > oh please send me a binary that promises to compromise my system
>
> Sure you can have it! I didn't want to post graphic details nor the binary to the list as I only have the binary and no clue. You can download the thingy from http://www.geocities.com/eas2lv/temp/ -- download knl.uuencoded.html to disk and uudecode it to get the binary named knl.
>
> I have no idea what all it does other than opening a root shell, so be careful not to try it on any critical systems. strace did not show any potentially damaging system calls, but YMMV. Please do let me know anything that you find.
>
> Thanks,
> Selva

Thanks for sending the file. I tried it on sid and it is not giving any root access for an ordinary user. Guess it is a problem with woody or a particular kernel version then.

$ uname -a
Linux deluxe 2.6.9-1-686 #1 Thu Nov 25 03:48:29 EST 2004 i686 GNU/Linux
$ ./knl
[-] Unable to determine kernel address: Operation not supported