On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote:
of proportion... Some things in security _have_ to be obscure. Your
password, for example. Or the primes used to generate your PGP private
There's a difference between 'obscure' and 'secret'.
This is true.
All you gain by
On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote:
of proportion... Some things in security _have_ to be obscure. Your
password, for example. Or the primes used to generate your PGP private
There's a difference between 'obscure' and 'secret'.
In this context, I'd suggest that
On Tue, Apr 01, 2003 at 09:43:38PM +0200, Dariush Pietrzak wrote:
One reason is security:
it's relatively easy for an intruder to install a kernel module based
rootkit, and then hide her processes, files or connections.
isn't it security-by-obscurity?
No, that's stretching the definition
of proportion... Some things in security _have_ to be obscure. Your
password, for example. Or the primes used to generate your PGP private
There's a difference between 'obscure' and 'secret'.
All you gain by removing kernel-loading capability from your kernel is to
force cracker to search
Maurizio Lemmo - Tannoiser wrote:
On Monday 31 March 2003, at 16:02, DouRiX wrote:
Does someone know where is debian about this issue ?
http://lwn.net/Articles/25669/
I've noticed that there is a kernel 2.4.20 with ptrace patch included, in
proposed-update.
For my purpose, I've backported that
but isn't there a trick to surpass the bug while waiting for debian
updates ?
What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.
echo unexisting_binary > /proc/sys/kernel/modprobe
Can we trust this solution ?
What's the effect ?
It seems to work fine, and to block the
* Quoting Marc Demlenne ([EMAIL PROTECTED]):
echo unexisting_binary > /proc/sys/kernel/modprobe
Can we trust this solution ?
What's the effect ?
You can't dynamically load and unload modules
anymore. If you load all the modules you need
before doing it, you're fine.
It seems to work
On Tue, Apr 01, 2003 at 02:06:12PM +0200, Marc Demlenne wrote:
but isn't there a trick to surpass the bug while waiting for debian
updates ?
What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.
echo unexisting_binary > /proc/sys/kernel/modprobe
Can we trust this
On Tuesday 01 April 2003, at 14:20, DouRiX wrote:
but isn't there a trick to surpass the bug while waiting for debian
updates ?
Actually, yes.
But I'm not really sure if it's a good workaround. Anyway:
if you disable automatic loading module (a kernel feature), you may
ignore this
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: Marc Demlenne [EMAIL PROTECTED]
Cc: DouRiX [EMAIL PROTECTED]; Lutz Kittler
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, April 01, 2003 2:04 PM
Subject: Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2
On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
In a server environment, where there is no need to load modules at run-time,
could be a usable workaround, but, in a workstation machine, I don't
think that's a great idea.
In a server environment it is preferable not to
On Tue, Apr 01, 2003 at 02:40:44PM +0100, David Ramsden wrote:
echo unexisting_binary > /proc/sys/kernel/modprobe
Can we trust this solution ?
NO, it does not prevent the exploit.
It does prevent the km3.c example exploit but not e.g.
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: David Ramsden [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 01, 2003 4:48 PM
Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace
vulnerability in 2.2 and 2.4 kernels]
[snip]
Can
On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
In a server environment, where there is no need to load modules at run-time,
could be a usable workaround, but, in a workstation machine, I don't
think that's a
* Marcin Owsiany ([EMAIL PROTECTED]) wrote:
On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
In a server environment, where there is no need to load modules at run-time,
could be a usable workaround, but, in
On Tue, Apr 01, 2003 at 05:46:46PM +0100, David Ramsden wrote:
I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't
been patched. I can echo '/sbin/modprobe' > /proc/sys/kernel/modprobe and
try the above and I'll get a root prompt first time.
Ok, I have to admit, that
Hi,
David Barroso wrote:
* Marcin Owsiany ([EMAIL PROTECTED]) wrote:
On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
In a server environment, where there is no need to load modules at run-time,
On Tue, 01 Apr 2003 at 07:49:29PM +0200, David Barroso wrote:
One reason is security:
it's relatively easy for an intruder to install a kernel module based
rootkit, and then hide her processes, files or connections.
Ahh, yea.
Assuming an intruder made his way in with root privs couldn't
* Dariush Pietrzak ([EMAIL PROTECTED]) wrote:
One reason is security:
it's relatively easy for an intruder to install a kernel module based
rootkit, and then hide her processes, files or connections.
isn't it security-by-obscurity?
Determined hacker can still relatively easily insert code
On Tue, 01 Apr 2003 13:57:10 EST, Phillip Hofmeister writes:
Assuming an intruder made his way in with root privs couldn't he also
modify /dev/kmem or directly access the kernel memory by some other
means? I believe this topic has also been discussed in the past (dig
deep into the archives) and
On Tue, Apr 01, 2003 at 01:57:10PM -0500, Phillip Hofmeister wrote:
Assuming an intruder made his way in with root privs couldn't he also
modify /dev/kmem or directly access the kernel memory by some other
means? I believe this topic has also been discussed in the past (dig
deep into the
On Tue, Apr 01, 2003 at 09:43:38PM +0200, Dariush Pietrzak wrote:
One reason is security:
it's relatively easy for an intruder to install a kernel module based
rootkit, and then hide her processes, files or connections.
isn't it security-by-obscurity?
No, that's stretching the definition
but isn't there a trick to surpass the bug while waiting for debian
updates ?
or won't be there a 2.4.18 update ? :)
You can disable autoloading for kernel modules:
echo x > /proc/sys/kernel/modprobe .
lutz
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: Marc Demlenne [EMAIL PROTECTED]
Cc: DouRiX [EMAIL PROTECTED]; Lutz Kittler
[EMAIL PROTECTED]; debian-security@lists.debian.org
Sent: Tuesday, April 01, 2003 2:04 PM
Subject: Re: [d-security] Re: [Fwd: Re: LWN: Ptrace
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: David Ramsden [EMAIL PROTECTED]
Cc: debian-security@lists.debian.org
Sent: Tuesday, April 01, 2003 4:48 PM
Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace
vulnerability in 2.2 and 2.4 kernels]
[snip
Hi,
David Barroso wrote:
* Marcin Owsiany ([EMAIL PROTECTED]) wrote:
On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
In a server environment, where there is no need to load modules at run-time,
One reason is security:
it's relatively easy for an intruder to install a kernel module based
rootkit, and then hide her processes, files or connections.
isn't it security-by-obscurity?
Determined hacker can still relatively easily insert code into kernel
(vide Phrack magazine articles)
--
Maurizio Lemmo - Tannoiser wrote:
On Monday 31 March 2003, at 16:02, DouRiX wrote:
Does someone know where is debian about this issue ?
http://lwn.net/Articles/25669/
I've noticed that there is a kernel 2.4.20 with ptrace patch included, in
proposed-update.
For my purpose, I've backported
Hi everybody,
Does someone know where is debian about this issue ?
http://lwn.net/Articles/25669/
I see that there is already an update but only for mips
(http://www.debian.org/security/2003/dsa-270), do you know why ?
Thanks in advance,
--
DouRiX
[Don't fear, Just play the
On Monday 31 March 2003, at 16:02, DouRiX wrote:
Does someone know where is debian about this issue ?
http://lwn.net/Articles/25669/
I've noticed that there is a kernel 2.4.20 with ptrace patch included, in
proposed-update.
For my purpose, I've backported that patch, for work with kernel
His announcement is Slashdotted, and I'm seeing no notice of which versions
are affected! I'm running 2.4.18 on all my Debian servers, please tell me
what's going on.
same here...:(
Why most this patch does is change kernel_thread into arch_kernel_thread?
only useful thing I see is
On Tue, 2003-03-18 at 08:04, Giacomo Mulas wrote:
Alan Cox apparently just made public a vulnerability in the stock
kernel which would permit a local user to gain root privileges (see e.g.
Linux Today, LWN, the LK mailing list...). Is a patched source package in
the making already or
Alan Cox apparently just made public a vulnerability in the stock
kernel which would permit a local user to gain root privileges (see e.g.
Linux Today, LWN, the LK mailing list...). Is a patched source package in
the making already or should we humble users, in the meantime, take the
On Tue 18/03/2003 at 13:04, Giacomo Mulas wrote:
On Tue, 18 Mar 2003, Giacomo Mulas wrote:
Alan Cox apparently just made public a vulnerability in the stock
kernel which would permit a local user to gain root privileges (see e.g.
Linux Today, LWN, the LK mailing list...). Is a
His announcement is Slashdotted, and I'm seeing no notice of which versions
are affected! I'm running 2.4.18 on all my Debian servers, please tell me
what's going on.
--On Tuesday, March 18, 2003 12:04 PM +0100 Giacomo Mulas
[EMAIL PROTECTED] wrote:
Alan Cox apparently just made
vulnerability in 2.2 and 2.4 kernels
From:
Alan Cox
[EMAIL PROTECTED]
Subject:
Ptrace vulnerability
You could try this link
http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html but I am not
sure if it meets your criteria of authoritative.
From: Phillip Hofmeister [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: ptrace vulnerability?
Date: Tue, 18 Mar 2003 17:09:10 -0500
MIME
Correct me if I am wrong but is the ptrace vulnerability not a fairly old
one. By old I mean like a couple of years. Or is this a completely
different ptrace vulnerability. I know there was info about a ptrace
vulnerability at http://packetstormsecurity.com including the working
exploit
New one.
The attached module seems to block the currently circulating exploit, I didn't
write it so don't email me if it breaks your system.
On Tuesday 18 March 2003 17:39, Steve Meyer wrote:
Correct me if I am wrong but is the ptrace vulnerability not a fairly old
one. By old I mean like
Does anyone know the ETA of the official patch?
On Tue, 18 Mar 2003, Giacomo Mulas wrote:
Alan Cox apparently just made public a vulnerability in the stock
kernel which would permit a local user to gain root privileges (see e.g.
Linux Today, LWN, the LK mailing list...). Is a patched source package in
the making already or should we
Tuesday, March 18, 2003, 3:40:40 PM, Jason Rashaad Jackson (Jason) wrote:
Jason His announcement is Slashdotted, and I'm seeing no notice of which versions
Jason are affected! I'm running 2.4.18 on all my Debian servers, please tell me
Jason what's going on.
I usually make it a habit of only applying patches that come from
seemingly authoritative sites. Could anyone make a reference to an
authoritative site that would contain this patch? I have been snooping
around kernel.org with no success...
--
Phil
PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
You could try this link
http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html but I am not
sure if it meets your criteria of authoritative.
From: Phillip Hofmeister [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: Re: ptrace vulnerability?
Date: Tue, 18 Mar 2003 17