Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-02 Thread Paul Hampson
On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote: > > of proportion... Some things in security _have_ to be obscure. Your > > password, for example. Or the primes used to generate your PGP private > There's a difference between 'obscure' and 'secret'. In this context, I'd suggest

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-02 Thread Tim Nicholas
On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote: > > of proportion... Some things in security _have_ to be obscure. Your > > password, for example. Or the primes used to generate your PGP private > There's a difference between 'obscure' and 'secret'. This is true. > All you gain

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-02 Thread Dariush Pietrzak
> of proportion... Some things in security _have_ to be obscure. Your > password, for example. Or the primes used to generate your PGP private There's a difference between 'obscure' and 'secret'. All you gain by removing kernel-loading capability from your kernel is to force cracker to search memo

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-02 Thread Paul Hampson
On Tue, Apr 01, 2003 at 09:43:38PM +0200, Dariush Pietrzak wrote: > > One reason is security: > > it's relatively easy for an intruder to install a kernel module based > > rootkit, and then hide her processes, files or connections. > isn't it security-by-obscurity? No, that's stretching the defini

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Paul Hampson
On Tue, Apr 01, 2003 at 09:43:38PM +0200, Dariush Pietrzak wrote: > > One reason is security: > > it's relatively easy for an intruder to install a kernel module based > > rootkit, and then hide her processes, files or connections. > isn't it security-by-obscurity? No, that's stretching the defini

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Dale Amon
On Tue, Apr 01, 2003 at 01:57:10PM -0500, Phillip Hofmeister wrote: > Assuming an intruder made his way in with root privs couldn't he also > modify /dev/kmem or directly access the kernel memory by some other > means? I believe this topic has also been discussed in the past (dig > deep into the a

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Wade Richards
On Tue, 01 Apr 2003 13:57:10 EST, Phillip Hofmeister writes: >Assuming an intruder made his way in with root privs couldn't he also >modify /dev/kmem or directly access the kernel memory by some other >means? I believe this topic has also been discussed in the past (dig >deep into the archives) an

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Barroso
* Dariush Pietrzak ([EMAIL PROTECTED]) wrote: > > One reason is security: > > it's relatively easy for an intruder to install a kernel module based > > rootkit, and then hide her processes, files or connections. > isn't it security-by-obscurity? > Determined hacker can still relatively easily inser

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Dariush Pietrzak
> One reason is security: > it's relatively easy for an intruder to install a kernel module based > rootkit, and then hide her processes, files or connections. isn't it security-by-obscurity? Determined hacker can still relatively easily insert code into kernel (vide Phrack magazine articles ) -

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Phillip Hofmeister
On Tue, 01 Apr 2003 at 07:49:29PM +0200, David Barroso wrote: > One reason is security: > it's relatively easy for an intruder to install a kernel module based > rootkit, and then hide her processes, files or connections. Ahh, yea. Assuming an intruder made his way in with root privs couldn't

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Ralf Dreibrodt
Hi, David Barroso wrote: > > * Marcin Owsiany ([EMAIL PROTECTED]) wrote: > > On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote: > > > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser > > > wrote: > > > > In a server environment, where there is no need to load modules at r

Re: [d-security] Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Christian Hammers
On Tue, Apr 01, 2003 at 05:46:46PM +0100, David Ramsden wrote: > I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't > been patched. I can "echo '/sbin/modprobe' > /proc/sys/kernel/modprobe" and > try the above and I'll get a root prompt first time. Ok, I have to admit, th

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Barroso
* Marcin Owsiany ([EMAIL PROTECTED]) wrote: > On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote: > > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote: > > > In a server environment, where there is no need to load modules at run-time, > > > could be a "usable workaround

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Marcin Owsiany
On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote: > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote: > > In a server environment, where there is no need to load modules at run-time, > > could be a "usable workaround", but, in a workstation machine, I don't > > think

Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "David Ramsden" <[EMAIL PROTECTED]> Cc: Sent: Tuesday, April 01, 2003 4:48 PM Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Ralf Dreibrodt
Hi, David Barroso wrote: > > * Marcin Owsiany ([EMAIL PROTECTED]) wrote: > > On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote: > > > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote: > > > > In a server environment, where there is no need to load modules at run-time

Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Christian Hammers
On Tue, Apr 01, 2003 at 02:40:44PM +0100, David Ramsden wrote: > > > echo unexisting_binary > /proc/sys/kernel/modprobe > > > Can we trust this solution ? > > NO, it does not prevent the exploit. > > > > It does prevent the km3.c example exploit but not e.g. > > http://isec.pl/cliph/isec-ptrace

Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "David Ramsden" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Tuesday, April 01, 2003 4:48 PM Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnera

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Dale Amon
On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote: > In a server environment, where there is no need to load modules at run-time, > could be a "usable workaround", but, in a workstation machine, I don't > think that's a great idea. In a server environment it is preferable not t

Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "Marc Demlenne" <[EMAIL PROTECTED]> Cc: "DouRiX" <[EMAIL PROTECTED]>; "Lutz Kittler" <[EMAIL PROTECTED]>; Sent: Tuesday, April 01, 2003 2:04 PM Subject:

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Maurizio Lemmo - Tannoiser
On Tuesday 01 April 2003, at 14:20, DouRiX wrote: > but isn't there a trick to surpass the bug while waiting for debian > updates ? Actually, yes. But I'm not really sure if it's a "good" workaround. Anyway: if you disable automatic loading module (a kernel feature), you may ignore this vuln

Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Christian Hammers
On Tue, Apr 01, 2003 at 02:06:12PM +0200, Marc Demlenne wrote: > > but isn't there a trick to surpass the bug while waiting for debian > > updates ? > > What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g. > echo unexisting_binary > /proc/sys/kernel/modprobe > > Can we trust

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Rolf Kutz
* Quoting Marc Demlenne ([EMAIL PROTECTED]): > echo unexisting_binary > /proc/sys/kernel/modprobe > > Can we trust this solution ? > What's the effect ? You can't dynamically load and unload modules anymore. If you load all the modules you need before doing it, you're fine. > It seems to work

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Lutz Kittler
> > but isn't there a trick to surpass the bug while waiting for debian > updates ? > > or won't be there a 2.4.18 update ? :) > You can disable autoloading for kernel modules: echo "x" > /proc/sys/kernel/modprobe . lutz

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Marc Demlenne
> but isn't there a trick to surpass the bug while waiting for debian > updates ? What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g. echo unexisting_binary > /proc/sys/kernel/modprobe Can we trust this solution ? What's the effect ? It seems to work fine, and to block t

Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
l 01, 2003 2:04 PM Subject: Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels] [snip] > > > > What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g. > > echo unexisting_binary > /proc/sys/kernel/modprobe > > > >

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread DouRiX
Maurizio Lemmo - Tannoiser wrote: On Monday 31 March 2003, at 16:02, DouRiX wrote: Does someone know where is debian about this issue ? I've noticed that there kernel 2.4.20 with ptrace patch included, in proposed-update. For my purpose, I've backported

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread DouRiX
Maurizio Lemmo - Tannoiser wrote: On Monday 31 March 2003, at 16:02, DouRiX wrote: Does someone know where is debian about this issue ? I've noticed that there kernel 2.4.20 with ptrace patch included, in proposed-update. For my purpose, I've backported that

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-03-31 Thread Maurizio Lemmo - Tannoiser
On Monday 31 March 2003, at 16:02, DouRiX wrote: > Does someone know where is debian about this issue ? > > I've noticed that there kernel 2.4.20 with ptrace patch included, in proposed-update. For my purpose, I've backported that patch, for work with kernel 2

[Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-03-31 Thread DouRiX
Hi everybody, Does someone know where is debian about this issue ? I see that there is already an update but only for mips (http://www.debian.org/security/2003/dsa-270), do you know why ? Thanks in advance, -- DouRiX ["Don't fear, Just play

[Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-03-31 Thread DouRiX
Hi everybody, Does someone know where is debian about this issue ? I see that there is already an update but only for mips (http://www.debian.org/security/2003/dsa-270), do you know why ? Thanks in advance, -- DouRiX ["Don't fear, Just play th