Hello Herbert,
I have all steps you write executed:
chmod 000 /vservers
chattr +t /vservers
with a reset of chmod and all other commands. Still this one...
pbvsc:~# lsattr -d /vservers
-------------t /vservers
pbvsc:~# ls -ld /vservers
d--------- 8 root sys 4096 Feb 2 12:36 /vservers
Regards
Development Department Germany
W)ireless W)inds GbR.
Hosting | CoLocation | IP-Transit
Design | Develop. | Production
| Web: Http://www.Wireless-Winds.de
| Web: Http://www.WWip.de
| Web: Http://www.WWip.ch
| eMail: [EMAIL PROTECTED]
CONFIDENTIALITY NOTICE
This mail contains information which is confidential and may also be
privileged. It is for exclusive use of the intended recipient(s). If you are
not the intended recipient(s), please note that any distribution, copying
or use of this mail or the information in it is strictly prohibited. If you
have received this mail in error, please notify us immediately and then
destroy this mail and any copies of it. Thank you!
HINWEIS
Diese Nachricht enth�lt vertrauliche Informationen. Diese sind ausdr�cklich
nur f�r den/die Empf�nger dieser Nachricht bestimmt. Sollten Sie nicht der
beabsichtigte Empf�nger sein so nehmen Sie bitte zur Kenntnis, dass jede
Weiterleitung, jede Kopie oder die Verwendung der in dieser Nachricht
enthaltenen Informationen untersagt ist. Sollten Sie diese Nachricht
f�lschlicherweise erhalten haben, so benachrichtigen Sie uns bitte umgehend
und l�schen Sie diese Nachricht und s�mtliche Kopien bzw. Ausdrucke. Vielen
Dank!
-----Urspr�ngliche Nachricht-----
Von: Herbert Poetzl [mailto:[EMAIL PROTECTED]
Gesendet: Montag, 9. Februar 2004 13:29
An: Kern Wolfgang
Cc: [EMAIL PROTECTED]; 'Sven Hummelsberger '; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Betreff: Re: [Vserver] Analyze root-exploit with 1.26 and util 0.28
On Mon, Feb 09, 2004 at 01:15:52PM +0100, Kern Wolfgang wrote:
> Hi vServer Team,
>
> i have downloaded and compiled this expl. too and with 1.26 (Kernel
2.4.24)
> the expl. seems still to work :(
>
> i have try this both ways:
>
> chmod 000 /vservers
> chattr +t /vservers
>
> and with
>
> chmod +t /vservers
>
> but this expl. Is still working, the only different between chattr and
chmod
> is one little line of error like this:
*sigh*
chmod 000 /vservers
chmod +t /vservers
/ # ls -ld /vservers
d--------T 10 root root 1024 Dec 6 00:15 /vservers
/ # lsattr -d /vservers
------------- /vservers
INSECURE!!
chmod 000 /vservers
chattr +t /vservers
chmod +t /vservers
/ # ls -ld /vservers
d--------T 10 root root 1024 Dec 6 00:15 /vservers
/ # lsattr -d /vservers
-----------t- /vservers
INSECURE!!
chmod 000 /vservers
chattr +t /vservers
/ # ls -ld /vservers
d--------- 10 root root 1024 Dec 6 00:15 /vservers
/ # lsattr -d /vservers
-----------t- /vservers
SECURE
what are your flags today?
HTH,
Herbert
> [EMAIL PROTECTED]:~# ./chroot_exp
> cd ..: Permission denied
> Exploit seems to work. =)
>
> But for now i can see full host strukture... the very bad thing is, i can
> modify and delete any file from the host, seems like full root rights. The
> mystic way, i have to "exit" two times for a normaly host view, like this:
>
> [EMAIL PROTECTED]:/# exit
> exit
> [EMAIL PROTECTED]:~# exit
> logout
> pbvsc:~#
>
> At first "exit" the system is in the last folder from i started the expl.
> With the second "exit" the system is right now in host system. With SSH on
> the expl. V-child i have no access to host system if i try this over ssh
on
> a v-child it works like vserver NAME enter. One thing i don't understand
for
> right now... after execute the exploit the right are set to:
>
> Owner: root
> Group: root
>
> If i set all back with chattr and chmod the rights set to:
>
> Owner: root
> Group: sys
>
> I hope, i have not repeated this problem the 1000000x...
>
>
>
>
>
> Regards
>
> Development Department Germany
>
> W)ireless W)inds GbR.
> Hosting | CoLocation | IP-Transit
> Design | Develop. | Production
>
> | Web: Http://www.Wireless-Winds.de
> | Web: Http://www.WWip.de
> | Web: Http://www.WWip.ch
> | eMail: [EMAIL PROTECTED]
>
>
> CONFIDENTIALITY NOTICE
> This mail contains information which is confidential and may also be
> privileged. It is for exclusive use of the intended recipient(s). If you
are
> not the intended recipient(s), please note that any distribution, copying
> or use of this mail or the information in it is strictly prohibited. If
you
> have received this mail in error, please notify us immediately and then
> destroy this mail and any copies of it. Thank you!
>
> HINWEIS
> Diese Nachricht enth�lt vertrauliche Informationen. Diese sind
ausdr�cklich
> nur f�r den/die Empf�nger dieser Nachricht bestimmt. Sollten Sie nicht der
> beabsichtigte Empf�nger sein so nehmen Sie bitte zur Kenntnis, dass jede
> Weiterleitung, jede Kopie oder die Verwendung der in dieser Nachricht
> enthaltenen Informationen untersagt ist. Sollten Sie diese Nachricht
> f�lschlicherweise erhalten haben, so benachrichtigen Sie uns bitte
umgehend
> und l�schen Sie diese Nachricht und s�mtliche Kopien bzw. Ausdrucke.
Vielen
> Dank!
>
> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
