On Mon, Feb 09, 2004 at 01:36:25PM +0100, Kern Wolfgang wrote: > Hello Herbert, > > I have all steps you write executed: > > chmod 000 /vservers > chattr +t /vservers > > with a reset of chmod and all other commands. Still this one... > > pbvsc:~# lsattr -d /vservers > -------------t /vservers > > pbvsc:~# ls -ld /vservers > d--------- 8 root sys 4096 Feb 2 12:36 /vservers
well, you probably can change the group of that dir to group root with 'chgrp root /vservers' if that is what you mean, but that doesn't make it less secure ... exploit should not work, if it does, something is wrong with your kernel ... Linux (none) 2.4.24-vs1.26 #1 SMP Fri Feb 6 21:42:12 CET 2004 i686 unknown HTH, Herbert > Regards > > Development Department Germany > > W)ireless W)inds GbR. > Hosting | CoLocation | IP-Transit > Design | Develop. | Production > > | Web: Http://www.Wireless-Winds.de > | Web: Http://www.WWip.de > | Web: Http://www.WWip.ch > | eMail: [EMAIL PROTECTED] > > > CONFIDENTIALITY NOTICE > This mail contains information which is confidential and may also be > privileged. It is for exclusive use of the intended recipient(s). If you are > not the intended recipient(s), please note that any distribution, copying > or use of this mail or the information in it is strictly prohibited. If you > have received this mail in error, please notify us immediately and then > destroy this mail and any copies of it. Thank you! > > HINWEIS > Diese Nachricht enth�lt vertrauliche Informationen. Diese sind ausdr�cklich > nur f�r den/die Empf�nger dieser Nachricht bestimmt. Sollten Sie nicht der > beabsichtigte Empf�nger sein so nehmen Sie bitte zur Kenntnis, dass jede > Weiterleitung, jede Kopie oder die Verwendung der in dieser Nachricht > enthaltenen Informationen untersagt ist. Sollten Sie diese Nachricht > f�lschlicherweise erhalten haben, so benachrichtigen Sie uns bitte umgehend > und l�schen Sie diese Nachricht und s�mtliche Kopien bzw. Ausdrucke. Vielen > Dank! > > > > -----Urspr�ngliche Nachricht----- > Von: Herbert Poetzl [mailto:[EMAIL PROTECTED] > Gesendet: Montag, 9. Februar 2004 13:29 > An: Kern Wolfgang > Cc: [EMAIL PROTECTED]; 'Sven Hummelsberger '; [EMAIL PROTECTED]; > [EMAIL PROTECTED] > Betreff: Re: [Vserver] Analyze root-exploit with 1.26 and util 0.28 > > On Mon, Feb 09, 2004 at 01:15:52PM +0100, Kern Wolfgang wrote: > > Hi vServer Team, > > > > i have downloaded and compiled this expl. too and with 1.26 (Kernel > 2.4.24) > > the expl. seems still to work :( > > > > i have try this both ways: > > > > chmod 000 /vservers > > chattr +t /vservers > > > > and with > > > > chmod +t /vservers > > > > but this expl. Is still working, the only different between chattr and > chmod > > is one little line of error like this: > > *sigh* > > chmod 000 /vservers > chmod +t /vservers > > / # ls -ld /vservers > d--------T 10 root root 1024 Dec 6 00:15 /vservers > / # lsattr -d /vservers > ------------- /vservers > > INSECURE!! > > > chmod 000 /vservers > chattr +t /vservers > chmod +t /vservers > > / # ls -ld /vservers > d--------T 10 root root 1024 Dec 6 00:15 /vservers > / # lsattr -d /vservers > -----------t- /vservers > > INSECURE!! > > > chmod 000 /vservers > chattr +t /vservers > > / # ls -ld /vservers > d--------- 10 root root 1024 Dec 6 00:15 /vservers > / # lsattr -d /vservers > -----------t- /vservers > > SECURE > > what are your flags today? > > HTH, > Herbert > > > [EMAIL PROTECTED]:~# ./chroot_exp > > cd ..: Permission denied > > Exploit seems to work. =) > > > > But for now i can see full host strukture... the very bad thing is, i can > > modify and delete any file from the host, seems like full root rights. The > > mystic way, i have to "exit" two times for a normaly host view, like this: > > > > [EMAIL PROTECTED]:/# exit > > exit > > [EMAIL PROTECTED]:~# exit > > logout > > pbvsc:~# > > > > At first "exit" the system is in the last folder from i started the expl. > > With the second "exit" the system is right now in host system. With SSH on > > the expl. V-child i have no access to host system if i try this over ssh > on > > a v-child it works like vserver NAME enter. One thing i don't understand > for > > right now... after execute the exploit the right are set to: > > > > Owner: root > > Group: root > > > > If i set all back with chattr and chmod the rights set to: > > > > Owner: root > > Group: sys > > > > I hope, i have not repeated this problem the 1000000x... > > > > > > > > > > > > Regards > > > > Development Department Germany > > > > W)ireless W)inds GbR. > > Hosting | CoLocation | IP-Transit > > Design | Develop. | Production > > > > | Web: Http://www.Wireless-Winds.de > > | Web: Http://www.WWip.de > > | Web: Http://www.WWip.ch > > | eMail: [EMAIL PROTECTED] > > > > > > CONFIDENTIALITY NOTICE > > This mail contains information which is confidential and may also be > > privileged. It is for exclusive use of the intended recipient(s). If you > are > > not the intended recipient(s), please note that any distribution, copying > > or use of this mail or the information in it is strictly prohibited. If > you > > have received this mail in error, please notify us immediately and then > > destroy this mail and any copies of it. Thank you! > > > > HINWEIS > > Diese Nachricht enth�lt vertrauliche Informationen. Diese sind > ausdr�cklich > > nur f�r den/die Empf�nger dieser Nachricht bestimmt. Sollten Sie nicht der > > beabsichtigte Empf�nger sein so nehmen Sie bitte zur Kenntnis, dass jede > > Weiterleitung, jede Kopie oder die Verwendung der in dieser Nachricht > > enthaltenen Informationen untersagt ist. Sollten Sie diese Nachricht > > f�lschlicherweise erhalten haben, so benachrichtigen Sie uns bitte > umgehend > > und l�schen Sie diese Nachricht und s�mtliche Kopien bzw. Ausdrucke. > Vielen > > Dank! > > > > _______________________________________________ > > Vserver mailing list > > [EMAIL PROTECTED] > > http://list.linux-vserver.org/mailman/listinfo/vserver > > _______________________________________________ > Vserver mailing list > [EMAIL PROTECTED] > http://list.linux-vserver.org/mailman/listinfo/vserver _______________________________________________ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
