It seems your box IS vulnerable:

[EMAIL PROTECTED] ck]$ ./km3
Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started.+ 11120
- 11120 ok!
------------------>>>>>>>>>> uid=0(root) gid=0(root) groups=100(users)
[EMAIL PROTECTED] ck]$

Alter the source on km3.c to execute something different than /usr/bin/id :o)

Regards,

+-----------------------------------------
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio - 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5 F: +351 22 3745738
| G: +351 93 6371253 E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+-----------------------------------------

-----Original Message-----
From: Christoph Kuhles [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 11:07
To: Luís Miguel Silva
Subject: Re[2]: [vserver] Linux kmod/ptrace bug!

Hi,

Monday, March 24, 2003, 6:21:23 PM, you wrote:

LMS> I should have given the url to a working exploit on my original post.
LMS> So, here it is:
LMS> http://august.v-lo.krakow.pl/~anszom/km3.c

Hm, I don't seem able to exploit my own machines -

[EMAIL PROTECTED] ck]$ uname -a
Linux adjana.aquatix.de 2.4.19-aqx #4 Wed Jan 8 00:59:02 CET 2003 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] ck]$ ./km3
Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started.+ 11120
- 11120 ok!
uid=0(root) gid=0(root) groups=100(users)
[EMAIL PROTECTED] ck]$ whoami
ck

/usr/bin/passwd is setuid root, the box runs 2.4.19 with ctx-15, ricmp and patch-int from kerneli.org, /proc/sys/kernel/modprobe is set to /sbin/modprobe.

I really wonder why my machine is not vulnerable as I didn't apply any patches for that. Also module support is enabled in the running kernel.

Does anyone have details what might have actually 'patched' my system here? I'm kinda worried if there's any other exploit that might work on my box, so I'd appreciate any advice.

Thanks,
Chris
