About this list Date view Thread view Subject view Author view Attachment view

From: Luís Miguel Silva (lms_at_ispgaya.pt)
Date: Tue 25 Mar 2003 - 10:28:05 GMT


it seems your box IS vulnerable:
[ck_at_adjana ck]$ ./km3
Linux kmod + ptrace local root exploit by <anszom_at_v-lo.krakow.pl>

=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started.+ 11120
- 11120 ok!
------------------>>>>>>>>>> uid=0(root) gid=0(root) groups=100(users)
[ck_at_adjana ck]$

Alter the source on km3.c to execute something different then /usr/bin/id
:o)

Regards,
+-----------------------------------------
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5 F: +351 22 3745738
| G: +351 93 6371253 E: lms_at_ispgaya.pt
| H: http://lms.ispgaya.pt/
+-----------------------------------------
-----Mensagem original-----
De: Christoph Kuhles [mailto:ck_at_aquatix.de]
Enviada: segunda-feira, 24 de Março de 2003 11:07
Para: Luís Miguel Silva
Assunto: Re[2]: [vserver] Linux kmod/ptrace bug!

Hi,

Monday, March 24, 2003, 6:21:23 PM, you wrote:

LMS> I should have given the url to a working exploit on my original post.
LMS> So, here it is:
LMS> http://august.v-lo.krakow.pl/~anszom/km3.c

Hm, I don't seem able to exploit my own machines -

[ck_at_adjana ck]$ uname -a
Linux adjana.aquatix.de 2.4.19-aqx #4 Wed Jan 8 00:59:02 CET 2003 i686 i686
i386 GNU/Linux
[ck_at_adjana ck]$ ./km3
Linux kmod + ptrace local root exploit by <anszom_at_v-lo.krakow.pl>

=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started.+ 11120
- 11120 ok!
uid=0(root) gid=0(root) groups=100(users)
[ck_at_adjana ck]$ whoami
ck

/usr/bin/passwd is setuid root, the box runs 2.4.19 with ctx-15, ricmp
and patch-int from kerneli.org, /proc/sys/kernel/modprobe is set to
/sbin/modprobe. I really wonder why my machine is not vulnerable as I
didn't apply any patches for that. Also module support is enabled in
the running kernel.

Does anyone have details what might have actually 'patched' my system
here? I'm kinda worried if there's any other exploit that might work
on my box, so I'd appreciate any advice.

Thanks,

Chris


About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Tue 25 Mar 2003 - 02:51:24 GMT by hypermail 2.1.3