Linux Kernel /proc Exploit

 
jebba
Posted: Sat Jul 15, 2006 12:22 am    Post subject: Linux Kernel /proc Exploit

Ouch.

http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047913.html

This affects basically all distros.

A possible workaround is to run this as root (needed each time you boot):

Code:
mount -oremount,noexec /proc


You can also change the "proc" line in /etc/fstab to this for it to come up on boot:

Code:
proc      /proc      proc    rw,noexec       0 0


A new kernel will likely be released in the next few hours/minutes/seconds. Dave Jones says Fedora will have an update out today/tomorrow too. It will be available in the blag repo shortly after.

I will also be respinning the CDs and releasing BLAG50001 sometime next week.

-Jeff



Last edited by jebba on Wed Jul 19, 2006 4:35 am; edited 3 times in total
logicmaster
Posted: Sat Jul 15, 2006 3:20 am

my current :

LABEL=/ / ext3 defaults 1 1
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/hda3 /home ext3 defaults 1 2

replace the above bold with this ?

/dev/proc /proc proc rw,noexec 0 0

or do you mean..

/proc /proc proc rw,noexec 0 0 ?

Thanks :)


_________________
WWJD (What Would Jebba Do) :)
jebba
Posted: Sat Jul 15, 2006 5:49 am

It should read:

Code:
proc     /proc    proc    rw,noexec       0 0


I corrected my above post too...

john maclean
Posted: Sat Jul 15, 2006 11:23 am

Hi Jebba,

Am I right in thinking that this is not a thing that can be done automatically with a system upgrade as yet? And does one need to restart any services once you've changed /etc/fstab? 50k rocks by the way.

- JM (jayeola)


_________________
BLAG 'em up!
logicmaster
Posted: Sat Jul 15, 2006 11:55 am

Thanks Jebba :)

By the way, what does "kernel exploit" mean? What does it actually do? Is it the same as a virus?


_________________
WWJD (What Would Jebba Do) :)
jebba
Posted: Sat Jul 15, 2006 3:38 pm

logicmaster wrote:
By the way, what does "kernel exploit" mean? What does it actually do? Is it the same as a virus?


Basically, if someone has an account on your box, they can use that to obtain root (system administrator) access. Anyone that has root access can do anything to the box, such as reformat it. This is not remotely exploitable--the cracker must be "local" on the system.

So, it's not a virus, but a "hole" into a system.

-Jeff

jebba
Posted: Sat Jul 15, 2006 3:40 pm

Ok. An update is available in the blag repository. If you are running a public server, I especially encourage you to upgrade. If you are running a desktop workstation you should still upgrade. :)

Code:
apt-get update
apt-get install kernel#2.6.17-1.2157_FC5


-Jeff

ewl
Posted: Sat Jul 15, 2006 4:18 pm

I updated the kernel. Actually I was using a version of 2.6.16 before this update because suspend to disk doesn't work right with 2.6.17 (that includes the new version). Does the exploit affect the earlier kernels also?

_________________
Ed LaBonte
jebba
Posted: Sat Jul 15, 2006 4:30 pm

I believe this exploit targets all 2.6 kernels. If not, probably back to 2.6.8 or something.

Fedora legacy hasn't put out any new kernels yet, and I haven't seen any traffic about it on their list. If they make one for FC3, it'll automatically be in the blag repository. If they don't make one, I'll see what I can whip up after 50001 is done.

Ciao,

-Jeff

ewl
Posted: Sat Jul 15, 2006 4:35 pm

jebba wrote:
If they don't make one, I'll see what I can whip up after 50001 is done.


Don't go out of your way just for me. It's not a big deal. The only time I use suspend to disk is when I'm testing it to see if it works. And I assume it will be fixed eventually anyway, unless I'm the only one affected, which I doubt.


_________________
Ed LaBonte
jebba
Posted: Sat Jul 15, 2006 4:36 pm

Ah, I kinda meant I would whip up a kernel for 30k if fedora legacy doesn't put something out. But I really really hope they'll do it for me... ;)
jebba
Posted: Wed Jul 19, 2006 2:27 am

It appears that BLAG 30k & 50k are not vulnerable to the recent /proc hole since the exploit needs a.out support. Those kernels are not compiled with a.out.

Dave Jones wrote:
Additionally, this exploit only works with kernels compiled with support for a.out style executables, which Fedora isn't. I've got an update building for 2.6.17.6 anyway, just to stop the inevitable "why hasn't Fedora been patched" questions.
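
A check for the two conditions raised in this thread, the noexec option on /proc from the workaround and a.out support in the kernel build, as an added example that is not part of the original posts. The function names, the sample files and the /boot/config path are assumptions; CONFIG_BINFMT_AOUT is the kernel build option for a.out support.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.

# mount_has_opt FILE MOUNTPOINT OPTION
# FILE uses the /etc/fstab or /proc/mounts layout: dev mountpoint type options ...
# Succeeds if the last entry for MOUNTPOINT carries OPTION.
mount_has_opt() {
    awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            hit = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) hit = 1
        }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# aout_enabled KERNEL_CONFIG
# Succeeds if a.out support is built in (=y) or available as a module (=m).
aout_enabled() {
    grep -Eq '^CONFIG_BINFMT_AOUT=[ym]$' "$1"
}

# proc_audit MOUNTS KERNEL_CONFIG -> prints "noexec=<yes|no> aout=<yes|no>"
proc_audit() {
    ne=no; ao=no
    mount_has_opt "$1" /proc noexec && ne=yes
    aout_enabled "$2" && ao=yes
    echo "noexec=$ne aout=$ao"
}

# Constructed samples: the stock fstab line vs. the workaround line.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'proc /proc proc defaults 0 0\nsysfs /sys sysfs defaults 0 0\n' > "$tmp/fstab.before"
printf 'proc /proc proc rw,noexec 0 0\nsysfs /sys sysfs defaults 0 0\n' > "$tmp/fstab.after"
printf '# CONFIG_BINFMT_AOUT is not set\nCONFIG_BINFMT_ELF=y\n' > "$tmp/config.noaout"
printf 'CONFIG_BINFMT_AOUT=m\nCONFIG_BINFMT_ELF=y\n' > "$tmp/config.aout"

proc_audit "$tmp/fstab.before" "$tmp/config.aout"    # stock fstab, a.out kernel
proc_audit "$tmp/fstab.after"  "$tmp/config.noaout"  # workaround applied, no a.out
# On a live system (paths are the usual locations, adjust as needed):
#   proc_audit /proc/mounts "/boot/config-$(uname -r)"
```

Reading /proc/mounts reports the options in effect right now, while /etc/fstab only shows what will be applied at the next boot.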

jebba
Posted: Mon Jul 24, 2006 9:10 pm

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198973#c10