----- Original Message -----
From: "Christian Hammers" <[EMAIL PROTECTED]>
To: "Marc Demlenne" <[EMAIL PROTECTED]>
Cc: "DouRiX" <[EMAIL PROTECTED]>; "Lutz Kittler" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, April 01, 2003 2:04 PM
Subject: Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

[snip]
> >
> > What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.
> > echo unexisting_binary > /proc/sys/kernel/modprobe
> >
> > Can we trust this solution ?
>
> NO, it does not prevent the exploit.
>
> It does prevent the km3.c example exploit but not e.g.
> http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
>

I'd have to disagree with you there.
I've done this to one Debian box (3.0 running 2.2.20) and it does stop the
above exploit:

$ echo "/this/doesnt/exist" > /proc/sys/kernel/modprobe
$ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
$ ./isec-ptrace-kmod-exploit
$ [+] Attached to 18765
(gets stuck here - have to use Ctrl+C)
$

> You have to patch the kernel or load and compile the following module:
> http://www.securiteam.com/tools/5SP082K5GK.html (no-ptrace-module.c)
>

The above is probably the better solution. But you can't beat patching the
kernel, if it'll work - When are Debian going to release a DSA on this? :)

I'm running 2.2.19 from when I upgraded from 2.2r2 and can't apt-get the
kernel-source-2.2.19 and same for 2.2.20. Most annoying. I don't want to
upgrade to 2.4.x yet.

If I could get the source for 2.2.19 or 2.2.20 from Debian then I could copy
the configuration file from /boot as .config and then just apply the kernel
patch and "make oldconfig" without having to re-do the config again.
Downloading the source from kernel.org and trying to use the config in /boot
has 'new features' and things. (I'm not too confident at compiling the kernel
and the default Debian one is fine!).

Regards,
David.
--
David Ramsden
http://portal.hexstream.eu.org/
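
A check for the state of the /proc/sys/kernel/modprobe workaround discussed in this thread, as an added example that is not part of the original messages. It only reports whether the helper path stored there resolves to an executable file and makes no claim about whether that stops any particular exploit; the function name modprobe_state and its optional file argument are assumptions made for the example.

```sh
#!/bin/sh
# Added example: report whether the kernel's module-helper path points at
# something that can actually be executed. modprobe_state and its optional
# argument are hypothetical names, not part of any distribution tool.

# Usage: modprobe_state [sysctl_file]
# Prints "active:<path>", "disabled:<path>" or "unreadable".
# Returns 0 (helper runnable), 1 (helper missing or not executable),
# 2 (sysctl file could not be read).
modprobe_state() {
    sysctl_file="${1:-/proc/sys/kernel/modprobe}"

    if [ ! -r "$sysctl_file" ]; then
        echo "unreadable"
        return 2
    fi

    helper=""
    # read returns non-zero when the trailing newline is missing,
    # but it still fills $helper, so the failure is ignored here.
    IFS= read -r helper < "$sysctl_file" || :

    if [ -n "$helper" ] && [ -f "$helper" ] && [ -x "$helper" ]; then
        echo "active:$helper"
        return 0
    fi

    # Empty value, non-existent path, or a file without the execute bit.
    echo "disabled:$helper"
    return 1
}

# Stand-alone run: inspect the live setting (or a file given as $1).
modprobe_state "$@" || :
```

A value written to /proc is lost at reboot, so the check is worth repeating after each boot.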