----- Original Message -----
From: "Christian Hammers" <[EMAIL PROTECTED]>
To: "David Ramsden" <[EMAIL PROTECTED]>
Cc: <debian-security@lists.debian.org>
Sent: Tuesday, April 01, 2003 4:48 PM
Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

[snip]
>
> Can it be that you had loaded no-ptrace-module.o or someone patched your
> kernel? See:
>
[snip]

It's the 2.2.20 kernel from Debian (did an apt-get install of the .deb
kernel-image package).

I then did:
echo '/this/doesnt/exist' > /proc/sys/kernel/modprobe

And tried what you did Christian. See below:

$ uname -r
2.2.20
$ gcc ptrace-kmod.c -o ptrace-kmod
$ ls -al ptrace-kmod*
-rwxr-xr-x 1 scarlet scarlet 9028 Apr 1 17:40 ptrace-kmod
-rw-r--r-- 1 scarlet scarlet 3736 Apr 1 17:37 ptrace-kmod.c
$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ ./ptrace-kmod
[-] Unable to attach: Operation not permitted
Killed
$ ./ptrace-kmod
$ ./ptrace-kmod
[+] Attached to 25763
$ ./ptrace-kmod
[+] Attached to 25770
$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ cat /proc/sys/kernel/modprobe
/this/doesnt/exist
$

I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't
been patched.

I can "echo '/sbin/modprobe' > /proc/sys/kernel/modprobe" and try the above
and I'll get a root prompt first time.

Maybe it doesn't work for the 2.4.x kernel series? Can anyone else try this
maybe and report back :-)

Cheers.
David.