Re: ptrace fix in 2.4

2003-05-13 Thread Peter Holm
Hi, first let me thank you very much for answering my question! It´s just the special ptrace-bug situation, that makes me dive deeper into these things I usually do not touch, so I am really happy with someone giving me some hints! >However, it seems easier to start from the other direct

Re: ptrace fix in 2.4

2003-05-13 Thread Adam ENDRODI
On Mon, May 12, 2003 at 03:10:05AM +0200, Peter Holm wrote: > On Fri, 09 May 2003 14:10:05 +0200, in linux.debian.security you > wrote: > > >Yesterday Bernhard Kaindl committed a cleanup patch addressing > >numerous problems encountered with the original ptrace fix. > &

Re: ptrace fix in 2.4

2003-05-11 Thread Peter Holm
On Fri, 09 May 2003 14:10:05 +0200, in linux.debian.security you wrote: >Yesterday Bernhard Kaindl committed a cleanup patch addressing >numerous problems encountered with the original ptrace fix. >Now it should be in -rc2. For more information and diffs, see Could please someone in

ptrace fix in 2.4

2003-05-09 Thread Adam ENDRODI
Hi - Yesterday Bernhard Kaindl committed a cleanup patch addressing numerous problems encountered with the original ptrace fix. Now it should be in -rc2. For more information and diffs, see http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]|[EMAIL PROTECTED] and http://linux.bkbits.net

Re: ptrace patch for vanilla kernel 2.4.20

2003-04-24 Thread Thiago Rondon
http://sinuspl.net/ptrace/ > > I had no problems. > > Greetz > > Konstantin Filtschew > > > - Original Message - > From: "Adam ENDRODI" <[EMAIL PROTECTED]> > To: "debian-security" > Sent: Wednesday, April 23, 2003 7:59

Re: Kernel ptrace Hole - Fix For ppc ?

2003-04-24 Thread simon raven
which defeats part of grsec, but not the more important issues with this kernel (ptrace) possibly (anyone know for sure?). have you been able to compile a kernel with a more recent benh, like ben10, and grsec 1.9.9f (IIRC)? i may not apply a benh patch, since i'm running an older powermac (7500),

Re: Kernel ptrace Hole - Fix For i386 ?

2003-04-24 Thread ournewsletter
Are these patched kernels available for i386 too? Can someone post the link please? > i'm running ben's kernels with grsec no problem, there might have > been one or two small rejects, but nothing major. currently i'm at > 2.4.20-ben8 with grsecurity 1.9.9c, i think its c, maybe d. on i386 > grs

Re: ptrace patch for vanilla kernel 2.4.20

2003-04-23 Thread Mail Operator
this one worked fine for me: http://sinuspl.net/ptrace/ I had no problems. Greetz Konstantin Filtschew - Original Message - From: "Adam ENDRODI" <[EMAIL PROTECTED]> To: "debian-security" Sent: Wednesday, April 23, 2003 7:59 AM Subject: Re: ptrace patch

Re: Kernel ptrace Hole - Fix For i386 ?

2003-04-23 Thread andrew lattis
On 2003/04/23 04:20:16AM +, Wed, simon raven wrote: > btw, anyone know if PPC kernels have had the grsec patch apply cleanly > to mainline kernel.org source? as i use xfs fs, the patching is rather > extensive, and i haven't had much luck with it. i spent more than a week > trying to compile a

Re: ptrace patch for vanilla kernel 2.4.20

2003-04-23 Thread Adam ENDRODI
On Wed, Apr 23, 2003 at 09:35:32AM +0200, Alexander Schmehl wrote: > > * Adam ENDRODI <[EMAIL PROTECTED]> [030423 07:59]: > > > > http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html > > > http://sinuspl.net/ptrace/ > > Can you tell me whethe

Re: ptrace patch for vanilla kernel 2.4.20

2003-04-23 Thread Alexander Schmehl
Good morning, * Adam ENDRODI <[EMAIL PROTECTED]> [030423 07:59]: > > http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html > > http://sinuspl.net/ptrace/ > Can you tell me whether these patches are the ones which were > known to break something? I didn

Re: ptrace patch for vanilla kernel 2.4.20

2003-04-23 Thread Adam ENDRODI
/hypermail/linux/kernel/0303.2/0226.html > > http://sinuspl.net/ptrace/ Can you tell me whether these patches are the ones which were known to break something? bit, adam -- 1024D/37B8D989 954B 998A E5F5 BA2A 3622 82DD 54C2 843D 37B8 D989 finger://[EMAIL PROTECTED] | Some days, my soul

Re: Kernel ptrace Hole - Fix For i386 ?

2003-04-22 Thread simon raven
heir Woody i386 > > systems. > > By "vanilla", do you mean the "Linus kernel" from kernel.org? If so, > the fix was incorporated into 2.4.21-pre6... 2.4.20 wasn't updated. i don't know exactly what you mean by fixed, but the ptrace fix was backported all the wa

Re: ptrace patch for vanilla kernel 2.4.20

2003-04-22 Thread Alexander Schmehl
* Konstantin <[EMAIL PROTECTED]> [030422 23:03]: > can anyone post the patch for the 2.4.20-kernel (from kernel.org) or give me > an address I can leech it from. http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html http://sinuspl.net/ptrace/ cu Alex -- PGP key on de

ptrace patch for vanilla kernel 2.4.20

2003-04-22 Thread Konstantin
hi, can anyone post the patch for the 2.4.20-kernel (from kernel.org) or give me an address I can leech it from. thx for help Fallen_Angel

Re: own kernel vs debian kernel (was: ptrace exploit)

2003-04-20 Thread Dale Amon
On Thu, Apr 17, 2003 at 03:05:13AM +0200, Filippo Carone wrote: > What you say here may lead to confusion. A monolithic kernel doesn't > give you added security toward a modular kernel. To make the kernel a > little bit more secure I'd use grsecurity (ie to prevent code injection, > syscall hijack

Re: own kernel vs debian kernel (was: ptrace exploit)

2003-04-20 Thread Dale Amon
On Thu, Apr 17, 2003 at 11:09:33AM +0200, Gergely Trifonov wrote: > the linux kernel IS monolithic no matter if you enable loadable modules or > not. if you > use modules, it doesn't change the basic structure of the kernel (it is > monolithic by design). i think disabling modules on a secure ma

RE: own kernel vs debian kernel (was: ptrace exploit)

2003-04-17 Thread Gergely Trifonov
9 114 !Please install IND CA Certificate as TRUSTED CA! https://www.indweb.hu/IND.crt -Original Message- From: Filippo Carone [mailto:[EMAIL PROTECTED] Sent: Thursday, April 17, 2003 3:05 AM To: debian-security@lists.debian.org Subject: Re: own kernel vs debian kernel

Re: own kernel vs debian kernel (was: ptrace exploit)

2003-04-16 Thread Filippo Carone
* Dale Amon ([EMAIL PROTECTED]) ha scritto: > I roll my own; nomodules for servers or secure machines, modules for > non-secure workstations. Configure them to the specific minimum requirements > of the particular use and not one option more. What you say here may lead to confusion. A monolithic

Re: Kernel ptrace Hole - Fix For i386 ?

2003-04-16 Thread Robert Lazzurs
what I meant - thanks for that info. Thanks also > to a private email I've been advised that patched Debian versions of > 2.4.20 do exist in the main archive pool directories, so I guess the > wheels of a release are turning. > > Sorry everybody - I didn't notice that the sa

Re: Kernel ptrace Hole - Fix For i386 ?

2003-04-15 Thread Nick Boyce
Debian versions of 2.4.20 do exist in the main archive pool directories, so I guess the wheels of a release are turning. Sorry everybody - I didn't notice that the same question got asked 3 days ago ("ptrace exploit"). Nick Boyce Bristol, UK -- Remember: If brute force doesn't work, you're just not using enough.

Re: Kernel ptrace Hole - Fix For i386 ?

2003-04-14 Thread Greg Norris
On Tue, Apr 15, 2003 at 12:46:38AM +0100, Nick Boyce wrote: > The fix is in vanilla kernel 2.4.20 as I understand it, and it sounds > like some people here are downloading that source for their Woody i386 > systems. By "vanilla", do you mean the "Linus kernel" from kernel.org? If so, the fix was

Kernel ptrace Hole - Fix For i386 ?

2003-04-14 Thread Nick Boyce
I'm wondering whether I've missed some announcement about a fixed 2.4.x package for this for i386 architecture. We've had DSAs 270 and 276 providing the fixes for Mips and S390 systems, and lots of discussion here about how to protect against the exploit *instead* of having a fix ... and it's been

Re: ptrace exploit

2003-04-13 Thread Markus Kolb
Maurizio Lemmo - Tannoiser wrote: On sabato 12 aprile 2003, alle 16:48, Markus Kolb wrote: Nono, that's not what I'm asking... My question is, literally, _why_ doesn't woody have such a patch? (I applied it on my systems, I'm just wondering why there isn't an official patch for this (Official f

Re: ptrace exploit

2003-04-13 Thread Maurizio Lemmo - Tannoiser
On sabato 12 aprile 2003, alle 16:48, Markus Kolb wrote: > >Nono, that's not what I'm asking... My question is, literally, _why_ > >doesn't woody have such a patch? (I applied it on my systems, I'm just > >wondering why there isn't an official patch for this (Official for > >Debian). > > Perhaps,

Re: own kernel vs debian kernel (was: ptrace exploit)

2003-04-12 Thread Dale Amon
On Sat, Apr 12, 2003 at 06:13:51PM +0200, Luis Gomez wrote: > On Sábado, 12 de Abril de 2003 14:35, Dale Amon wrote: > > I usually build on a different machine than the target one as servers > > or firewalls usually don't need gcc and such, which I remove from them > > where possible. > > In machi

Re: own kernel vs debian kernel (was: ptrace exploit)

2003-04-12 Thread Luis Gomez
On Sábado, 12 de Abril de 2003 14:35, Dale Amon wrote: > I usually build on a different machine than the target one as servers > or firewalls usually don't need gcc and such, which I remove from them > where possible. In machines where you don't need modules, I guess you just compile and then cop

Re: ptrace exploit

2003-04-12 Thread Markus Kolb
Birzan George Cristian wrote: On Sat, Apr 12, 2003 at 10:52:47AM +0200, Maurizio Lemmo - Tannoiser wrote: On sabato 12 aprile 2003, alle 06:45, Birzan George Cristian wrote: This might be a stupid question, I know, but, why isn't there a patch for the ptrace exploit, for the Woody k

Re: own kernel vs debian kernel (was: ptrace exploit)

2003-04-12 Thread Dale Amon
On Sat, Apr 12, 2003 at 10:55:29AM +0200, Luis Gomez wrote: > So my question is: what is the approach people take for this point? Do you, > sysadmins with lots of machines, apt-get install kernel-source, or do you > rather get an official kernel? What pros and cons has each of these points? > Am

Re: ptrace exploit

2003-04-12 Thread Birzan George Cristian
On Sat, Apr 12, 2003 at 10:52:47AM +0200, Maurizio Lemmo - Tannoiser wrote: > On sabato 12 aprile 2003, alle 06:45, Birzan George Cristian wrote: > > This might be a stupid question, I know, but, why isn't there a patch > > for the ptrace exploit, for the Woody kernel-source?

Re: own kernel vs debian kernel (was: ptrace exploit)

2003-04-12 Thread dl
The only problem I run into is my machines with more than a gig of ram... The apt-get kernel works on pretty much everything, but that ram thing always gets me ;) On Sat, 12 Apr 2003, Luis Gomez wrote: > On Sábado, 12 de Abril de 2003 05:45, Birzan George Cristian wrote: > > This might be a

Re: own kernel vs debian kernel (was: ptrace exploit)

2003-04-12 Thread Balu Stefan
]>; Sent: Saturday, April 12, 2003 11:55 AM Subject: own kernel vs debian kernel (was: ptrace exploit) On Sábado, 12 de Abril de 2003 05:45, Birzan George Cristian wrote: > This might be a stupid question Hi all... let me ask another (probably) stupid question I've thought abo

own kernel vs debian kernel (was: ptrace exploit)

2003-04-12 Thread Luis Gomez
On Sábado, 12 de Abril de 2003 05:45, Birzan George Cristian wrote: > This might be a stupid question Hi all... let me ask another (probably) stupid question I've thought about for a long time. I always try to use precompiled software as much as possible, software coming from the official debia

Re: ptrace exploit

2003-04-12 Thread Maurizio Lemmo - Tannoiser
On sabato 12 aprile 2003, alle 06:45, Birzan George Cristian wrote: > This might be a stupid question, I know, but, why isn't there a patch > for the ptrace exploit, for the Woody kernel-source? I'll backport the patch for the same reason (reliability of 2.4.18). The people tha

ptrace exploit

2003-04-11 Thread Birzan George Cristian
This might be a stupid question, I know, but, why isn't there a patch for the ptrace exploit, for the Woody kernel-source? There's been one for some obscure arch I can't remember right now, but not for any of the more widespread ones (well, not according to the changelogs I rea

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-02 Thread Paul Hampson
On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote: > > of proportion... Some things in security _have_ to be obscure. Your > > password, for example. Or the primes used to generate your PGP private > There's a difference between 'obscure' and 'secret'. In this context, I'd suggest

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-02 Thread Tim Nicholas
On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote: > > of proportion... Some things in security _have_ to be obscure. Your > > password, for example. Or the primes used to generate your PGP private > There's a difference between 'obscure' and 'secret'. This is true. > All you gain

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-02 Thread Dariush Pietrzak
> of proportion... Some things in security _have_ to be obscure. Your > password, for example. Or the primes used to generate your PGP private There's a difference between 'obscure' and 'secret'. All you gain by removing kernel-loading capability from your kernel is to force cracker to search memo

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-02 Thread Paul Hampson
On Tue, Apr 01, 2003 at 09:43:38PM +0200, Dariush Pietrzak wrote: > > One reason is security: > > it's relatively easy for an intruder to install a kernel module based > > rootkit, and then hide her processes, files or connections. > isn't it security-by-obscurity? No, that's stretching the defini

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Paul Hampson
On Tue, Apr 01, 2003 at 09:43:38PM +0200, Dariush Pietrzak wrote: > > One reason is security: > > it's relatively easy for an intruder to install a kernel module based > > rootkit, and then hide her processes, files or connections. > isn't it security-by-obscurity? No, that's stretching the defini

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Dale Amon
On Tue, Apr 01, 2003 at 01:57:10PM -0500, Phillip Hofmeister wrote: > Assuming an intruder made his way in with root privs couldn't he also > modify /dev/kmem or directly access the kernel memory by some other > means? I believe this topic has also been discussed in the past (dig > deep into the a

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Wade Richards
On Tue, 01 Apr 2003 13:57:10 EST, Phillip Hofmeister writes: >Assuming an intruder made his way in with root privs couldn't he also >modify /dev/kmem or directly access the kernel memory by some other >means? I believe this topic has also been discussed in the past (dig >deep into the archives) an

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Barroso
* Dariush Pietrzak ([EMAIL PROTECTED]) wrote: > > One reason is security: > > it's relatively easy for an intruder to install a kernel module based > > rootkit, and then hide her processes, files or connections. > isn't it security-by-obscurity? > Determined hacker can still relatively easily inser

anti-ptrace

2003-04-01 Thread Steve Meyer
Has anyone else beside me tried this anti-ptrace script? I downloaded it from packetstormsecurity.com and ran and loaded the module and it works like a charm. If anyone tries to use ptrace besides root it echoes that event to the root terminal, and denies it. Well here is a copy o

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Dariush Pietrzak
> One reason is security: > it's relatively easy for an intruder to install a kernel module based > rootkit, and then hide her processes, files or connections. isn't it security-by-obscurity? Determined hacker can still relatively easily insert code into kernel (vide phreack magazine articles ) -

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Phillip Hofmeister
On Tue, 01 Apr 2003 at 07:49:29PM +0200, David Barroso wrote: > One reason is security: > it's relatively easy for an intruder to install a kernel module based > rootkit, and then hide her processes, files or connections. Ahh, yea. Assuming an intruder made his way in with root privs couldn't

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Ralf Dreibrodt
ompile with modules at all. > > > > Why? > > One reason is security: > it's relatively easy for an intruder to install a kernel module based > rootkit, and then hide her processes, files or connections. i have an "old" kernel with modules and didn

Re: [d-security] Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Christian Hammers
On Tue, Apr 01, 2003 at 05:46:46PM +0100, David Ramsden wrote: > I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't > been patched. I can "echo '/sbin/modprobe' > /proc/sys/kernel/modprobe" and > try the above and I'l

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Barroso
* Marcin Owsiany ([EMAIL PROTECTED]) wrote: > On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote: > > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote: > > > In a server environment, where there no need to load modules at run-time, > > > could be a "usable workaround

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Marcin Owsiany
On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote: > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote: > > In a server environment, where there no need to load modules at run-time, > > could be a "usable workaround", but, in a workstation machine, i don't > > think

Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "David Ramsden" <[EMAIL PROTECTED]> Cc: Sent: Tuesday, April 01, 2003 4:48 PM Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Ralf Dreibrodt
modules at all. > > > > Why? > > One reason is security: > it's relatively easy for an intruder to install a kernel module based > rootkit, and then hide her processes, files or connections. i have an "old" kernel with modules and didn't update it, because

Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Christian Hammers
ot e.g. > > http://isec.pl/cliph/isec-ptrace-kmod-exploit.c > > I'd have to disagree with you there. > I've done this to one Debian box (3.0 running 2.2.20) and it does stop the > above exploit: > > $ echo "/this/doesnt/exist" > /proc/sys/kernel/modprobe

Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "David Ramsden" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Tuesday, April 01, 2003 4:48 PM Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnera

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Dale Amon
On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote: > In a server environment, where there no need to load modules at run-time, > could be a "usable workaround", but, in a workstation machine, i don't > think that's a great idea. In a server environment it is preferable not t

Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "Marc Demlenne" <[EMAIL PROTECTED]> Cc: "DouRiX" <[EMAIL PROTECTED]>; "Lutz Kittler" <[EMAIL PROTECTED]>; Sent: Tuesday, April 01, 2003 2:04 PM Subject:

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Maurizio Lemmo - Tannoiser
On martedì 01 aprile 2003, alle 14:20, DouRiX wrote: > but isn't there a trick to surpass the bug while waiting for debian > updates ? Actually, yes. But i'm not really sure if it's a "good" workaround. Anyway: if you disable automatic loading module (a kernel feature), you may ignore this vuln

Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Christian Hammers
/kernel/modprobe > > Can we trust this solution ? NO, it does not prevent the exploit. It does prevent the km3.c example exploit but not e.g. http://isec.pl/cliph/isec-ptrace-kmod-exploit.c You have to patch the kernel or load and compile the following module: http://www.securit

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Rolf Kutz
* Quoting Marc Demlenne ([EMAIL PROTECTED]): > echo unexisting_binary > /proc/sys/kernel/modprobe > > Can we trust this solution ? > What's the effect ? You can't dynamically load and unload modules anymore. If you load all the modules you need before doing it, you're fine. > It seems to work

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Lutz Kittler
> > but isn't there a trick to surpass the bug while waiting for debian > updates ? > > or won't be there a 2.4.18 update ? :) > You can disable autoloading for kernel modules: echo "x" > /proc/sys/kernel/modprobe . lutz

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Marc Demlenne
> but isn't there a trick to surpass the bug while waiting for debian > updates ? What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g. echo unexisting_binary > /proc/sys/kernel/modprobe Can we trust this solution ? What's the effect ? It seems to work fine, and to block t

Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "Marc Demlenne" <[EMAIL PROTECTED]> Cc: "DouRiX" <[EMAIL PROTECTED]>; "Lutz Kittler" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, Apri

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread DouRiX
Maurizio Lemmo - Tannoiser wrote: On lunedì 31 marzo 2003, alle 16:02, DouRiX wrote: Does someone know where is debian about this issue ? <http://lwn.net/Articles/25669/> i've noticed that there kernel 2.4.20 with ptrace patch included, in proposed-update. For my purpose, i

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Lutz Kittler
> > but isn't there a trick to surpass the bug while waiting for debian > updates ? > > or won't be there a 2.4.18 update ? :) > You can disable autoloading for kernel modules: echo "x" > /proc/sys/kernel/modprobe . lutz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "u

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread DouRiX
Maurizio Lemmo - Tannoiser wrote: On lunedì 31 marzo 2003, alle 16:02, DouRiX wrote: Does someone know where is debian about this issue ? <http://lwn.net/Articles/25669/> i've noticed that there kernel 2.4.20 with ptrace patch included, in proposed-update. For my purpose, i've

Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-03-31 Thread Maurizio Lemmo - Tannoiser
On lunedì 31 marzo 2003, alle 16:02, DouRiX wrote: > Does someone know where is debian about this issue ? > > <http://lwn.net/Articles/25669/> i've noticed that there kernel 2.4.20 with ptrace patch included, in proposed-update. For my purpose, i've backported that pa

[Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-03-31 Thread DouRiX
Hi everybody, Does someone know where is debian about this issue ? I see that there is already an update but only for mips (http://www.debian.org/security/2003/dsa-270), do you know why ? Thanks in advance, -- DouRiX ["Don't fear, Just play

[Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-03-31 Thread DouRiX
Hi everybody, Does someone know where is debian about this issue ? I see that there is already an update but only for mips (http://www.debian.org/security/2003/dsa-270), do you know why ? Thanks in advance, -- DouRiX ["Don't fear, Just play th

Re: ptrace

2003-03-23 Thread Josh Carroll
If you compiled and ran the resulting binary before upgrading your kernel, the isec-ptrace-kmod-exploit binary may already be set[ug]id, which is a side effect of running it. Make sure it's not +s and/or g+s, or better yet just remove it and recompile it. --- LeVA <[EMAIL PROTECTED

Re: [despammed] ptrace

2003-03-23 Thread LeVA
Hello! Thanks, that was the problem. The patch works fine. Ed McMan wrote: Saturday, March 22, 2003, 8:26:44 PM, debian-security@lists.debian.org (debian-security) wrote: LeVA> So it dropped me a root shell. Well it is not good I think, after the LeVA> patch... People have been saying that

Re: [despammed] ptrace

2003-03-23 Thread LeVA
Hello! Thanks, that was the problem. The patch works fine. Ed McMan wrote: Saturday, March 22, 2003, 8:26:44 PM, [EMAIL PROTECTED] (debian-security) wrote: LeVA> So it dropped me a root shell. Well it is not good I think, after the LeVA> patch... People have been saying that one of the exploits

Re: PTRACE Fixed?

2003-03-23 Thread Lars Ellenberg
On Sat, Mar 22, 2003 at 10:58:24AM -0800, Jon wrote: > On Sat, 2003-03-22 at 04:43, Markus Kolb wrote: > > Jon wrote: > > > > [...] > > > > >> > > >>Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]> > > >> > >

Re: Patch fot ptrace is good but ....

2003-03-23 Thread Couraud Régis
On Sunday 23 March 2003 05:01, Guille -bisho- wrote: > >Thus no problem, the patch functions ,-) > > > >But so now I launch the same exploit but to compile and use before > > levelling of the kernel : > > > >[EMAIL PROTECTED]:~/ptrace$ ./ptrace-before-compili

Re: Patch fot ptrace is good but ....

2003-03-22 Thread Guille -bisho-
>Thus no problem, the patch functions ,-) > >But so now I launch the same exploit but to compile and use before levelling >of the kernel : > >[EMAIL PROTECTED]:~/ptrace$ ./ptrace-before-compiling >[EMAIL PROTECTED]:~/ptrace# id >uid=0(root) gid=0(root) groupes=0(root) >

Re: ptrace

2003-03-22 Thread Phillip Hofmeister
On Sun, 23 Mar 2003 at 02:26:44AM +0100, LeVA wrote: > Hello! > > I have patched my kernel (2.4.20) with this patch: > http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt > It compile correctly. > Now I have downloaded the km3.c and isec-ptrace-kmod-exp

Re: [despammed] ptrace

2003-03-22 Thread Ed McMan
Saturday, March 22, 2003, 8:26:44 PM, debian-security@lists.debian.org (debian-security) wrote: LeVA> So it dropped me a root shell. Well it is not good I think, after the LeVA> patch... People have been saying that one of the exploits gives itself suid root after working successfully, so try del

Patch fot ptrace is good but ....

2003-03-22 Thread Couraud Régis
Hello my kernel is to compile, no error ,-) I to compile the exploit isec-ptrace-kmod-exploit.c I launch it [EMAIL PROTECTED]:~/ptrace$ ./ptrace-after-compiling [-] Unable to attach: Operation not permitted Processus arrêté Thus no problem, the patch functions ,-) But so now I launch the

