Nick Boyce wrote:
> On Friday 21 Mar 2003 2:01 pm, Martin Schulze wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > -
> >- Debian Security Advisory DSA 265-1
> > [EMAIL PROTECTED] http://w
On Fri, 2003-03-21 at 17:43, Phillip Hofmeister wrote:
> When I run it as root it does the following:
>
> Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
>
> => Simple mode, executing /usr/bin/id > /dev/tty
> sizeof(shellcode)=95
> => Child process started..
> => Child proce
Hi, first of all, sorry for my poor English; I'll try my best.
I have the following scheme in my lab:
INTERNET --- firewall --- local network
I have real ip's for all computers in the lab, so I don't need nat,
but I don't know how to set this and can't find any documentation
how to build a firewall f
On Sat, 22 Mar 2003 06:24:02 -0300
Eduardo Rocha Costa <[EMAIL PROTECTED]> wrote:
> Hi, first of all, sorry for my poor English; I'll try my best.
>
> I have the following scheme in my lab:
>
> INTERNET --- firewall --- local network
>
> I have real ip's for all computers in the lab, so I don't need
Hi,
I finally decided to invest some time into SELinux, having run it in
permissive/useless mode for months now. While trying to come up with
the right policy changes to make my system still work I stumbled upon
a few things.
How to handle daemons that drop root? Is it ok to allow their domain
se
hi all
I have a similar problem after compiling a new kernel with
kernel-source-2.4.20_2.4.20-3woody.3_all.deb
The output of ps has changed and doesn't output the full path
of a process anymore.
like this:
sid 2.4.20 build with source from kernel.org
(ptrace bug unpatch)
or any other woody 2.4.1
On Sat, 22 March 2003 10:03, LeVA wrote:
> Hello!
>
> Is the 2.4.20 kernel vulnerable to this exploit?
yes
This is more than an exploit. It is marvellous and smartness.
Thank god we know the bug now!
On Fri, Mar 21, 2003 at 09:18:42AM +0100, Yndy wrote:
> Hi all!
>
> http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
>
> Yndy
>
>
On Sat, 22 Mar 2003 at 10:03:38AM +0100, LeVA wrote:
> Hello!
>
> Is the 2.4.20 kernel vulnerable to this exploit?
Since there is a patch explicitly written for it on kernel.org I would
suppose it is...
Hello,
Where can I find a patch for the PTrace bug?
Because I'm searching for a patch that works on Kernel 2.2.X and 2.4.X ;)
thanks
- Original Message -
From: "Jacek Sobczak" <[EMAIL PROTECTED]>
To: "Debian Security"
Sent: Saturday, March 22, 2003 5:15 PM
Subject: Re: PTRACE Fixed?
Dni
http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt
The patch is for 2.2.24 or 2.4.20. I tried applying it on 2.4.18 but
the patch seems to barf :)
On Sat, 22 Mar 2003 at 05:49:55PM +0100, Laurent Tickle wrote:
> Hello,
>
> Where can I find a patch for the PTrace bug?
> Bec
On Sat, Mar 22, 2003 at 05:49:55PM +0100, Laurent Tickle wrote:
> Hello,
>
> Where can I find a patch for the PTrace bug?
> Because I'm searching for a patch that works on Kernel 2.2.X and 2.4.X ;)
Well, for 2.2.x Alan Cox released 2.2.25, which includes only the ptrace patch.
For 2.4.x several patches
In the past few days I have noticed a jump in scans on my Apache box. Is
this just a fluke or is something brewing ?
03/22/2003 08:01:53.224 - Possible Port Scan - Source:212.32.4.26, 43280,
WAN - Destination:209.113.151.5, 5121, LAN - TCP scanned port list, 81, 81,
3128, 3128, 4480
03/22/2003 0
On Sat, 2003-03-22 at 04:43, Markus Kolb wrote:
> Jon wrote:
>
> [...]
>
> >>
> >>Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
> >>
> >>=> Simple mode, executing /usr/bin/id > /dev/tty
> >>sizeof(shellcode)=95
> >>=> Child process started..
> >>=> Child process started...
On Sat, 22 Mar 2003 17:49:55 +0100
"Laurent Tickle" <[EMAIL PROTECTED]> wrote:
>
> [...] patch for the PTrace bug ?
>
Here you'll find a kernel source tree patched against the PTrace bug:
ftp://ftp.debian.org/debian/pool/main/k/kernel-source-2.4.20/kernel-source-2.4.20_2.4.20-3woody.3_all.deb
>
On Sat Mar 22, 12:01pm -0600, Hanasaki JiJi wrote:
> firewall runs
> whois server - gwhois or jwhois?
No comment, I don't run any WHOIS servers.
> iptables - firewall
iptables is fine, if you set it up properly.
> bind9 - for external dns
>
Also fine, if you se
anyone experienced the same ?
I got this :(
i386_ksyms.c:70: `kernel_thread' undeclared here (not in a function)
i386_ksyms.c:70: initializer element is not constant
i386_ksyms.c:70: (near initialization for `__ksymtab_kernel_thread.value')
make[2]: *** [i386_ksyms.o] Error 1
make[2]: Leaving dir
hi ya
gazillion different solutions for "secure topologies" that
depends on time, and machines available, skillset and
what you're protecting against
c ya
alvin
-- you need backups ... :-)
-- disallow insecure services even behind the firewall
( telnet, ftp, pop3/imap, dhcp, wirel
---Haim Ashkenazi wrote:
> On Sat, 22 Mar 2003 06:24:02 -0300
> Eduardo Rocha Costa <[EMAIL PROTECTED]> wrote:
>
> > Hi, first of all, sorry for my poor English; I'll try my best.
> >
> > I have the following scheme in my lab:
> >
> > INTERNET --- firewall --- local network
> >
> > I have rea
Thanks, but I have updated my kernel to 2.2.25 + patch and the bug doesn't
seem to work.
- Original Message -
From: "Matteo Moro" <[EMAIL PROTECTED]>
To:
Sent: Saturday, March 22, 2003 8:11 PM
Subject: Re: PTRACE Fixed?
> On Sat, 22 Mar 2003 17:49:55 +0100
> "Laurent Tickle" <[EMAIL PROTE
* Matteo Moro <[EMAIL PROTECTED]> wrote:
> "Laurent Tickle" <[EMAIL PROTECTED]> wrote:
> > [...] a patch that works on Kernel 2.2.X and 2.4.X ;)
>
> It's 2.4.20 only... :-P
That bug was the reason why 2.2.25 was released.
Saturday, March 22, 2003, 7:04:19 PM, Siegbert Baude (Siegbert) wrote:
>> Here you'll find a kernel source tree patched against the PTrace bug:
>> ftp://ftp.debian.org/debian/pool/main/k/kernel-source-2.4.20/kernel-source-2.4.20_2.4.20-3woody.3_all.deb
Siegbert> I always install my kernel-sou
Hello my kernel is to compile, no error ,-)
I to compile the exploit isec-ptrace-kmod-exploit.c
I launch it
[EMAIL PROTECTED]:~/ptrace$ ./ptrace-after-compiling
[-] Unable to attach: Operation not permitted
Processus arrêté
Thus no problem, the patch functions ,-)
But so now I launch the same
On Friday, 21 March 2003 03:41, Dale Amon wrote:
> chkrootkit finds this file:
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/tiger/bin/.bintype
>
> which appears to be quite old. Is this just a leftover
> from a
On Sun, 23 Mar 2003 at 02:26:44AM +0100, LeVA wrote:
> Hello!
>
> I have patched my kernel (2.4.20) with this patch:
> http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt
> It compiles correctly.
> Now I have downloaded the km3.c and isec-ptrace-kmod-exploit.c
> The km3.c does
>Thus no problem, the patch functions ,-)
>
>But so now I launch the same exploit but to compile and use before levelling
>of the kernel :
>
>[EMAIL PROTECTED]:~/ptrace$ ./ptrace-before-compiling
>[EMAIL PROTECTED]:~/ptrace# id
>uid=0(root) gid=0(root) groupes=0(root)
>[EMAIL PROTECTED]:~/ptrace#
Hello!
Is the 2.4.20 kernel vulnerable to this exploit?
Phillip Hofmeister wrote:
All,
I just patched my kernel with the patch available on kernel.org. I
downloaded, compiled and ran the km3.c exploit for this bug. How can I
tell if the exploit failed or not? When I run the exploit as non-roo
Aren't some ICMP packets best to allow for effective routing and such?
Josh Carroll wrote:
There are a couple of reasons why I use -j DROP
instead of -j REJECT. Firstly, sending responses to
packets you're dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
suffic
Jon wrote:
[...]
Linux kmod + ptrace local root exploit by <[EMAIL PROTECTED]>
=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started..
=> Child process started..
[...]
Does this mean the patch I downloaded worked?
Yes.
- Jon
Mmh, well,
Would you share your opinions on the following setup for daemons?
firewall runs
whois server - gwhois or jwhois?
iptables - firewall
forwards-to/NAT-from internal smtp server
NAT outgoing DNS for internal bind9 server
bind9 - for external dns
Hi,
Here you'll find a kernel source tree patched against the PTrace bug:
ftp://ftp.debian.org/debian/pool/main/k/kernel-source-2.4.20/kernel-source-2.4.20_2.4.20-3woody.3_all.deb
I always install my kernel-sources by hand, but out of curiosity, could I
get this by means of apt?
# apt-cache sea
Hello!
I have patched my kernel (2.4.20) with this patch:
http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt
It compiles correctly.
Now I have downloaded the km3.c and isec-ptrace-kmod-exploit.c
The km3.c doesn't write the OK! stuff, and it could run forever starting
child p
Saturday, March 22, 2003, 8:26:44 PM, [EMAIL PROTECTED] (debian-security) wrote:
LeVA> So it dropped me a root shell. Well it is not good I think, after the
LeVA> patch...
People have been saying that one of the exploits gives itself suid
root after working successfully, so try deleting the execut
65 matches