This is a discussion on Bug#458251: prctl exploit works on kernel 126.96.36.199 - Debian ; tag 458251 + unreproducible tag 458251 + moreinfo thanks On Sat, Dec 29, 2007 at 10:58:59PM +0200, Lex wrote: > Package: linux-image > Version: 188.8.131.52 > Tags: security > > Hello. > I'm running debian etch server. kernel 184.108.40.206, libc6_2.3.6.ds1-13etch2 ...
tag 458251 + unreproducible
tag 458251 + moreinfo
On Sat, Dec 29, 2007 at 10:58:59PM +0200, Lex wrote:
> Package: linux-image
> Version: 220.127.116.11
> Tags: security
> I'm running debian etch server. kernel 18.104.22.168, libc6_2.3.6.ds1-13etch2
> updated by aptitude yesterday.
The string '22.214.171.124' doesn't correspond to any Debian kernel
version. See this page for information on how you can find the
appropriate version information:
> Today my server was attacked. Attacker logged in as non privileged
> user "test".(password was brutforced). He used prctl local root exploit
> (code below).
> And it works! file "core" was dumped at folder /etc/cron.d/
> The only happiness is that cron did not run it.
You cannot be sure of this; with root privileges, an attacker could
modify your log to hide a successful attack. Unfortunately, the only
way you can be sure that this attacker no longer retains access is to
reinstall your system from scratch.
> Error in syslog:
> cron: Error: bad minute; while reading /etc/cron.d/core
> I tried to find out this exploit at google and find that it was affected to
> kernels 2.6.13-126.96.36.199. from kernel 188.8.131.52 it should be fixed. But looks
> like not....
You appear to be referring to CVE-2006-2451 which was fixed in
Debian's 2.6.18 before etch released. I tried the exploit you provided
just to be sure, and it does not succeed on the latest etch kernel
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact email@example.com