[security] Local Root Exploit for Kernel 2.6.21! - Slackware


Thread: [security] Local Root Exploit for Kernel 2.6.21!

  1. [security] Local Root Exploit for Kernel 2.6.21!

    Hello,

    there is a local root exploit available, which allows getting root
    access on any Slackware multiuser system!

    To fix this hole, you have to compile kernel 2.6.24.2 on your own. You
    may use "make oldconfig" to copy the kernel configuration of the
    official Slackware kernel.

    Exploits:
    http://www.milw0rm.com/exploits/5092
    http://www.milw0rm.com/exploits/5093

    CU

    Manuel


  2. Re: [security] Local Root Exploit for Kernel 2.6.21!

    Why the hell do you post the exploits?


    Manuel Reimer wrote:
    > Hello,
    >
    > there is a local root exploit available, which allowes to get root
    > access on any Slackware multiuser system!
    >
    > To fix this hole, you have to compile kernel 2.6.24.2 on your own. You
    > may use "make oldconfig" to copy the kernel configuration of the
    > official Slackware kernel.
    >
    > Exploits:
    > http://www.milw0rm.com/exploits/5092
    > http://www.milw0rm.com/exploits/5093
    >
    > CU
    >
    > Manuel
    >



    --
    Say what you like, I was no petty hoodlum like the others.
    (Rocky)

  3. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On Mon, 11 Feb 2008 12:56:30 +0100, Manuel Reimer wrote:

    >Hello,
    >
    >there is a local root exploit available, which allowes to get root
    >access on any Slackware multiuser system!
    >
    >To fix this hole, you have to compile kernel 2.6.24.2 on your own. You
    >may use "make oldconfig" to copy the kernel configuration of the
    >official Slackware kernel.


    Linux kernels 2.6.23.16 and 2.6.22.18 also have the fix.

    See: http://www.kernel.org/pub/linux/kernel/v2.6/?C=M&O=D for the latest
    kernel patches.

    Grant.
    --
    http://bugsplatter.mine.nu/
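A quick version check against the fixed releases the thread names (2.6.24.2 in the first post, 2.6.22.18 and 2.6.23.16 in Grant's reply), added here as an illustration and not code from the thread or from Slackware. It assumes those three releases are the first fixed ones in their branches and reads the version from uname -r, so a 2.6.21.5 kernel patched by hand (as a later post describes) still reports its old version and is flagged as not covered.

```shell
#!/bin/sh
# Added illustration, not from the thread. Reports whether a kernel
# version string (default: uname -r) is at or above the first release
# in its 2.6.x branch that the thread names as carrying the fix.
# Assumption: those releases are exactly 2.6.22.18, 2.6.23.16 and
# 2.6.24.2; a 2.6.21.5 kernel with the patch applied by hand still
# reports the old version and is reported here as "not covered".

# First fixed release for a major.minor.patch branch, or nothing if the
# thread names none for that branch.
fixed_release_for_branch() {
    case "$1" in
        2.6.22) echo 2.6.22.18 ;;
        2.6.23) echo 2.6.23.16 ;;
        2.6.24) echo 2.6.24.2 ;;
        *)      echo "" ;;
    esac
}

# Component-wise numeric compare of two dotted versions; prints -1, 0
# or 1 so that 2.6.24.2 sorts above 2.6.24 and below 2.6.24.10.
compare_versions() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x:-0}"; y="${y:-0}"       # missing component counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit status: 0 = at or above the fixed release, 1 = below it,
# 2 = branch not covered by the thread (check kernel.org instead).
kernel_has_fix() {
    v="${1%%-*}"                                  # drop -smp and similar
    branch="$(printf '%s\n' "$v" | cut -d. -f1-3)"
    fixed="$(fixed_release_for_branch "$branch")"
    [ -n "$fixed" ] || return 2
    if [ "$(compare_versions "$v" "$fixed")" -ge 0 ]; then
        return 0
    fi
    return 1
}

report() {
    rc=0
    kernel_has_fix "$1" || rc=$?
    case "$rc" in
        0) echo "$1: at or above the fixed release for its branch" ;;
        1) echo "$1: below the fixed release, patch or upgrade" ;;
        *) echo "$1: branch not covered here, check kernel.org" ;;
    esac
}

report "${1:-$(uname -r)}"
```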

  4. Re: [security] Local Root Exploit for Kernel 2.6.21!

    Grant wrote:
    > Linux kernels 2.6.23.16 and 2.6.22.18 also have the fix.


    > See: http://www.kernel.org/pub/linux/kernel/v2.6/?C=M&O=D for the latest
    > kernel patches.


    Interesting. Thanks for this info.

    Unfortunately it's not easy to find out which kernels are still
    supported. In this case, it would be a possible solution to update
    Slackware 12.0 to kernel 2.6.22.18.

    CU

    Manuel


  5. Re: [security] Local Root Exploit for Kernel 2.6.21!

    ciol wrote:
    > Why the hell do you post the exploits?


    Why not? A big German publisher (heise.de) had those links on their
    ticker. At least most of the German IT people should know those
    exploits now.

    The goal of this posting is to show that the kernel which is the current
    stable kernel of Slackware 12.0 is insecure.

    Maybe it would be a good idea to restart something like "slacksec.info",
    to publish "unofficial" security patches...

    CU

    Manuel


  6. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On Mon, 11 Feb 2008 23:11:17 +1100, Grant wrote:

    >On Mon, 11 Feb 2008 12:56:30 +0100, Manuel Reimer wrote:
    >
    >>Hello,
    >>
    >>there is a local root exploit available, which allowes to get root
    >>access on any Slackware multiuser system!
    >>

    ....
    >Linux kernels 2.6.23.16 and 2.6.22.18 also have the fix.


    Hmm, it appears the 2.6.22.18 patch may be borked (it doesn't remove the
    problem code as in the other kernel version patches); I'm running 2.6.23.16
    here, as 2.5.24.2 is a bit too new for my liking...

    Grant.
    --
    http://bugsplatter.mine.nu/

  7. Re: [security] Local Root Exploit for Kernel 2.6.21!

    ciol wrote:
    > Why the hell do you post the exploits?
    >
    >
    >



    well, I got the exploits from a link on /. yesterday, so this isn't
    exactly an unknown thing anymore.

    Ray

  8. Re: [security] Local Root Exploit for Kernel 2.6.21!

    mreimer@expires-29-02-2008.news-group.org wrote:
    > Grant wrote:
    >> Linux kernels 2.6.23.16 and 2.6.22.18 also have the fix.

    >
    >> See: http://www.kernel.org/pub/linux/kernel/v2.6/?C=M&O=D for the latest
    >> kernel patches.

    >
    > Interesting. Thanks for this info.
    >
    > Unfortunately it's not easy to find out, which kernels are still
    > supported. In this case, it would be a possible solution to update
    > Slackware 12.0 to kernel 2.6.22.18.


    I applied the patch to my 2.6.21.5-smp kernel from Slackware 12.0 today
    and it does apply and 'fixes' the problem. (That is, the exploit works
    before, and does not work after.)

    The patch I used is from the Linux Kernel mailing list, here:
    http://marc.info/?l=linux-kernel&m=120271504513333&w=2

    So no, you do not have to move to a newer kernel version if you don't want
    to.

  9. Re: [security] Local Root Exploit for Kernel 2.6.21!


    ljb wrote :

    > So no, you do not have to move to a newer kernel version if you don't want
    > to.


    There are patched kernels out for Slackware 12; see the ChangeLog.
    --
    Thomas O.

    This area is designed to become quite warm during normal operation.

  10. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On Tue, 12 Feb 2008, Thomas Overgaard wrote:

    > There's patched kernels out for Slackware 12, see the ChangeLog.


    Since it's a 'local' exploit only, it's not so critical, unless you run
    a shell server or net cafe/kiosk style setup where you don't know the
    people accessing your boxes.

    Real servers do not allow telnet, do not allow anyone but sys admins
    access to ssh, and are properly ACL'd on border routers and so on; real
    servers are locked down so things like scripts on webservers etc. can't do
    any harm to the system, and if it's your personal desktop, what are you
    going to do, r00t it yourself through sheer boredom?

    I agree they need addressing, but it's not incident critical if you take
    normal precautions.

    local exploits = minimal risk
    remote = high risk


    --
    Cheers
    Res

    mysql> update auth set Framed-IP-Address='127.0.0.127' where user= 'troll';

  11. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On 2008-02-12, Res wrote:
    > Since its a 'local' exploit only, it's no so critical, unless you run
    > a shell server or net cafe/kiosk style setup where you dont know the
    > people accessing your boxes.


    If you run any kind of sshd you are certainly vulnerable, even if you're
    the only user. Of course, the more users you have, the more you are at
    risk for having one of your accounts cracked.

    > Real servers do not allow telnet, do not allow anyone but sys admins
    > access to ssh,


    This is of course completely untrue. How would one work remotely
    otherwise? IPSec is one option, but how many of your users are going to
    go through that much trouble?

    > local exploits = minimal risk


    It's not minimal, it's probably medium. Minimal risk is something like
    "can degrade performance slightly". (Yes, it is minimal risk if you
    have no local users.)

    --keith


    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me)
    AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


  12. Re: [security] Local Root Exploit for Kernel 2.6.21!

    Res wrote:
    > Since its a 'local' exploit only, it's no so critical, unless you run
    > a shell server or net cafe/kiosk style setup where you dont know the
    > people accessing your boxes.


    Any hole is critical. That's also the problem I see with the "only
    patch a minimum" philosophy behind Slackware.

    Anything in Slackware is absolutely great, but I don't like the patch
    management.

    For example, I still wait for an update for xine-lib and I *don't*
    understand why there is no update for SeaMonkey so far. In the past,
    they updated web applications pretty fast...

    I still think it would be great to restart something like
    "slacksec.info" as an alternative source for security patches.

    > Real servers do not allow telnet, do not allow anyone but sys admins
    > access to ssh, and properly ACL'd on border routers and so on, real
    > servers are locked down so things like scripts on webserves etc cant do
    > any harm to the system, and if its your personal desktop, what are you
    > going to do, r00t it yourself through shear boredom?


    What about a small mistake while programming a CGI script? What if this
    script allows a remote attacker to run shell commands? Wouldn't it be
    nice if the attacker were only able to run his commands with the rights
    of the "apache" user, which usually is able to do nearly nothing on the
    system?

    Another example of an unpatched hole in Slackware: the holes which
    have been fixed in SeaMonkey 1.1.8 include some which allow
    running JavaScript code in the "chrome" context. So it should be easy to
    run nearly any command with the rights of the user currently logged in.
    With the exploit which exists for this kernel hole, it would even be
    possible to get root privileges.

    CU

    Manuel


  13. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On Tue, 12 Feb 2008, Keith Keller wrote:

    >> Real servers do not allow telnet, do not allow anyone but sys admins
    >> access to ssh,

    >
    > This is of course completely untrue. How would one work remotely
    > otherwise? IPSec is one option, but how many of your users are going to
    > go through that much trouble?



    Bull****, if you don't restrict access to it, you deserve everything you
    get.

    and it's simple, if one works remotely one has their IP in an ACL, and only
    those in a position of trust will ever get that privilege.

    >>> local exploits = minimal risk


    --
    Cheers
    Res

    mysql> update auth set Framed-IP-Address='127.0.0.127' where user= 'troll';

  14. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On Wed, 13 Feb 2008, Manuel Reimer wrote:

    > Any hole is critical. That's also the problem, I see with the "only patch a
    > minimum" philosophy behind Slackware.


    not really, a machine that has no public access and is completely
    protected can run a 1.0.1 kernel and be completely safe from these
    lifeless turdfaced script kiddies, it's not just a case of server
    management, it's also network management, it's trivial on a Juniper or even a
    Cisco to create an ACL for your main servers that protects them from
    lowlifes


    > understand, why there is no update for SeaMonkey, so far. In the past, they


    Let me see...

    ~$ cd /var/ftp/pub/MIRRORS/slackware/slackware-12.0/patches/packages
    ~$ ls |grep seamonkey | grep 1.1.8

    seamonkey-1.1.8-i486-1_slack12.0.tgz
    seamonkey-1.1.8-i486-1_slack12.0.tgz.asc
    seamonkey-1.1.8-i486-1_slack12.0.txt

    .......now browsing mozilla.org, that claims 1.1.8 is current...


    > I still think, it would be great to restart something like "slacksec.info" as
    > an alternative source for security patches.


    No, I disagree, Slackware has very few problems *because* only a select
    few people have the right to issue packages, that includes security
    updates, I would have less faith in Slackware if 'any ol clown' could
    contribute to this, FFS look at the mess they call fedora, that is reason
    enough NOT to let unknown and untrusted people mess with the distro.


    > What about a small mistake while programming an CGI script? What if this
    > script allowes a remote attacker to run shell commands? Wouldn't it be nice,
    > if the attacker only is able to run his commands with the rights of the
    > "apache" user, which usually is able to do nearly nothing on the system?


    Users get their own system UID, 710 perms (group apache needs to access
    it after all lol), only ftp access via database, no /etc/passwd shell access,
    suexec and tightened php, of course I know it's not foolproof, but it's stopped
    the lame little turds for many years so far, any damage that might occur
    is only going to be to a single host that runs crap that allows
    people to take control of their site, like phpnuke, if they run it they
    deserve what they get


    --
    Cheers
    Res

    mysql> update auth set Framed-IP-Address='127.0.0.127' where user= 'troll';

  15. Re: [security] Local Root Exploit for Kernel 2.6.21!

    Res wrote:
    > not really, a machine that has no public access and is completely
    > protected can run a 1.0.1 kernel and be completely safe from these
    > lifeless turdfaced script kiddies, its not just a case of server
    > management, its also network managment, its trivial on a Juniper or
    > even a Cisco to create an ACL for your main servers that protect them
    > from lowlifes


    Any machine, connected in any way to the internet, may be attacked.

    If you run a web server, then you have to open port 80 to the outside
    and anyone may attack you by holes in the apache server or in your CGI
    scripts.

    If you just surf the web, then bad sites may exploit holes in your
    browser.

    > Let me see...


    > ~$ cd /var/ftp/pub/MIRRORS/slackware/slackware-12.0/patches/packages
    > ~$ ls |grep seamonkey | grep 1.1.8


    > seamonkey-1.1.8-i486-1_slack12.0.tgz
    > seamonkey-1.1.8-i486-1_slack12.0.tgz.asc
    > seamonkey-1.1.8-i486-1_slack12.0.txt


    > .......now broswing mozilla.org, that claim 1.1.8 is current...


    The update came this morning, but SeaMonkey 1.1.8 has been available since
    08.02.2008.

    > No, I disagree, Slackware has very little problems *because* only a
    > select few people have the right to issue packages, that includes
    > security updates, I would have less faith in Slackware if
    > 'any ol clown' could contribute to this, FFS look at the mess they call
    > fedora, that is reason enough NOT to let unknown and untrusted people
    > mess with the distro.


    I don't talk about contributions to Slackware itself. The "alternative
    source" of security packages would have to be located as a separate
    project. Not everyone would need those updates. For many people the
    official updates will do just right. The "alternative updates project"
    would be for those who want a bit more security by patching *any* hole
    that gets published. Maybe with a small auto-updater anyone may use to
    auto-fetch the updates.

    CU

    Manuel

    --
    Surveillance state soon to become reality? Act now! www.stasizwopunktnull.de
    The last voice one hears before the world ends will be that of an
    expert assuring that this is not possible at all.

  16. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On Wed, 13 Feb 2008, Manuel Reimer wrote:

    > Any machine, connected in any way to the internet, may be attacked.


    it may be attacked, but a well protected server will fend it off
    >
    > If you run a web server, then you have to open port 80 to the outside and
    > anyone may attack you by holes in the apache server or in your CGI scripts.


    the same goes for any daemon, though the risks of apache being the problem
    will be low, and CGI scripts? please read what I said, a well set up
    apache server may have a clueless idiot host run a braindead cgi, however
    they won't get any further than that host's directory, therefore the server
    is not r00ted, only that idiotic host has the capability to have its files
    defaced or replaced or just deleted, any sys admin knows how to do this
    correctly, there are also other protection factors that come into it and
    as I said at worst any running programs will only run as that user so can
    not do any damage to the server, have you any idea on how to run a hosting
    network? I doubt it from your comments thus far.

    > If you just surf the web, then bad sites may exploit holes in your browser.


    so, you surf the web as root eh? You don't take other precautions either eh?

    >
    >> Let me see...

    >
    >> ~$ cd /var/ftp/pub/MIRRORS/slackware/slackware-12.0/patches/packages
    >> ~$ ls |grep seamonkey | grep 1.1.8

    >
    >> seamonkey-1.1.8-i486-1_slack12.0.tgz
    >> seamonkey-1.1.8-i486-1_slack12.0.tgz.asc
    >> seamonkey-1.1.8-i486-1_slack12.0.txt

    >
    >> .......now broswing mozilla.org, that claim 1.1.8 is current...

    >
    > The update came this morning, but SeaMonkey 1.1.8 is available since
    > 08.02.2008.


    4 days, which includes a weekend? oh how bad, so sorry, Slackware are very
    very bad, they should have released it 15 seconds after mozilla released
    it *siiiiiiiiiiiiiiiiiggggggghhhhhh*


    ah well, it's time for bed....

    --
    Cheers
    Res

    mysql> update auth set Framed-IP-Address='127.0.0.127' where user= 'troll';

  17. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On 2008-02-13, Manuel Reimer wrote:
    >
    > I don't talk about contributions to Slackware itself. The "alternative
    > source" of security packages would have to be located as separate
    > project. Not anyone would need those updates. For many people the
    > official updates will do just right. The "alternative updates project"
    > would be for those who want a bit more security by patching *any* hole
    > that gets published. Maybe with an small auto updater anyone may use to
    > auto-fetch the updates.



    IOW, instead of an occasional *known* hole (usually of minimal impact or
    something that is easily worked around or mitigated) that takes a week or
    so for official updates to post (along with the assurance that the update
    has actually been tested), you seem to be proposing a third party package
    made by someone with no affiliation with Slackware at all. For those who
    haven't made the connection, that's a transition from *known* issues to
    *unknown* issues.

    So many of the "security" bugs that arise are of questionable impact.
    That's not to say that they're not issues - they clearly are - but when
    a potential vulnerability does not have published exploit code, and/or the
    maintainers of the software say that the potential exploit condition is
    controlled in other parts of the code (before the input/whatever even
    reaches the "vulnerable" part), and/or the "fix" breaks everything that
    links against the "vulnerable" library (which means that you have to
    choose from "security" or "usability"), then hard decisions have to be
    made. It's easy for you and various others to whine on public forums
    about security issues not being addressed in a timely manner, but until
    you've had to make some of those "hard decisions" and then live with the
    consequences they cause on your entire user community, then I dare say
    you shouldn't be quite so vocal.

    -RW

    ** This post is just *my* opinion - nothing should be construed as
    an official statement. **


  18. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On 2008-02-13, Res wrote:
    > On Tue, 12 Feb 2008, Keith Keller wrote:
    >
    >>> Real servers do not allow telnet, do not allow anyone but sys admins
    >>> access to ssh,

    >>
    >> This is of course completely untrue. How would one work remotely
    >> otherwise? IPSec is one option, but how many of your users are going to
    >> go through that much trouble?

    >
    >
    > Bull****, if you dont restrict access to it, you deserve everything you
    > get.
    >
    > and its simple, if one works remotely one has their IP in an ACL, and only
    > those in postion of trust will ever get that privilidge.
    >
    >>>> local exploits = minimal risk



    While I understand what Keith is saying, I'm largely in agreement with Res
    on this. For home users, this local kernel exploit is simply a non-issue,
    and anyone saying otherwise should probably be referred to as Chicken Little.
    ** okay, maybe a *few* home users, but you get the point ** :-)

    For mission-critical servers and such, only admins will generally have ssh
    or console access anyway, so again, it's a non-issue.

    For ISP's, universities, and other such entities that have untrusted users
    with accounts on a box, this is very much an issue. Those people, however,
    were not here fussing - they were busy fixing their boxes to prevent the
    exploit from affecting them (more).

    -RW

  19. Re: [security] Local Root Exploit for Kernel 2.6.21!

    On Wed, 13 Feb 2008 14:47:10 +0100, Manuel Reimer wrote:

    >> seamonkey-1.1.8-i486-1_slack12.0.tgz
    >> seamonkey-1.1.8-i486-1_slack12.0.tgz.asc
    >> seamonkey-1.1.8-i486-1_slack12.0.txt


    > The update came this morning, but SeaMonkey 1.1.8 is available since
    > 08.02.2008.


    Ooooooh, a whole 5 days! Or was it 4?

    Wow, the sky could have fallen in that much time, right?

    If you're that worried about it, why didn't you download the source and
    compile it yourself, the moment it was released?


    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me".


  20. Re: [security] Local Root Exploit for Kernel 2.6.21!

    Robby Workman writes:

    >For ISP's, universities, and other such entities that have untrusted users
    >with accounts on a box, this is very much an issue. Those people, however,
    >were not here fussing - they were busy fixing their boxes to prevent the
    >exploit from affecting them (more).


    As one such person, I can attest that that's exactly what I was doing on
    Monday night. :-/

    In my case I used 2.6.24.2 direct from kernel.org, but the Slackware
    patch had already been released by then.

    - Steven
    ________________________________________________________________________
    Steven Winikoff |
    Concordia University | "If at first you don't succeed,
    Montreal, QC, Canada | transform your data set."
    smw@alcor.concordia.ca |
    http://alcor.concordia.ca/~smw | - fortune(6)
