Vulnerability in 2.6.17 kernel

leif_thande · 2006-07-18 23:22:12

Hi there,

A new kernel vulnerability is affecting all 2.6 versions up to 2.6.17-4. Since it's locally exploitable it isn't a real problem for personnal computers but more alarming for servers.

The current Arch kernel is not vulnerable, so like always I encourage you to keep your systems up to date.

user · 2006-07-18 23:39:19

link please

I am using

 > uname -a
Linux arch 2.6.18-rc2 #1 PREEMPT Tue Jul 18 20:11:34 KST 2006 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz GenuineIntel GNU/Linux
 >

soloport · 2006-07-19 00:02:06

user wrote:

I am using:
Linux arch 2.6.18-rc2 #1 PREEMPT Tue Jul 18 20:11:34 KST 2006 i686

Yeah. His post is so 2.6.17...

leif_thande · 2006-07-19 16:31:57

yeah, just figured out I forgot to give the urls. Here they come :

Linux Kernel PROC Filesystem Local Privilege Escalation on SecurityFocus

the exploit

Original message on Full-Disclosure

Have fun !

eWoud · 2006-07-19 18:52:51

[ewoud@aenea:~]$ gcc -o h00lyshit h00lyshit.c
[ewoud@aenea:~]$ ./h00lyshit h00lyshit.c

preparing
trying to exploit h00lyshit.c

sh-3.1$ whoami
ewoud

edit: duh! guess I missed the final sentence of his post

kth5 · 2006-07-19 19:05:17

the vulnerability has long been fixed, ever since .5

leif_thande · 2006-07-20 02:42:31

I guess you refer to 2.6.17.5 , not 2.6.5 . To me 5 days ago is not such a long time ( 2.6.17.5 was released July 14).

JGC · 2006-07-20 06:57:24

To "fix" these bugs with workarounds:

mount -o remount,nosuid /proc
echo /root/core > /proc/sys/kernel/core_pattern

The first one makes sure the coredumps to files with root ownership bug is no longer possible: all files will get dropped in /root/core, not in other locations on the filesystem (assuming /root/core is innocent as cron doesn't scan it).

The 2nd one makes sure you can't make things setuid in /proc, which disables the common exploits that try to make use of it.

These are just workarounds, but if you aren't able to update to the latest kernel, these workarounds should keep scriptkiddies out.

BTW: one of my webservers was hacked back on 14th of july with this one, the same day the kernelpatch for the proc exploit thingy was released.

user · 2006-07-20 07:32:12

That's why plan9 is so gr8.

Gullible Jones · 2006-07-20 18:20:01

Which has what to do with this discussion?

codemac · 2006-07-20 18:33:06

Gullible Jones wrote:

Which has what to do with this discussion?

http://en.wikipedia.org/wiki/Plan_9_fro … bs#.2Fproc

/proc came from Plan9, and user was just reiterating how gr8 that was.

Arch Linux

#1 2006-07-18 23:22:12

Vulnerability in 2.6.17 kernel

#2 2006-07-18 23:39:19

Re: Vulnerability in 2.6.17 kernel

#3 2006-07-19 00:02:06

Re: Vulnerability in 2.6.17 kernel

#4 2006-07-19 16:31:57

Re: Vulnerability in 2.6.17 kernel

#5 2006-07-19 18:52:51

Re: Vulnerability in 2.6.17 kernel

#6 2006-07-19 19:05:17

Re: Vulnerability in 2.6.17 kernel

#7 2006-07-20 02:42:31

Re: Vulnerability in 2.6.17 kernel

#8 2006-07-20 06:57:24

Re: Vulnerability in 2.6.17 kernel

#9 2006-07-20 07:32:12

Re: Vulnerability in 2.6.17 kernel

#10 2006-07-20 18:20:01

Re: Vulnerability in 2.6.17 kernel

#11 2006-07-20 18:33:06

Re: Vulnerability in 2.6.17 kernel

Board footer