Date: Mon, 29 Mar 2004 20:10:29 +0000
From: stealth <stealth@...fault.net>
To: spender@...ecurity.net
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: systrace silently patches full local bypass vulnerability on Linux


On Sat, Mar 27, 2004 at 04:01:03PM -0500, spender@...ecurity.net wrote:

Hi,

I am not aware of the things happening beforehand (e.g. the flamewar)
i think I have to comment some parts in this mail.

I wont take part of the flamewar systrace vs. gr or alike,
both parties have excellent programming skills and its sad enough
it always goes this way.

I have been IRCing and mailing with spender regarding
grsecurity and hardening patches for the Linux kernel for quite
a while (> 1 year) now, and we discussed a lot of possible
vulnerabilities in chroot implementations, systrace, LIDS and,
ofcorse, some older versions of grsecurity. I have been writing
a paper regarding such topics for the DIMVA conference.
So far for the background...

[...]
> 	attempt to hide an exploitable vulnerability that has been 
> 	known in the blackhat community ever since systrace was 
> 	released for Linux (almost two years now), Marius and Niels will 
> 	instead try to attack my character, misspell my name, claim 
> 	that I found the bug by diffing, or anything else that will 
> 	take the attention off of this bug.  In fact, I know of several
> 	others that have discovered this bug independently, who I hope 
> 	will respond to this advisory and give weight to my claim if 
Yes, this bug (ptrace-bypass) is known for quite a while, we have discussed
this since ages, and a proof of concept exploit exists.
At least I have written my
own one which reads out /etc/passwd even if it is forbidden. It has
no meaning other than proving that the entry.S code is wrong.
I found the entry.S bug rather trivial and since nobody seemed
to use the Linux port of systrace anyway (and only this has been
tested by me) I put this "exploit" into my dusty box.

[...]
> 	There are protection bypass vulnerabilities in:
> 	LIDS
Indeed. With some minor modifications of the lids-hack.tgz
published years ago its still possible to exploit LIDS, but
I didnt got newer versions of LIDS working (crashes here and there,
and the admin tool produces wrong configs) so I was just pissed
about it and did no further research. I included a short example of
How to bypass LIDS in my DIMVA submission.

> 	There were also recently several scathing comments made by 
> 	Russell Coker, an employee of RedHat.  Some background info on 
> 	Russell: he's from Australia, he's not used to IRC, he can't 
> 	name any blackhats off-hand, and somehow he's a (self-titled?) 
> 	security expert and wants everyone to use SELinux.  I had made 
> 	the claim in a channel that the Debian SELinux test box was 
> 	owned by stealth due to a configuration error.  It turned out 
> 	that stealth had not owned the Debian SELinux test box, and 
> 	Russell Coker certainly made everyone aware of this.  What he 
> 	of course failed to mention (and that he was knowledgeable 
> 	of, as I was CC'd on the mails) was that stealth did own an 
> 	SELinux test machine some time back in Australia due to a 
> 	configuration error.  My mistake was believing that there was 
I was proving a SELinux box to have a wrong configuration
on the ph-neutral conference last year in Berlin. The machine
was a "hackme" box from Tom and everyone could give it a try at that time.
Since the config was broken it was not very difficult to install
trojans etc. I have discussed this with Tom, and there was no problem at all.
It was not in Australia though, but in Berlin, but thats rather unimportant
and I can understand spender if he confuses this a bit after all the
strange stuff going on. The SE box from Russel has pretty good
config and it looks like he knows what he's doing with SE. However,
if a hackme box doesnt get owned, it means nothing of corse.

I hope you will continue your great work on Grsecurity, Brad. Who
cares which hat you wear while doing so?

Stealth

Powered by blists - more mailing lists