Open Source and information security mailing list archives
Message-ID: <20030319084247.A27644@spisa.act.uji.es>
From: luna at aditel.org (Jose Carlos Luna Duran)
Subject: ptrace exploit workaround

On Tue, Mar 18, 2003 at 11:57:25PM +0100, Juraj Bednar <juraj@...nar.sk> wrote:
> Hi,
> 
> 
>     while waiting for kernel compilations from Debian (and while waiting
>     for my kernel compilations to finish), I coded a single module,
>     which acts as a workaround for one particular exploit I found in one
>     user's homedirectory. 
> 
>     Disclaimer:
> 
>       1.) I don't guarantee, that it will protect you from other
>       exploits (it won't).
> 
>       2.) I guarantee it won't break anything (actually it will break
>       some occasional ptrace situations, but for simple gdb and stuff,
>       this is ok).
> 
>       3.) I don't guarantee it will work. It may freeze your machine.
>       YMMV. 
> 
>       4.) I'm not a linux kernel module coder. If you come up with
>       something better, drop me a note.
> 
>       5.) Against this exploit, simple chmod 700 /proc would suffice
>       (since it wants to open /proc/self/exe). This is somehow cleaner.

Hi Juraj, the exploit you mention is publicly available on a very
well-known site (hack.co.za), so Full-Disclosure readers may want to
take a look at it.
From my point of view, protecting /proc will do nothing: you can
rewrite that exploit without reading /proc in a matter of seconds. It
reads it only to obtain the complete path of the exploit binary,
because its shellcode payload does a chown & chmod on it afterwards.
On the linux-kernel list there was a post on this subject on Monday;
it also shows an alternative patch for 2.4.20 / 2.4.21-pre:

http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html


> 
>       6.) It should unload correctly, if it doesn't freeze your system
>       (see point 3:).
> 
>     Anyway, as a simple workaround, it works for me, so I thought I'd
>     post it; it may help you get through this ugly time.
> 
>     Compilation instructions are in the source comment.
> 
> 
>      J.
> 
> 
> 
> -- 
> Juraj Bednar
> http://www.jurajbednar.com/
> http://juraj.bednar.sk/

Best regards, 

-- 
Jose Carlos Luna Duran  @ UJI
luna@...tel.org / Jose.Carlos.Luna@...n.ch
Office Tel. +41 22 76 71880


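Added example, not code from this thread and not the exploit it discusses: a small C program that resolves its own absolute path two ways, through /proc/self/exe and through argv[0] plus a PATH walk, to show Jose's point that denying /proc does not deny a program the knowledge of where it lives. The function names (self_path_via_proc, self_path_via_argv0) and the fallback PATH string are this example's own assumptions.

```c
/*
 * Added example (not from the original thread): two ways for a program to
 * learn its own absolute path.  Route 1 needs /proc; route 2 does not,
 * which is why "chmod 700 /proc" only stops the lazy version of a program
 * that wants to find itself.  Function names are this example's own.
 */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Route 1: the /proc way discussed in the thread.  Returns -1 when
 * /proc/self/exe cannot be read (absent, or unreadable after a restrictive
 * chmod on /proc for a non-root caller). */
int self_path_via_proc(char *out, size_t outlen)
{
    ssize_t n = readlink("/proc/self/exe", out, outlen - 1);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return 0;
}

/* Route 2: no /proc needed.  If argv[0] contains a slash it is absolute or
 * cwd-relative, so realpath() it directly; otherwise the shell found it on
 * PATH, so walk PATH the same way the shell did.  Returns 0 on success. */
int self_path_via_argv0(const char *argv0, char *out, size_t outlen)
{
    char candidate[PATH_MAX];
    char resolved[PATH_MAX];

    if (strchr(argv0, '/') != NULL) {
        if (realpath(argv0, resolved) == NULL)
            return -1;
        snprintf(out, outlen, "%s", resolved);
        return 0;
    }

    const char *path = getenv("PATH");
    if (path == NULL || *path == '\0')
        path = "/usr/local/bin:/usr/bin:/bin";   /* assumed fallback */

    char *copy = strdup(path);
    if (copy == NULL)
        return -1;

    int rc = -1;
    char *rest = copy;
    char *dir;
    /* strsep keeps empty fields, which in PATH mean the current directory */
    while ((dir = strsep(&rest, ":")) != NULL) {
        if (*dir == '\0')
            dir = ".";
        snprintf(candidate, sizeof candidate, "%s/%s", dir, argv0);
        if (access(candidate, X_OK) == 0 && realpath(candidate, resolved) != NULL) {
            snprintf(out, outlen, "%s", resolved);
            rc = 0;
            break;
        }
    }
    free(copy);
    return rc;
}

int main(int argc, char **argv)
{
    char buf[PATH_MAX];
    (void)argc;

    if (self_path_via_proc(buf, sizeof buf) == 0)
        printf("/proc/self/exe:  %s\n", buf);
    else
        printf("/proc route failed (unreadable or absent)\n");

    if (self_path_via_argv0(argv[0], buf, sizeof buf) == 0)
        printf("argv[0] + PATH:  %s\n", buf);
    else
        printf("argv[0] route failed\n");
    return 0;
}
```

Run it once normally and once with /proc hidden from the user (for instance as an unprivileged user after a root has done chmod 700 /proc, or inside a chroot without /proc): the first route fails, the second keeps working, which is the whole of the objection to relying on /proc permissions against this class of exploit.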