Message-ID: <a394e3d90607131634x612f27adw3457d43e20b4aec2@mail.gmail.com>
Date: Fri Jul 14 00:34:12 2006
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround

On 7/13/06, lars brun nielsen <lbn@...bon14.dk> wrote:
> hi,
>
> setting 750 on /etc/cron.* would stop this exploit

Incorrect. Did you even try this on ONE vulnerable box? The
vulnerability exists BECAUSE the kernel doesn't enforce directory
permissions when writing a core dump.

Next time try testing your workarounds, or quoting workarounds from
vendors. This helps ensure that the advice you give people actually
works. What you should've suggested is:

a) modifying /proc/sys/kernel/core_pattern to cause coredumps to go to
an absolute location:

    echo 0 >/proc/sys/kernel/core_uses_pid
    echo /dev/null >/proc/sys/kernel/core_pattern

b) marking the directory used by the exploit immutable:

    chattr +i /etc/cron.d

That prevents you from writing to that directory, but can be easily
undone if for some reason you need to:

    chattr -i /etc/cron.d

If you actually bothered to read ANY of the vendor advisories on this
issue, you'd know why. The vulnerability exists because the kernel
DOES NOT VERIFY write permissions to core dump directories. If your
users actually have write permissions to /etc/cron.d, do the world a
favor and disconnect from the internet as soon as humanly possible.

Thank you.
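
A check that workarounds (a) and (b) from the message above are actually in place on a host, as an added example that is not part of the original post or of any vendor advisory. The function names and the `--audit` switch are assumptions made for this sketch; the `lsattr -d` output format it parses is the standard attribute-field-then-path line.

```shell
#!/bin/sh
# Added example: audit the two workarounds (core_pattern, chattr +i).

# Classify a core_pattern value by where the kernel would write the dump.
classify_core_pattern() {
    case "$1" in
        /*)  echo absolute ;;  # fixed location, independent of the process cwd
        \|*) echo pipe ;;      # piped to a helper program (newer kernels)
        *)   echo relative ;;  # written into the crashing process's cwd
    esac
}

# check_core_settings PATTERN_FILE USES_PID_FILE
# Returns 0 only when dumps cannot land in the crashing process's cwd.
check_core_settings() {
    pattern=$(cat "$1") || return 2
    uses_pid=$(cat "$2") || return 2
    kind=$(classify_core_pattern "$pattern")
    if [ "$kind" = relative ]; then
        echo "FAIL core_pattern='$pattern' is relative to the cwd"
        return 1
    fi
    # With core_uses_pid set and no %p in an absolute pattern, the kernel appends
    # .PID, so /dev/null becomes /dev/null.<pid> rather than discarding the dump.
    if [ "$kind" = absolute ] && [ "$uses_pid" != 0 ]; then
        case "$pattern" in
            *%p*) ;;
            *) echo "WARN core_pattern='$pattern' gets a .PID suffix"; return 0 ;;
        esac
    fi
    echo "OK core_pattern='$pattern' ($kind)"
}

# has_immutable_flag LSATTR_LINE: true if the attribute field contains 'i'.
has_immutable_flag() {
    case "${1%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}

check_immutable() {
    line=$(lsattr -d "$1" 2>/dev/null) || { echo "SKIP lsattr failed on $1"; return 2; }
    if has_immutable_flag "$line"; then echo "OK $1 is immutable"
    else echo "FAIL $1 is not immutable"; return 1; fi
}

# Run against the live system only when asked to (hypothetical --audit switch).
if [ "${1:-}" = "--audit" ]; then
    check_core_settings /proc/sys/kernel/core_pattern /proc/sys/kernel/core_uses_pid
    check_immutable /etc/cron.d
fi
```

The `/proc/sys/kernel` settings do not survive a reboot, so a check like this is worth rerunning after one.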