>From suter Tue Oct 23 20:34:28 2001
Return-Path: <owner-general at lists.humbug.org.au>
Received: from diadora.client.uq.net.au (IDENT:root at diadora-2 [10.0.1.2])
by zwitterion.humbug.org.au (8.12.1/8.12.1/Debian -2) with ESMTP id f9NAYSpU024246
for <suter at zwitterion.humbug.org.au>; Tue, 23 Oct 2001 20:34:28 +1000
Received: from caliburn.humbug.org.au (caliburn.humbug.org.au [203.15.51.6])
by diadora.client.uq.net.au (8.12.1/8.12.1/Debian -2) with ESMTP id f9NAYRXq022277
for <suter at zwitterion.humbug.org.au>; Tue, 23 Oct 2001 20:34:27 +1000
Received: from mdlishum by caliburn.humbug.org.au with local (Exim 3.03 #1)
id 15uNNL-000IvF-00
for general-outgoing at lists.humbug.org.au; Fri, 19 Oct 2001 10:18:59 +1000
Received: from [139.130.74.232] (helo=blake.timetraveller.org)
by caliburn.humbug.org.au with esmtp (Exim 3.03 #1)
id 15uNNF-000Iuw-00
for general at humbug.org.au; Fri, 19 Oct 2001 10:18:53 +1000
Received: from avon.timetraveller.org (robert at avon.timetraveller.org [203.46.133.200])
by blake.timetraveller.org (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id KAA12612
for <general at humbug.org.au>; Fri, 19 Oct 2001 10:12:31 +1000
Date: Fri, 19 Oct 2001 10:11:26 +1000 (EST)
From: Robert Brockway <robert at timetraveller.org>
To: HUMBUG General List <general at humbug.org.au>
Subject: [H-GEN] RE: Flaws in recent Linux kernels (fwd)
Message-ID: <Pine.LNX.3.96.1011019101116.4403U-100000 at avon.timetraveller.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-general at lists.humbug.org.au
Precedence: bulk
Reply-To: general at lists.humbug.org.au
X-Loop: general at lists.humbug.org.au
List-Help: <mailto:majordomo at lists.humbug.org.au?subject=help>
List-Post: <mailto:general at lists.humbug.org.au>
List-Subscribe: <mailto: general-request at lists.humbug.org.au?subject=subscribe>
List-Id: semi-serious discussions about Humbug and Unix-related topics <general at lists.humbug.org.au>
List-Unsubscribe: <mailto: general-request at lists.humbug.org.au?subject=unsubscribe>
List-Archive: <http://archive.humbug.org.au/humbug-general/>
Status: RO
Content-Length: 3315
Lines: 83
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
More info
Rob
-- Robert Brockway B.Sc. email: robert at timetraveller.org ICQ: 104781119
Linux counter project ID #16440 (http://www.li.org)
blake: up 4 days, 17:01, 3 users, load average: 0.00, 0.00, 0.00
"The earth is but one country and mankind its citizens" -Baha'u'llah
---------- Forwarded message ----------
Date: Thu, 18 Oct 2001 12:51:24 -0700
From: Demitrious Kelly <apokalyptik at apokalyptik.com>
To: bugtraq at securityfocus.com
Subject: RE: Flaws in recent Linux kernels
The description of the second problem is accurate, but I don't think the
assessment of the kernels which can or cannot be affected by this exploit
is... I'm using a newly compiled kernel Linux 2.4.12-grsec-1.8.3.
( Linux 2.4.12 with the Grsecurity Patch
http://www.grsecurity.net/features.htm )
# /* begin shell session */
[12:52:11][apokalyptik at home:~]: ./epcs_ptrace_attach_exploit
bug exploited successfully.
enjoy!
sh-2.05$
# /* end shell session */
-- Demitrious S. Kelly
-----Original Message-----
From: Rafal Wojtczuk [mailto:nergal at 7bulls.com]
Sent: Thursday, October 18, 2001 10:36 AM
To: bugtraq at securityfocus.com
Subject: Flaws in recent Linux kernels
II. Root compromise by ptrace(3)
In order for this flaw to be exploitable, /usr/bin/newgrp must be
setuid root and world-executable. Additionally, newgrp, when run with no
arguments, should not prompt for password. These conditions are satisfied
in case of most popular Linux distributions (but not Openwall GNU/*/Linux).
Suppose the following flow of execution (initially, Process 1 and
Process 2 are unprivileged):

Time   Process 1                                    Process 2
0      ptrace(PTRACE_ATTACH, pid of Process 2,...)
1      execve /usr/bin/newgrp
2                                                   execve /any/thing/suid
3      execve default user shell
4      execve ./insert_shellcode
The unexpected happens at moment 2. Process 2 is still traced, execve
/any/thing/suid succeeds, and the setuid bit is honored! This is so
because
1) the property of "having a ptrace-attached child" survives the execve
2) at moment 2, the tracer (process 1) has CAP_SYS_PTRACE set (well, has all
root privs), therefore it is allowed to trace even execve of setuid binary.
In moment 3, newgrp executes a shell, which is a usual behavior.
This shell is still able to control the process 2 with ptrace. Therefore,
the "./insert_shellcode" binary is able to insert arbitrary code into the
address space of Process 2. Game over.
2.4.12 kernel fixes both presented problems. The attached patches,
2.2.19-deep-symlink.patch and 2.2.19-ptrace.patch, both blessed by Linus,
can be used to close the vulnerability in 2.2.19. The (updated)
Openwall GNU/*/Linux kernel patches can be retrieved from
http://www.openwall.com/linux/
Note that the default Owl installation is not vulnerable to the ptrace bug
described.
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.