CRC Tux's lil' helper
Joined: 30 Mar 2003 Posts: 90 Location: Dallas, TX, USA
Posted: Sun Mar 30, 2003 2:54 am Post subject: Linux Ptrace Exploit
The recent Gentoo security alert about this exploit says that it is not remotely accessible. This is not entirely true. Many systems allow FTP access to update a website. If that website has CGI access, you effectively have a remote user. It's very easy to compile an exploit to take advantage of this security hole, and upload it to a web site via FTP with a little Perl wrapper that gives you a web-based shell. It only took me about 15 minutes to do it.
Also, the version of this exploit that I have makes itself SUID ROOT as soon as it runs. This means that even after you patch your kernel, you better make sure this thing isn't on your system already, because it will continue to run. I'd suggest you use find or something to make a list of all your SUID ROOT files.
That said, the grsecurity option in the Gentoo kernels WILL prevent you from being exploited. However, it also leaves the attacking application spinning in a deadlock eating up CPU, but you already have "ulimit" set on your users to stop this from being an issue, and Nagios or something set to notify you when an application is eating up all your idle time, right?
-- Evan
_________________
Unix/Linux Consulting & Hosting
We Support Gentoo!
http://CoolRunningConcepts.com
Freenode: Taro!
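The SUID ROOT inventory suggested in the post, as an added example that is not part of the original post: it lists setuid files with `find` and diffs the result against a saved baseline so a file that appeared later stands out. The function names `list_suid` and `new_suid` and the baseline path in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inventory setuid files and report ones missing from a baseline.
# Limitation: paths containing newlines are not handled (one path per line).

# list_suid ROOT [OWNER]
#   Print every regular file under ROOT that has the setuid bit set and is
#   owned by OWNER (default: root). -xdev keeps find on one filesystem, so
#   run it once per mounted filesystem you care about.
list_suid() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null |
        LC_ALL=C sort
}

# new_suid ROOT BASELINE [OWNER]
#   Print setuid files under ROOT that are NOT listed in BASELINE, a file
#   previously written by list_suid. Anything printed here appeared (or
#   gained the setuid bit) after the baseline was taken.
new_suid() {
    list_suid "$1" "$3" | LC_ALL=C comm -23 - "$2"
}

# Typical use, as root (the baseline path is a placeholder):
#   list_suid / > /root/suid.baseline      # on a system you trust
#   new_suid / /root/suid.baseline         # later, e.g. from cron
```

Take the baseline on a system known to be clean and keep it somewhere an unprivileged user cannot modify.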