* root shell exploit still working in kernel 2.4.21
From: Thomas Frase @ 2003-06-20 14:29 UTC
To: linux-kernel
hello!
the problem:
i tried an exploit (url given below) with debian woody kernel 2.4.18
and self compiled kernel 2.4.21 resulting in a root shell.
exploit code url: (found via google)
http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
as described in the source the exploit uses the well known ptrace bug
which i thought was fixed in kernel 2.4.21.
i don't know why it still works or how to fix it. i told some people
in #debian.de (quakenet) about the results of the exploit and they
asked me to post a bug report here.
greetings
thomas f.
(germany)
Kernel 2.4.21 infos:
Output from ver_linux:
-------------------------------------------------
Linux xXxXx 2.4.21 #1 SMP Fri Jun 20 14:25:09 CEST 2003 i686 unknown
Gnu C 2.95.4
Gnu make 3.80
util-linux 2.11z
mount 2.11z
modutils 2.4.21
e2fsprogs 1.27
PPP 2.4.1
Linux C Library 2.3.1
Dynamic linker (ldd) 2.3.1
Procps 3.1.9
Net-tools 1.60
Console-tools 0.2.3
Sh-utils 2.0.11
Modules Loaded
-------------------------------------------------
Output from /proc/version:
-------------------------------------------------
Linux version 2.4.21 (root@xXxXx) (gcc version 2.95.4 20011002 (Debian
prerelease)) #1 SMP Fri Jun 20 14:25:09 CEST 2003
-------------------------------------------------

* Re: root shell exploit still working in kernel 2.4.21
From: Rus Foster @ 2003-06-20 14:34 UTC
To: Thomas Frase; +Cc: linux-kernel
On Fri, 20 Jun 2003, Thomas Frase wrote:
> hello!
>
> the problem:
> i tried an exploit (url given below) with debian woody kernel 2.4.18
> and self compiled kernel 2.4.21 resulting in a root shell.
>
Under 2.4.21 delete the binary, recompile it and see if it still happens.
The binary sets itself SUID IIRC
Rgds
Rus
--
www: http://www.65535.net | Hosting - Shell Accounts
MSNM: support@65535.net | Virtual Servers from just $15/mo
e: rghf@65535.net | Community: http://www.65535.org
t: +44 (0) 7092016595 | 10% Donation on every FreeBSD product

* Re: root shell exploit still working in kernel 2.4.21
From: Thomas Frase @ 2003-06-20 14:44 UTC
To: Rus Foster; +Cc: linux-kernel
> Under 2.4.21 delete the binary, recompile it and see if it still happens.
> The binary sets itself SUID IIRC
>
> Rgds
>
> Rus
that was it. sorry i didn't check that first.

* Re: root shell exploit still working in kernel 2.4.21
From: Richard B. Johnson @ 2003-06-20 14:55 UTC
To: Thomas Frase; +Cc: linux-kernel
On Fri, 20 Jun 2003, Thomas Frase wrote:
> hello!
>
> the problem:
> i tried an exploit (url given below) with debian woody kernel 2.4.18
> and self compiled kernel 2.4.21 resulting in a root shell.
>
> exploit code url: (found via google)
> http://isec.pl/cliph/isec-ptrace-kmod-exploit.c
>
> as described in the source the exploit uses the well known ptrace bug
> which i thought was fixed in kernel 2.4.21.
>
> i don't know why it still works or how to fix it. i told some people
> in #debian.de (quakenet) about the results of the exploit and they
> asked me to post a bug report here.
The binary is 4755 (SUID!) What do you expect. Delete it and
recompile from a non-root account.
Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.
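
The replies trace the result to a set-uid (mode 4755) binary left on disk, which can be checked for directly before retesting a patched kernel. The script below is an added example, not part of the original thread; it assumes GNU find and stat, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find set-uid files left in a tree,
# e.g. a home directory where test binaries were built and run.
# Assumes GNU find/stat; function names are hypothetical.

# True if an octal mode string such as 4755 has the set-uid bit (04000).
is_setuid_mode() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# Reads "uid mode path" lines on stdin, prints one finding per set-uid file.
# Root-owned ones are flagged, since executing them grants euid 0.
classify() {
    while read -r uid mode path; do
        is_setuid_mode "$mode" || continue
        if [ "$uid" -eq 0 ]; then
            echo "SUID-ROOT $mode $path"
        else
            echo "suid uid=$uid $mode $path"
        fi
    done
}

# Walks DIR on one filesystem and classifies every regular set-uid file.
# File names containing newlines are not handled.
scan_tree() {
    find "$1" -xdev -type f -perm -4000 \
        -exec stat -c '%u %a %n' {} + 2>/dev/null | classify
}

# Usage: sh suid_audit.sh /home
if [ $# -gt 0 ]; then
    scan_tree "$1"
fi
```

Any SUID-ROOT line under a user-writable tree is a file to remove and rebuild from an unprivileged account before drawing conclusions about the kernel.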