From: "Jakob Østergaard" <jakob@unthought.net>
To: Mircea Ciocan <mirceac@interplus.ro>
Cc: Linux Kernel List <linux-kernel@vger.kernel.org>
Subject: Re: Is there something that can be done against this ???
Date: Mon, 13 Aug 2001 21:19:41 +0200
Message-ID: <20010813211941.C32620@unthought.net>
In-Reply-To: <E15WK98-0007gd-00@the-village.bc.nu> <3B7822E5.9AE35D4A@interplus.ro>
In-Reply-To: <3B7822E5.9AE35D4A@interplus.ro>; from mirceac@interplus.ro on Mon, Aug 13, 2001 at 09:56:37PM +0300
On Mon, Aug 13, 2001 at 09:56:37PM +0300, Mircea Ciocan wrote:
> The attached piece of script kiddie shit is the first one that worked
> flawlessly on my Mandrake box :((( ( kernel 2.4.7ac2, glibc-2.2.3 ),
> instant root access !!!.

Try echo "gotcha" > /etc/passwd

It will fail.

Because you don't have root - it just *looks* like it.

The "malicious" code is:

    #include <stdio.h>
    #include <stdlib.h>
    int getuid() { return(0); }
    int geteuid() { return(0); }
    int getgid() { return(0); }
    int getegid() { return(0); }
    int getgroups(int size, int list[]) { list = (int *)malloc(sizeof(int)); return(1); }

The script spawns a new bash using LD_PRELOAD to override the glibc functions
with the above ones.

This does not compromise kernel security in any way whatsoever. Not even
close. You *may* be able to trick a naive user, but he won't be able to do
anything bad, because he is not root. Even though he may think he is. And
even though bash may think it is.

> I was stunned, and it seems that is the beginning of a Linux Code Red
> lookalike worm :(((( using that exploit, probably this is not the most
> appropriate place to send this, but I'm not subscribed to the glibc
> mailing list and I just hope that some glibc hackers are on linux kernel
> list also and they see that and do something before we join the ranks of
> M$.
>
> Dead worried,

Don't worry.

>
> Mircea C.
>
> P.S. Please tell me that I'm just being paranoid and that crap didn't
> work on your systems with a lookalike configuration.

You're just being paranoid and that crap didn't work on your system either :)

--
................................................................
: jakob@unthought.net : And I see the elder races, :
:.........................: putrid forms of man :
: Jakob Østergaard : See him rise and claim the earth, :
: OZ9ABN : his downfall is at hand. :
:.........................:............{Konkhra}...............:
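
An added example, not part of the original message or thread: a Linux-only check that reads the process's credentials from the kernel directly, so a preloaded `getuid()` like the one quoted above cannot influence the answer. The function names (`kernel_uid`, `parse_status_uid`, `libc_uid_is_spoofed`) are this example's own, and the `/proc/<pid>/status` text is a constructed sample.

```c
/* Added example, not from the original message: ask the kernel for the
 * process's credentials without going through the libc wrappers that an
 * LD_PRELOAD shim can replace. Linux-specific. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Raw system call: a preloaded getuid() symbol is never consulted. */
long kernel_uid(void)  { return syscall(SYS_getuid); }
long kernel_euid(void) { return syscall(SYS_geteuid); }

/* Parse the "Uid:" line (real, effective, saved, fs) of /proc/<pid>/status
 * text. Returns 0 on success, -1 if the line is missing or malformed. */
int parse_status_uid(const char *status, long *real, long *eff)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "Uid:", 4) == 0)
            return sscanf(p + 4, "%ld %ld", real, eff) == 2 ? 0 : -1;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* 1 if libc's answer differs from the kernel's, i.e. something interposed. */
int libc_uid_is_spoofed(void)
{
    return (long)getuid() != kernel_uid() || (long)geteuid() != kernel_euid();
}

/* Constructed sample: status of a shell started under the shim by uid 1000. */
static const char SAMPLE_STATUS[] =
    "Name:\tbash\nState:\tS (sleeping)\nUid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n";

int main(void)
{
    long r = -1, e = -1;
    parse_status_uid(SAMPLE_STATUS, &r, &e);
    printf("sample status: real=%ld effective=%ld\n", r, e);
    printf("libc uid=%ld kernel uid=%ld spoofed=%d LD_PRELOAD=%s\n",
           (long)getuid(), kernel_uid(), libc_uid_is_spoofed(),
           getenv("LD_PRELOAD") ? getenv("LD_PRELOAD") : "(unset)");
    return 0;
}
```

Run inside a shell started with such a preload, the libc and kernel values disagree and the spoof check returns 1; the kernel's value is the one that permission checks such as the write to /etc/passwd are made against.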