prctl kernel exploit

PostPosted: Wed Jul 12, 2006 4:15 pm
by giany
Hello,

Is grsec 2.6.14 affected by this : http://www.securityfocus.com/bid/18874 ?

PostPosted: Wed Jul 12, 2006 6:36 pm
by spender
Yes, however if you use the RBAC system you can mitigate the risk of public exploits that (ab)use the stupidity of vixie cron to get a root shell.

-Brad

PostPosted: Wed Jul 12, 2006 10:26 pm
by ralphy
setting core_pattern was suggested as a temporary fix as well.

PostPosted: Thu Jul 13, 2006 2:38 am
by giany
Yep it seems the core file is created. Probably with a little tune you might get root.

PostPosted: Thu Jul 13, 2006 9:43 am
by ralphy
As long as the core gets created in a fashion where cron can get to the core dump, pretty sure it's exploitable. echo "/tmp/core" > /proc/sys/kernel/core_pattern is a cheap workaround.

PostPosted: Thu Jul 13, 2006 10:58 am
by chainsaw
or just:

echo > /proc/sys/kernel/core_pattern

seems to work for me

PostPosted: Thu Jul 13, 2006 11:07 am
by chainsaw
I have one 2.6.14.6-grsec machine, which now
seems to be protected after echo > core_pattern.

But before that it was creating the suid shell, but when
I execute it as an ordinary user I'm not getting privilege escalation.
Maybe grsec after all does something?
I have a similar machine without grsec and there running the suid binary gives me root instantly.

PostPosted: Thu Jul 13, 2006 6:24 pm
by ralphy
Just sh dropping privileges. Some distros tend to do it by default now, such as Fedora IIRC; easily circumventable with the "-p" flag. /tmp/sh -p will leverage root. On one of our production boxes we set the filesystems up to nosuid and read-only, as well as setting core_pattern (just in case :)), until we can install the patch.

PostPosted: Sat Jul 15, 2006 2:48 am
by ralphy
mount -o remount,nosuid /proc

Nice workaround for the new kernel vulnerability, if indeed grsec 2.6 kernels are affected :) I don't have a 2.6 grsec-enabled kernel so I can't test, unfortunately; just thought it'd be helpful to those affected, if at all.
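The two workarounds the thread settles on, pointing core_pattern away from the crashing process's working directory (ralphy's and chainsaw's posts) and remounting /proc nosuid (the last post), are easy to misapply on a box you did not configure yourself. The script below is an added audit helper, written for this thread and not posted by any of its participants, that classifies a core_pattern value the way the thread reasons about it (a relative pattern such as the default "core" lands in the crashing process's cwd and is the risky case; an empty, absolute or pipe pattern is not) and checks whether a mount point carries nosuid. Both checks accept an optional file path so they can be exercised against constructed sample files without root; the sample /proc/mounts lines and pattern values used in comments are constructed, and nothing here writes to /proc.

```shell
#!/bin/sh
# Added audit helper for the core_pattern / nosuid workarounds discussed above.
# Constructed example: it only reads files and never changes kernel settings.

core_pattern_class() {
    # $1: a core_pattern value. Prints one of: empty, absolute, pipe, relative.
    # "relative" is the case the thread worries about: the core file is written
    # into the crashing process's current directory, wherever that is.
    pat=$1
    case "$pat" in
        "")    echo empty ;;      # result of: echo > /proc/sys/kernel/core_pattern
        /*)    echo absolute ;;   # result of: echo "/tmp/core" > /proc/sys/kernel/core_pattern
        "|"*)  echo pipe ;;       # core handed to a user-space helper, not written to cwd
        *)     echo relative ;;   # e.g. the default "core"
    esac
}

check_core_pattern_file() {
    # $1: file holding the pattern (default /proc/sys/kernel/core_pattern).
    # Returns 0 when the pattern is not relative, 1 when it is, 2 when unreadable.
    f=${1:-/proc/sys/kernel/core_pattern}
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    pat=$(cat "$f")   # command substitution drops the trailing newline
    class=$(core_pattern_class "$pat")
    if [ "$class" = relative ]; then
        echo "WARN: core_pattern '$pat' is relative; cores land in the crashing process's cwd"
        return 1
    fi
    echo "OK: core_pattern '$pat' ($class)"
    return 0
}

mount_has_nosuid() {
    # $1: mount point, $2: mounts table in /proc/mounts format (default /proc/mounts).
    # Returns 0 if that mount point lists nosuid among its options, 1 otherwise.
    mp=$1
    tab=${2:-/proc/mounts}
    awk -v mp="$mp" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$tab"
}

# Run the live audit only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--audit" ]; then
    check_core_pattern_file
    if mount_has_nosuid /proc; then
        echo "OK: /proc is mounted nosuid"
    else
        echo "WARN: /proc is not mounted nosuid"
    fi
fi
```

Run it as `sh audit.sh --audit` to check the running host; the exit status of each function makes it usable from cron or a config-management check. Note that chainsaw's `echo > core_pattern` yields an empty pattern (classified "empty" here), which is why it works as well as ralphy's absolute path.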