Yes, however if you use the RBAC system you can mitigate the risk of public exploits that (ab)use the stupidity of vixie cron to get a root shell.
-Brad
Posted: Wed Jul 12, 2006 10:26 pm
by ralphy
Setting core_pattern was suggested as a temporary fix as well.
Posted: Thu Jul 13, 2006 2:38 am
by giany
Yep, it seems the core file is created. Probably with a little tuning you might get root.
Posted: Thu Jul 13, 2006 9:43 am
by ralphy
As long as the core gets created in a fashion where cron can get to the core dump, pretty sure it's exploitable.
echo "/tmp/core" > /proc/sys/kernel/core_pattern
is a cheap workaround.
Posted: Thu Jul 13, 2006 10:58 am
by chainsaw
or just:
echo > /proc/sys/kernel/core_pattern
seems to work for me
Posted: Thu Jul 13, 2006 11:07 am
by chainsaw
I have one 2.6.14.6-grsec machine, which now
seems to be protected after echo > core_pattern,
but before that it was creating the suid shell, but when
I execute it as an ordinary user I'm not getting privilege escalation.
Maybe grsec after all does something?
I have a similar machine without grsec and there running the suid binary gives me root instantly.
Posted: Thu Jul 13, 2006 6:24 pm
by ralphy
Just sh dropping privileges. Some distros tend to do it by default now, such as Fedora iirc; easily circumventable with the "-p" flag. /tmp/sh -p will leverage root. On one of our production boxes we set the filesystems up to nosuid and readonly as well as setting core_pattern (just in case) until we can install the patch.
Posted: Sat Jul 15, 2006 2:48 am
by ralphy
mount -o remount,nosuid /proc
Nice workaround for the new kernel vulnerability, if indeed grsec 2.6 kernels are affected. I don't have a 2.6 grsec-enabled kernel so I can't test, unfortunately; just thought it'd be helpful to those affected, if at all.
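A small audit script for the two workarounds the thread settles on (the core_pattern change and the nosuid remount). This is an added example, not something posted in the thread; the function names are mine, and the mount lines in the usage are constructed sample data, not taken from any real box.

```shell
#!/bin/sh
# Added example: classify the two mitigations discussed above so an admin can
# check whether a box still has the risky defaults. Both helpers take their
# input as arguments or on stdin, so they can be exercised on constructed data.

# Classify a kernel.core_pattern value. An empty pattern (what
# `echo > /proc/sys/kernel/core_pattern` leaves behind once the kernel strips
# the newline) gives the kernel no filename to open, so no core is written.
# A relative name such as the default "core" lands in the crashing process's
# working directory, which is the case the thread is worried about. An
# absolute path or a pipe handler keeps the dump away from that directory.
core_pattern_class() {
    case "$1" in
        "")    echo disabled ;;
        '|'*)  echo pipe ;;
        /*)    echo absolute ;;
        *)     echo cwd-relative ;;
    esac
}

# Read /proc/mounts-style lines on stdin and report whether the mount at $1
# carries nosuid: prints "nosuid", "suid" (mounted without it) or "absent".
mount_suid_state() {
    target="$1"
    state=absent
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "$target" ] || continue
        case ",$opts," in
            *,nosuid,*) state=nosuid ;;
            *)          state=suid ;;
        esac
    done
    echo "$state"
}

# Audit the live host: both settings as they stand right now.
audit_host() {
    pat=$(cat /proc/sys/kernel/core_pattern 2>/dev/null)
    echo "core_pattern: '$pat' -> $(core_pattern_class "$pat")"
    echo "/proc mount: $(mount_suid_state /proc < /proc/mounts 2>/dev/null)"
}

audit_host
```

On a box that applied chainsaw's workaround the first line reports "disabled"; after ralphy's remount the second reports "nosuid".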