grsecurity forums

[giany]

Hello,

Is grsec 2.6.14 affected by this : http://www.securityfocus.com/bid/18874 ?

[spender]

Yes, however if you use the RBAC system you can mitigate the risk of public exploits that (ab)use stupidity of vixie cron to get a root shell.

-Brad

[ralphy]

setting core_pattern was suggested as a temporary fix as well.

[giany]

Yep it seems the core file is created. Probably with a little tune you might get root.

[ralphy]

As long as the core gets created in a fashion where cron can get to the core dump, pretty sure it's exploitable. echo "/tmp/core" > /proc/sys/kernel/core_pattern is a cheap work around

[chainsaw]

or just :

echo > /proc/sys/kernel/core_pattern

seems to work for me

[chainsaw]

i have one 2.6.14.6-grsec machine, which now
seems to be protected after echo > core_pattern

but before that it was creating the suid shell, but when
i execute it as ordinary user i'm not getting privilege escalation.
maybe grsec after all does something?
i have similar machine without grsec and there running the suid binary gives me root instantly

[ralphy]

Just sh dropping privleges. Some distros tend to do it by default now such as Fedora iirc, easily circumventible with the "-p" flag. /tmp/sh -p will leverage root, on one of our production boxes we set the filesystems up to nosuid and readonly as well as setting core_pattern (just in case ) until we can install the patch.

[ralphy]

mount -o remount,nosuid /proc

nice workaround for the new kernel vulnerability, if indeed grsec 2.6 kernels are effected don't have a 2.6 grsec enabled kernel so i can't test unfortunately, just thought it'd be helpful to those effected, if at all.