Full Disclosure mailing list archives
Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Fri, 14 Jul 2006 01:58:01 +0200 (CEST)
On Thu, 13 Jul 2006, Matthew Murphy wrote:
> > setting 750 on /etc/cron.* would stop this exploit
>
> Incorrect. Did you even try this on ONE vulnerable box? The vulnerability exists BECAUSE the kernel doesn't enforce directory permissions when writing a core dump.

You cannot chdir to (or access a file within) a directory to which you have no 'execute' permission. Cores are dumped in the current working directory of a process. You cannot make /etc/cron.* your working directory unless the aforementioned permission is given to you. The exploit works by doing a chdir to that directory as a user; if the directory is not accessible, this will fail, and the core will be dumped elsewhere. The vulnerability still probably can be exploited by other means (mail subsystem? logrotate? etc), but that probably pretty much solves the crond vector.
> If your users actually have write permissions to /etc/cron.d, do the world a favor and disconnect from the internet as soon as humanly possible.

You seem to be confused. Most systems do have a+rx permissions to /etc/cron.* directories, and that most certainly helps with that exploit.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
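The workaround under discussion rests on one fact: a process cannot chdir into a directory unless it has execute permission on it, so a core file cannot land there either. The script below is an added example written for this archive page, not code from the thread or from any of its participants. It audits a list of directories (on a live host, `/etc/cron.*`) and reports which ones "other" can enter or write, which is exactly the property the 750 workaround removes. It assumes the standard `ls -ld` layout in which characters 8-10 of the mode field are the other-permission bits; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report whether directories such as
# /etc/cron.* can be entered or written by users outside owner and group.
# A directory that "other" cannot enter cannot become an unprivileged
# process's working directory, so no core dump can be written into it.

# Print the rwx triplet for "other", taken from characters 8-10 of `ls -ld`.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# True (exit 0) when users outside owner and group can enter the directory.
# 'x' is the execute bit; 't' is execute plus sticky (as on /tmp).
world_enterable() {
    case "$(other_bits "$1")" in
        ??x|??t) return 0 ;;
        *)       return 1 ;;
    esac
}

# True (exit 0) when "other" can create files in the directory.
world_writable() {
    case "$(other_bits "$1")" in
        ?w?) return 0 ;;
        *)   return 1 ;;
    esac
}

# One line per existing directory: path, then ENTERABLE or RESTRICTED,
# with ",WRITABLE" appended when "other" also has write permission.
audit_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        if world_enterable "$d"; then
            state=ENTERABLE
        else
            state=RESTRICTED
        fi
        if world_writable "$d"; then
            state="$state,WRITABLE"
        fi
        printf '%s %s\n' "$d" "$state"
    done
}

# Number of directories in the argument list that "other" can enter;
# a non-zero count means the 750 workaround has not been applied everywhere.
count_enterable() {
    n=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        if world_enterable "$d"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Usage on a real host (the glob expands to whichever cron directories exist):
#   audit_dirs /etc/cron.*
#   echo "world-enterable cron dirs: $(count_enterable /etc/cron.*)"
```

The check is intentionally mode-based rather than a live `chdir` test, because a test run as root would always succeed and say nothing about what an unprivileged user can reach. As the thread notes, closing the cron directories only removes the crond vector; other writable-by-daemon directories on the same host deserve the same audit.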