[Tfug] Kernel Exploit NOT Debian-specific

Harry McGregor micros at osef.org
Mon Dec 1 16:18:50 MST 2003


Sorta.

Userland means that the exploit had to be run from a userland process,
most likely an ssh shell connection.

It looks like the issue was a compromised ssh key, which permitted
standard, user-level access to one of the systems.

This kernel upgrade is especially important for anyone running a shell
server on linux, or who has users that have shell permissions of any
sort.

Luckily, most of my servers, outside of USGS, don't have users that
understand this at all, and a lot of the accounts don't have a shell
defined.  Of course I am still working on kernel upgrades...

			Harry

On Mon, 2003-12-01 at 15:55, Jon wrote:
> So I'm assuming that "userland" implies it was an inside job.
> Good stuff, Maynard.
> 
> Jon
> 
> 
> On Mon, 1 Dec 2003, Angus Scott-Fleming wrote:
> 
> > Lots of folks here running Debian ... and other distros ...
> >
> > Developers: Kernel Exploit Cause Of Debian Compromise
> >  Posted by simoniker on 14:40 Monday 01 December 2003
> >  from the slightly-disturbing dept.
> >
> >   mbanck writes "The cause of the recent Debian Project
> >   server compromise has been published by the Debian
> >   security team: 'Forensics revealed a burneye encrypted
> >   exploit. Robert van der Meulen managed to decrypt the
> >   binary which revealed a kernel exploit. Study of the
> >   exploit by the RedHat and SuSE kernel and security teams
> >   quickly revealed that the exploit used an integer
> >   overflow in the brk system call. Using this bug it is
> >   possible for a userland program to trick the kernel into
> >   giving access to the full kernel address space'. This
> >   issue has been fixed in 2.4.23. Thus, the Linux kernel
> >   compromise was not Debian specific."
> >
> > http://developers.slashdot.org/article.pl?sid=03/12/01/2133249
> >
> > --
> > Angus Scott-Fleming
> > GeoApps, Tucson, Arizona
> > http://www.geoapps.com/
> > ---------------------------------------------------------
> >
> >
> > _______________________________________________
> > tfug mailing list
> > tfug at tfug.org
> > http://www.tfug.org/mailman/listinfo/tfug
> >
> >
> 
-- 
Harry McGregor, CEO, Co-Founder
Hmcgregor at osef.org, (520) 661-7875 (CELL)
Open Source Education Foundation, http://www.osef.org
A non-profit tax exempt charitable organization
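The quoted Debian note says the exploit used an integer overflow in brk to reach kernel address space. As an added illustration that is not part of this thread and not the kernel's source, here is a userland model of the range check that 2.4.23 added to the brk path, next to a model of the unchecked pre-2.4.23 behaviour. The shape of both checks, the TASK_SIZE value (i386 3G/1G split) and the sample mm layout are my assumptions; addresses are uint32_t so the arithmetic wraps exactly as it would in a 32-bit kernel.

```c
/*
 * Added example, not kernel code and not the exploit: a userland model of
 * the brk() address-range check.  Assumptions: 32-bit x86 kernel with the
 * usual 3G/1G split, unlimited RLIMIT_DATA, and a simplified shape for the
 * pre- and post-2.4.23 checks.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TASK_SIZE   0xC0000000u                 /* assumed: top of user space on i386 */
#define PAGE_SIZE   4096u
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))

/* Minimal stand-in for the mm_struct fields the check needs. */
struct mm_model {
    uint32_t end_code;   /* brk may not move below the text segment */
    uint32_t brk;        /* current program break */
};

/* Constructed sample layout: small static binary, break just above .data. */
const struct mm_model sample_mm = { .end_code = 0x08048000u, .brk = 0x08050000u };

/*
 * Model of the unpatched path: the only sanity check is "not below
 * end_code".  With RLIMIT_DATA unlimited, nothing compares the new mapping
 * against TASK_SIZE, so a break above 0xC0000000 (or one that wraps past
 * 2^32) is honoured and the new VMA reaches into kernel address space.
 * Returns true if the request would have been accepted.
 */
bool brk_accept_unpatched(const struct mm_model *mm, uint32_t new_brk)
{
    if (new_brk < mm->end_code)
        return false;
    return true;                             /* no upper bound at all */
}

/*
 * Model of the 2.4.23 check: compute the region do_brk() would map and
 * refuse it when the end lands above TASK_SIZE, and separately when
 * addr + len wrapped (end < addr), which an "end > TASK_SIZE" test alone
 * would miss because the wrapped value is tiny.
 */
bool brk_accept_patched(const struct mm_model *mm, uint32_t new_brk)
{
    if (new_brk < mm->end_code)
        return false;
    if (new_brk <= mm->brk)                  /* shrink or no-op: no new mapping */
        return true;

    uint32_t addr = PAGE_ALIGN(mm->brk);     /* start of the new region */
    uint32_t len  = PAGE_ALIGN(new_brk) - addr;
    uint32_t end  = addr + len;              /* == PAGE_ALIGN(new_brk) mod 2^32 */

    if (end > TASK_SIZE || end < addr)       /* above user space, or wrapped */
        return false;
    return true;
}

int main(void)
{
    /* Constructed requests: normal growth, one into kernel space, one that wraps. */
    const uint32_t requests[] = { 0x08060000u, 0xC0010000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        printf("brk(0x%08x): unpatched %s, patched %s\n", requests[i],
               brk_accept_unpatched(&sample_mm, requests[i]) ? "accepts" : "rejects",
               brk_accept_patched(&sample_mm, requests[i])   ? "accepts" : "rejects");
    }
    return 0;
}
```

The wrapped case is the one worth staring at: PAGE_ALIGN(0xFFFFFFFF) is 0 in 32-bit arithmetic, so a check that only asks "is the end above TASK_SIZE" sees 0 and says yes, which is why the fixed check also tests end against addr.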


