Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: systrace silently patches full local bypass vulnerability on Linux
From: stealth <stealth () segfault net>
Date: Mon, 29 Mar 2004 20:10:29 +0000

On Sat, Mar 27, 2004 at 04:01:03PM -0500, spender () grsecurity net wrote:


I am not aware of the things happening beforehand (e.g. the flamewar)
i think I have to comment some parts in this mail.

I wont take part of the flamewar systrace vs. gr or alike,
both parties have excellent programming skills and its sad enough
it always goes this way.

I have been IRCing and mailing with spender regarding
grsecurity and hardening patches for the Linux kernel for quite
a while (> 1 year) now, and we discussed a lot of possible
vulnerabilities in chroot implementations, systrace, LIDS and,
ofcorse, some older versions of grsecurity. I have been writing
a paper regarding such topics for the DIMVA conference.
So far for the background...

      attempt to hide an exploitable vulnerability that has been 
      known in the blackhat community ever since systrace was 
      released for Linux (almost two years now), Marius and Niels will 
      instead try to attack my character, misspell my name, claim 
      that I found the bug by diffing, or anything else that will 
      take the attention off of this bug.  In fact, I know of several
      others that have discovered this bug independently, who I hope 
      will respond to this advisory and give weight to my claim if 
Yes, this bug (ptrace-bypass) is known for quite a while, we have discussed
this since ages, and a proof of concept exploit exists.
At least I have written my
own one which reads out /etc/passwd even if it is forbidden. It has
no meaning other than proving that the entry.S code is wrong.
I found the entry.S bug rather trivial and since nobody seemed
to use the Linux port of systrace anyway (and only this has been
tested by me) I put this "exploit" into my dusty box.

      There are protection bypass vulnerabilities in:
Indeed. With some minor modifications of the lids-hack.tgz
published years ago its still possible to exploit LIDS, but
I didnt got newer versions of LIDS working (crashes here and there,
and the admin tool produces wrong configs) so I was just pissed
about it and did no further research. I included a short example of
How to bypass LIDS in my DIMVA submission.

      There were also recently several scathing comments made by 
      Russell Coker, an employee of RedHat.  Some background info on 
      Russell: he's from Australia, he's not used to IRC, he can't 
      name any blackhats off-hand, and somehow he's a (self-titled?) 
      security expert and wants everyone to use SELinux.  I had made 
      the claim in a channel that the Debian SELinux test box was 
      owned by stealth due to a configuration error.  It turned out 
      that stealth had not owned the Debian SELinux test box, and 
      Russell Coker certainly made everyone aware of this.  What he 
      of course failed to mention (and that he was knowledgeable 
      of, as I was CC'd on the mails) was that stealth did own an 
      SELinux test machine some time back in Australia due to a 
      configuration error.  My mistake was believing that there was 
I was proving a SELinux box to have a wrong configuration
on the ph-neutral conference last year in Berlin. The machine
was a "hackme" box from Tom and everyone could give it a try at that time.
Since the config was broken it was not very difficult to install
trojans etc. I have discussed this with Tom, and there was no problem at all.
It was not in Australia though, but in Berlin, but thats rather unimportant
and I can understand spender if he confuses this a bit after all the
strange stuff going on. The SE box from Russel has pretty good
config and it looks like he knows what he's doing with SE. However,
if a hackme box doesnt get owned, it means nothing of corse.

I hope you will continue your great work on Grsecurity, Brad. Who
cares which hat you wear while doing so?


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]