Re: systrace silently patches full local bypass vulnerability on Linux
From: stealth <stealth () segfault net>
Date: Mon, 29 Mar 2004 20:10:29 +0000
On Sat, Mar 27, 2004 at 04:01:03PM -0500, spender () grsecurity net wrote:
I am not aware of the things that happened beforehand (e.g. the flamewar),
but I think I have to comment on some parts of this mail.
I won't take part in the flamewar systrace vs. gr or alike;
both parties have excellent programming skills and it's sad enough
that it always goes this way.
I have been IRCing and mailing with spender regarding
grsecurity and hardening patches for the Linux kernel for quite
a while (> 1 year) now, and we discussed a lot of possible
vulnerabilities in chroot implementations, systrace, LIDS and,
of course, some older versions of grsecurity. I have been writing
a paper regarding such topics for the DIMVA conference.
So much for the background...
> attempt to hide an exploitable vulnerability that has been
> known in the blackhat community ever since systrace was
> released for Linux (almost two years now), Marius and Niels will
> instead try to attack my character, misspell my name, claim
> that I found the bug by diffing, or anything else that will
> take the attention off of this bug. In fact, I know of several
> others that have discovered this bug independently, who I hope
> will respond to this advisory and give weight to my claim if
Yes, this bug (ptrace-bypass) has been known for quite a while; we have discussed
this for ages, and a proof-of-concept exploit exists.
At least I have written my
own one, which reads out /etc/passwd even if it is forbidden. It has
no meaning other than proving that the entry.S code is wrong.
I found the entry.S bug rather trivial, and since nobody seemed
to use the Linux port of systrace anyway (and only this has been
tested by me), I put this "exploit" into my dusty box.
> There are protection bypass vulnerabilities in:
Indeed. With some minor modifications of the lids-hack.tgz
published years ago it's still possible to exploit LIDS, but
I didn't get newer versions of LIDS working (crashes here and there,
and the admin tool produces wrong configs), so I was just pissed
about it and did no further research. I included a short example of
how to bypass LIDS in my DIMVA submission.
> There were also recently several scathing comments made by
> Russell Coker, an employee of RedHat. Some background info on
> Russell: he's from Australia, he's not used to IRC, he can't
> name any blackhats off-hand, and somehow he's a (self-titled?)
> security expert and wants everyone to use SELinux. I had made
> the claim in a channel that the Debian SELinux test box was
> owned by stealth due to a configuration error. It turned out
> that stealth had not owned the Debian SELinux test box, and
> Russell Coker certainly made everyone aware of this. What he
> of course failed to mention (and that he was knowledgeable
> of, as I was CC'd on the mails) was that stealth did own an
> SELinux test machine some time back in Australia due to a
> configuration error. My mistake was believing that there was
I was proving an SELinux box to have a wrong configuration
at the ph-neutral conference last year in Berlin. The machine
was a "hackme" box from Tom, and everyone could give it a try at that time.
Since the config was broken, it was not very difficult to install
trojans etc. I have discussed this with Tom, and there was no problem at all.
It was not in Australia though, but in Berlin, but that's rather unimportant,
and I can understand spender if he confuses this a bit after all the
strange stuff going on. The SE box from Russell has a pretty good
config, and it looks like he knows what he's doing with SE. However,
if a hackme box doesn't get owned, it means nothing of course.
I hope you will continue your great work on Grsecurity, Brad. Who
cares which hat you wear while doing so?
Full-Disclosure - We believe in it.