Full Disclosure mailing list archives
Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Thu, 13 Jul 2006 18:34:04 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 7/13/06, lars brun nielsen <lbn () carbon14 dk> wrote:
> hi, setting 750 on /etc/cron.* would stop this exploit

Incorrect. Did you even try this on ONE vulnerable box? The vulnerability exists BECAUSE the kernel doesn't enforce directory permissions when writing a core dump. Next time try testing your workarounds, or quoting workarounds from vendors. This helps ensure that the advice you give people actually works.

What you should've suggested is:

a) modifying /proc/sys/kernel/core_pattern to cause coredumps to go to an absolute location:

   echo 0 >/proc/sys/kernel/core_uses_pid
   echo /dev/null >/proc/sys/kernel/core_pattern

b) marking the directory used by the exploit immutable:

   chattr +i /etc/cron.d

That prevents you from writing to that directory, but can be easily undone if for some reason you need to:

   chattr -i /etc/cron.d

If you actually bothered to read ANY of the vendor advisories on this issue, you'd know why. The vulnerability exists because the kernel DOES NOT VERIFY write permissions to core dump directories. If your users actually have write permissions to /etc/cron.d, do the world a favor and disconnect from the internet as soon as humanly possible.

Thank you.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
Comment: New (15 May '06) Key: Fetch from pgp.mit.edu; ID=0x2257C33F

iQIVAwUBRLbSa3XzqEAiV8M/AQq0CQ/+OB2FK0WjVPSbwk3NbnknxOvs0BXpvOc3
rbdtw5Rt+y9OkayPBZrC3h6X0hhGv3+mjWRUuw2fDEDXCb3Yw7fExCT9YfNEqvev
S9M91HYE6uoI1GH9BAYvXbwTncvPAVbTRpup/7tHV4AxNirky5HDv+AHmpM7ZZxo
F0y1UbtNdRT5qaLR8dx+0B09VeYOBK+6tvNUqTRCfQCYs5uJ5jm6Em40PR0CLv5P
Ysv3qOvUds4dbKDsc2x5DBgkLyDreokVv4fv1ri3/w8HAsWeD9rfrFj5I/E4Zmwq
ww5117TCMda5hYmT+RjmQHsl23QPlhEaePuTHLZKXZGW0hqysQd1q6qKy4h9Sc3t
88rY1y1CWST1PXDAXWhnoibuCDqzliKyD5nAF4s+k66sB0y95+O2wtfP8nT9fitp
3fSTNDLF8q9BBI/PILNj7s2cRaYYL//cOjmbsZDUfv72UoJu+/XIbuw6kTD19LPf
sHCqWobmjpPp4EhoDqoqL12AswwlrqZG9N2yqpB0lPDC46QxPKOwhnJnve90b8vp
6/VWfuuS25BYd2avn/9gI38gcZWgS3EYtm5OxFz2ZKuG21ZbhdngJZQ8ojpihe24
Cezeo5Go4tRzM+IWTEP2XG3Ro+X6/UIWCf2T/l6Bn+Befx7VdGv3ALB+q8SIPrTw
7jvIUxlhR2s=
=X3pz
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
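A check for the two workarounds Murphy describes (an absolute core_pattern, and an immutable /etc/cron.d), added here as an example and not part of the original post or of any vendor advisory. The sysctl directory is a parameter defaulting to /proc/sys/kernel so the check can be exercised against a scratch copy without root; the function names core_pattern_is_safe, apply_core_workaround, dir_is_immutable and report_core_dump_state are chosen here. The one caveat it encodes beyond the post's commands is why core_uses_pid is set to 0: with it left at 1 and no %p in the pattern, the kernel appends ".<pid>" to the path, so /dev/null becomes a regular file /dev/null.<pid> rather than the null device.

```shell
#!/bin/sh
# Added example (not from the original post): verify and apply the
# core_pattern workaround for CVE-2006-2451 and check /etc/cron.d.
# The sysctl directory is a parameter (assumption: default /proc/sys/kernel)
# so the checks can be run against a scratch copy without root.

# Return 0 if core_pattern would not write a dump into the crashing
# process's cwd: it must be an absolute path, and if it points at
# /dev/null, core_uses_pid must be 0 (otherwise the kernel appends
# ".<pid>" and creates a real file such as /dev/null.1234).
core_pattern_is_safe() {
    dir=${1:-/proc/sys/kernel}
    pattern=$(cat "$dir/core_pattern" 2>/dev/null) || return 1
    uses_pid=$(cat "$dir/core_uses_pid" 2>/dev/null) || uses_pid=0
    case "$pattern" in
        /*) ;;                    # absolute: not relative to the cwd
        *)  return 1 ;;           # relative (kernel default "core"): vulnerable
    esac
    if [ "$pattern" = /dev/null ] && [ "$uses_pid" != 0 ]; then
        return 1
    fi
    return 0
}

# Workaround (a) from the post: dumps go to /dev/null with no pid suffix.
# Needs root when run against the real /proc/sys/kernel.
apply_core_workaround() {
    dir=${1:-/proc/sys/kernel}
    echo 0 > "$dir/core_uses_pid" || return 1
    echo /dev/null > "$dir/core_pattern" || return 1
    core_pattern_is_safe "$dir"
}

# Workaround (b): report whether a directory carries the immutable
# attribute (the first field of `lsattr -d` contains 'i').
dir_is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q i
}

# One-line status for the live system; reads only, never writes.
report_core_dump_state() {
    if core_pattern_is_safe /proc/sys/kernel; then
        echo "core_pattern: $(cat /proc/sys/kernel/core_pattern) (safe)"
    else
        echo "core_pattern: $(cat /proc/sys/kernel/core_pattern) (UNSAFE: relative or pid-suffixed /dev/null)"
    fi
    if dir_is_immutable /etc/cron.d; then
        echo "/etc/cron.d: immutable"
    else
        echo "/etc/cron.d: not immutable"
    fi
}

if [ -r /proc/sys/kernel/core_pattern ]; then
    report_core_dump_state
fi
```

Run it as root with no arguments to audit a host; to apply the change, call apply_core_workaround with no argument (it writes /proc/sys/kernel directly, so the setting does not survive a reboot unless it is also placed in sysctl.conf). Marking the directory immutable still has to be done with chattr as in the post; the script only reports that state.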
Current thread:
- Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 ) Roman Medina-Heigl Hernandez (Jul 11)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 ) Ariel Biener (Jul 12)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 ) Ariel Biener (Jul 12)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround lars brun nielsen (Jul 13)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround Matthew Murphy (Jul 13)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround Michal Zalewski (Jul 13)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround Matthew Murphy (Jul 13)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround PERFECT . MATERIAL (Jul 13)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround Kyle Lutze (Jul 13)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround Jon Hart (Jul 14)
- Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround Matthew Murphy (Jul 13)
