Full Disclosure mailing list archives

Re: ptrace exploit workaround

From: Jose Carlos Luna Duran <luna () aditel org>
Date: Wed, 19 Mar 2003 08:42:47 +0100

En Tue Mar 18, 2003 at 11:57:25PM +0100, Juraj Bednar <juraj () bednar sk> escribio:

Hi,


    while waiting for kernel compilations from Debian (and while waiting
    for my kernel compilations to finish), I coded a single module,
    which acts as a workaround for one particular exploit I found in one
    user's homedirectory. 

    Disclaimer:

      1.) I don't guarantee, that it will protect you from other
      exploits (it won't).

      2.) I guarantee, it won't break anything (actually it will break
      some occassional ptrace situations, but for simple gdb and stuff,
      this is ok).

      3.) I don't guarantee it will work. It may freeze your machine.
      YMMV. 

      4.) I'm not a linux kernel module coder. If you'll come with
      something better, drop me a note.

      5.) Against this exploit, simple chmod 700 /proc would suffice
      (since it wants to open /proc/self/exe). This is somehow cleaner.


Hi Juraj, that exploit that you mention about is publicly available
on a very well known site (hack.co.za). So, full-disclosure readers
may want to take a look at it.

From my point of view protecting the /proc will do nothing, you can

rewrite that exploit without reading proc in a matter of seconds, it 
reads it only for the sake of obtaining the complete path of the exploit 
cause its shellcode payload will do a chown & chmod afterwards on it.
In the linux-kernel list there was a post on this subject on monday
it also displays an alternative patch for 2.4.20 / 21pre:

http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html


      6.) It should unload correctly, if it won't freeze your system
      (see point 3:).

    Anyways, as a simple workaround, it works for me, so I thought I'll
    post it, it may help you overcome this ugly time.

    Compilation instruction in source comment.


     J.



-- 
Juraj Bednar
http://www.jurajbednar.com/
http://juraj.bednar.sk/


Best regards, 

-- 
Jose Carlos Luna Duran  @ UJI
luna () aditel org / Jose.Carlos.Luna () cern ch
Office Tel. +41 22 76 71880

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

ptrace exploit workaround Juraj Bednar (Mar 18)
- Re: ptrace exploit workaround Juraj Bednar (Mar 18)
- Re: ptrace exploit workaround Jose Carlos Luna Duran (Mar 18)