Lots more kernel releases

Posted Jul 16, 2006 3:48 UTC (Sun) by afalko (subscriber, #37028)
In reply to: Lots more kernel releases by NightMonkey
Parent article: Lots more kernel releases

2.6.16.25 and 2.6.17.5: http://lwn.net/Articles/191486/

Lots more kernel releases

Posted Jul 16, 2006 4:19 UTC (Sun) by NightMonkey (subscriber, #23051)

Hrm.... Did that version introduce it, or just fix it?

Lots more kernel releases

Posted Jul 16, 2006 4:24 UTC (Sun) by NightMonkey (subscriber, #23051)

Ah, sorry, answered my own question. From the CVE at http://www.frsirt.com/english/advisories/2006/2816:

'Technical Description

A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to obtain elevated privileges. This flaw is due to a race condition in "fs/proc/base.c", which could be exploited by malicious users to execute arbitrary commands with "root" privileges.

Note : A fully functional exploit has been released.

Affected Products

Linux Kernel version 2.6.17.4 and prior
Linux Kernel version 2.6.16.24 and prior'

Yikes! This is a big problem.

Workaround: remount /proc nosuid,noexec

Posted Jul 16, 2006 9:43 UTC (Sun) by Duncan (guest, #6647)

On the Gentoo-devel list, which I follow as I run Gentoo and want to get a
heads-up on things coming down the pike, one of the kernel guys said it
wouldn't affect anyone who has /proc mounted nosuid,noexec. A bit of
testing later and they hadn't found any reason /not/ to do so (there was
speculation about a couple things but it turned out they worked fine
anyway), and I've been running that way for several hours, now, tho I did
update the kernel and it happened to be convenient to reboot at the time
so I did.

For anyone depending on the local security, I'd still recommend
double-checking it as I don't know enough about it to verify it myself,
but doing a /proc remount nosuid,noexec might be a useful workaround for
those who find it inconvenient to reboot ATM. That's how I have fstab
configured to (re)mount it, now, as it seems to make sense in any case,
and Gentoo will probably be making that the default in the next
baselayout, as well.

Duncan

Workaround: remount /proc nosuid,noexec

Posted Jul 16, 2006 21:36 UTC (Sun) by NightMonkey (subscriber, #23051)

Perhaps not even a reboot is needed? I just did this:

mount -o remount,nosuid,noexec /proc

Then, "mount" shows:

proc on /proc type proc (rw,noexec,nosuid)

Any drawbacks?
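A way to verify the remount from a script rather than by reading "mount" output by eye, as an added example that is not from the thread: it parses /proc/mounts-format lines and reports nosuid and noexec for /proc separately, because the two options matter differently here (nosuid is what blocks this exploit; noexec on its own is easy to bypass by invoking the dynamic loader directly). The sample snapshots, the function names mount_has_opt and proc_status, and the PROC_CHECK_LIVE variable are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify the /proc nosuid,noexec
# workaround by parsing /proc/mounts-format lines instead of trusting
# the eye on "mount" output.

# mount_has_opt MOUNTPOINT OPTION   (mounts data on stdin)
# Prints "yes" if the mount at MOUNTPOINT carries OPTION, "no" if the
# mount exists without it, and "absent" if no line for MOUNTPOINT exists.
mount_has_opt() {
    mp=$1 want=$2 found=absent
    while read -r _dev mnt _fstype opts _rest; do
        [ "$mnt" = "$mp" ] || continue
        found=no
        # Options are comma separated; match whole tokens only, so a
        # substring such as "suid" inside "nosuid" cannot produce a hit.
        case ",$opts," in *",$want,"*) found=yes ;; esac
    done
    printf '%s\n' "$found"
}

# proc_status   (mounts data on stdin)
# Prints one summary line and exits 0 only when /proc has nosuid, the
# option that actually blocks the exploit discussed in the thread.
# noexec is reported for completeness, not as protection in itself.
proc_status() {
    data=$(cat)
    nosuid=$(printf '%s\n' "$data" | mount_has_opt /proc nosuid)
    noexec=$(printf '%s\n' "$data" | mount_has_opt /proc noexec)
    printf 'nosuid=%s noexec=%s\n' "$nosuid" "$noexec"
    [ "$nosuid" = yes ]
}

# Constructed sample snapshots in /proc/mounts format: before and after
# "mount -o remount,nosuid,noexec /proc" from the thread.
SAMPLE_BEFORE='rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_AFTER='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,noexec,relatime 0 0'

# Live check on a Linux box (assumed invocation):
#   PROC_CHECK_LIVE=1 sh this_script.sh ; echo $?
if [ "${PROC_CHECK_LIVE:-0}" = 1 ]; then
    proc_status < /proc/mounts
fi
```

The exit status of proc_status makes it usable from a cron job or a configuration-management check; a non-zero status means /proc is still mounted without nosuid and the remount (or the fstab entry) has not taken effect.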

Workaround: remount /proc nosuid,noexec

Posted Jul 16, 2006 23:36 UTC (Sun) by Los__D (subscriber, #15263)

That was exactly what he said: "but doing a /proc remount nosuid,noexec might be a useful workaround for those who find it inconvenient to reboot ATM" :)

Workaround: remount /proc nosuid,noexec

Posted Jul 16, 2006 23:43 UTC (Sun) by NightMonkey (subscriber, #23051)

You're right. And I HAD my coffee. Uh oh.

Workaround: remount /proc nosuid,noexec

Posted Jul 17, 2006 16:14 UTC (Mon) by djrom (subscriber, #26074)

As usual, when someone suggests "noexec" for solving a security problem, it's not really a solution. It can't harm to do it anyway, but it's pretty easy to bypass. Just replace "/proc/executable" by "/lib/ld-linux.so.2 /proc/executable" and the exploit will work without a glitch.

Nope

Posted Jul 17, 2006 21:05 UTC (Mon) by JoeBuck (subscriber, #2330)

The exploit evidently is blocked if /proc is mounted nosuid. noexec has no effect.

Nope

Posted Jul 17, 2006 23:10 UTC (Mon) by djrom (subscriber, #26074)

Oops, I didn't check for this precise exploit. I still think it's good to have it as a reminder, as general information, of the usefulness of the noexec mount option, but I stand corrected about the exploit we were talking about :)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds