Debian attacker may have used new exploit
joehill-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org
Tue Dec 2 11:31:52 UTC 2003
On Mon, 1 Dec 2003 06:28:24 -0500
JoeHill <joehill-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org> wrote:
> "Initial investigations of the security breach, which occurred on 19 November,
> indicate that the attacker was able to gain full control of Debian servers
> logging on via unprivileged accounts, known as privilege escalation, according
> to James Troup, part of the team handling Debian's distribution."
"Recently multiple servers of the Debian project were compromised using a
Debian developers account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed to
decrypt the binary which revealed a kernel exploit. Study of the exploit
by the RedHat and SuSE kernel and security teams quickly revealed that
the exploit used an integer overflow in the brk system call. Using
this bug it is possible for a userland program to trick the kernel into
giving access to the full kernel address space. This problem was found
in September by Andrew Morton, but unfortunately that was too late for
the 2.4.22 kernel release.
This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and
2.6.0-test6 kernel tree. For Debian it has been fixed in version
2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386
kernel images and version 2.4.18-11 of the alpha kernel images."
Also covered in MDKSA-2003:110:
"A vulnerability was discovered in the Linux kernel versions 2.4.22 and
previous. A flaw in bounds checking in the do_brk() function can
allow a local attacker to gain root privileges. This vulnerability is
known to be exploitable; an exploit is in the wild at this time.
The Mandrake Linux 9.2 kernels are not vulnerable to this problem as
the fix for it is already present in those kernels.
MandrakeSoft encourages all users to upgrade their systems immediately."
What confuses me is that my default install of MDK 9.2 shows kernel version:
But MDK says 9.2 is safe.
Can someone clarify this for me?
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
"There are three side effects of acid: enhanced long-term memory, decreased
short-term memory, and I forget the third." -- Timothy Leary
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
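Added example, not code from the original thread or from any of the advisories it quotes: a kernel release check that applies the fix points quoted above (upstream 2.4.23 and 2.6.0-test6; Debian source 2.4.18-12, i386 images 2.4.18-14, alpha images 2.4.18-11) and shows why a bare version number cannot settle the Mandrake question in the post: a vendor backport keeps the older base version, so any kernel below the upstream fix point has to be resolved against the vendor's advisory rather than the string. The sample release strings and the flavour names are assumptions.

```python
import re
from typing import Optional, Tuple

# Fix points quoted in the Debian advisory on this page.
UPSTREAM_FIXED_24 = (2, 4, 23)          # 2.4 tree
UPSTREAM_FIXED_26 = ((2, 6, 0), 6)      # 2.6.0-test6 and later
DEBIAN_FIXED = {                        # flavour -> (base version, package revision)
    "source": ((2, 4, 18), 12),
    "i386": ((2, 4, 18), 14),
    "alpha": ((2, 4, 18), 11),
}

# uname -r style: major.minor.patch, optional "-testN", optional "-<revision><vendor tag>"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-test(\d+))?(?:-(\d+))?")


def parse_release(release: str) -> Tuple[Tuple[int, int, int], Optional[int], Optional[int]]:
    """Return (base version, -test number or None, vendor revision or None)."""
    m = VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    test = int(m.group(4)) if m.group(4) else None
    rev = int(m.group(5)) if m.group(5) else None
    return base, test, rev


def assess_do_brk(release: str, debian_flavour: Optional[str] = None) -> str:
    """Classify a kernel release against the do_brk() fix points quoted above."""
    base, test, rev = parse_release(release)
    if base[:2] == (2, 4) and base >= UPSTREAM_FIXED_24:
        return "fixed-upstream"
    if base[:2] == (2, 6):
        fixed_base, fixed_test = UPSTREAM_FIXED_26
        if base > fixed_base or test is None or test >= fixed_test:
            return "fixed-upstream"
        return "check-advisory"
    if debian_flavour in DEBIAN_FIXED:
        fixed_base, fixed_rev = DEBIAN_FIXED[debian_flavour]
        if base == fixed_base and rev is not None and rev >= fixed_rev:
            return "fixed-by-distro"   # Debian backport: old base version, patched package
    # Base version predates 2.4.23: either unpatched, or patched by a vendor
    # backport (as the page says for Mandrake 9.2). The string alone cannot
    # tell these apart, so the answer has to come from the vendor advisory.
    return "check-advisory"


if __name__ == "__main__":
    # Constructed sample strings, not output from any real system.
    for rel in ["2.4.23", "2.4.22", "2.4.22-10mdk", "2.4.18-12", "2.6.0-test5"]:
        print(rel, "->", assess_do_brk(rel, "source"))
```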