From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <vod@elecom.ru>
Message-ID: <44BF56D9.2030809@elecom.ru>
Date: Thu, 20 Jul 2006 03:11:37 -0700
From: Dmitry Vodennikov <vod@elecom.ru>
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: ALT Linux sysadmin discuss <sysadmins@lists.altlinux.org>
References: <20060713094416.GQ26570@osdn.org.ua>
	<20060713095034.GA23205@immo.ru>
In-Reply-To: <20060713095034.GA23205@immo.ru>
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [Sysadmins] Fwd: Linux Kernel 2.6.x PRCTL Core Dump Handling
 -	Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
X-BeenThere: sysadmins@lists.altlinux.org
X-Mailman-Version: 2.1.7
Precedence: list
Reply-To: ALT Linux sysadmin discuss <sysadmins@lists.altlinux.org>
List-Id: ALT Linux sysadmin discuss <sysadmins.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/listinfo/sysadmins>,
	<mailto:sysadmins-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/sysadmins>
List-Post: <mailto:sysadmins@lists.altlinux.org>
List-Help: <mailto:sysadmins-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/sysadmins>,
	<mailto:sysadmins-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2006 10:11:50 -0000
Archived-At: <http://lore.altlinux.org/sysadmins/44BF56D9.2030809@elecom.ru/>
List-Archive: <http://lore.altlinux.org/sysadmins/>

Alexey I. Froloff пишет:
> * Michael Shigorin <mike@> [060713 13:45]:
>> Напоминаю тем, у кого linux-2.6 на серверах, что в 2.6.13 до
>> 2.6.17.4 или 2.6.16.24 может быть незаткнут local root и 
>> эксплойт уже опубликован.
> 
>>         chdir("/etc/cron.d");
> Вот тут оно благополучно хватает -EPERM и отваливаеццо.

Видимо у кого как. У меня на compact шелл получается (при условии 
умолчательных опций монтирования /tmp), по почему-то не рутовый.
---------------------------------------------------
[vod@rs tmp]$ ./rs_prctl_kernel
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]

[*] Creating Cron entry
[*] Sleeping for aprox. one minute (** please wait **)
[*] Running shell (remember to remove /tmp/sh when finished) ...

sh-2.05b$ id
uid=500(vod) gid=500(vod) 
groups=10(wheel),19(proc),22(cdrom),36(camera),37(scanner),71(floppy),80(cdwriter),81(audio),83(radio),106(xgrp),500(vod)

sh-2.05b$ less /var/log/messages
/var/log/messages: Permission denied

sh-2.05b$ uname -r
2.6.12-vs26-smp-alt10

sh-2.05b$ ls -ld /etc/cron*
drwxr-x---  2 root root    4096 Jul 20 15:53 /etc/cron.d
drwxr-x---  2 root root    4096 Jul 11 14:45 /etc/cron.daily
-rw-r-----  1 root crontab    0 Dec 19  2004 /etc/cron.deny
drwxr-x---  2 root root    4096 Jul 11 05:31 /etc/cron.hourly
drwxr-x---  2 root root    4096 Jul 11 02:51 /etc/cron.monthly
drwxr-x---  2 root root    4096 Jul 11 14:44 /etc/cron.weekly
-rw-------  1 root root     184 Apr 25  2003 /etc/crontab
-rw-r--r--  1 root root     167 Apr 26  2003 /etc/crontab.template

---------------------------------------------------