[PCBSD-malaysia] local r00t exploit

Mohd Fazli Azran mfazliazran at gmail.com
Thu Dec 3 19:40:01 PST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yusof Khalid - FreeBSD / OpenBSD wrote:
> there is already a patch, but I haven't tested it yet
> 
> Hi all,
> 
> A short time ago a "local root" exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root.
> 
> Normally it is the policy of the FreeBSD Security Team to not publicly
> discuss security issues until an advisory is ready, but in this case
> since exploit code is already widely available I want to make a patch
> available ASAP.  Due to the short timeline, it is possible that this
> patch will not be the final version which is provided when an advisory
> is sent out; it is even possible (although highly doubtful) that this
> patch does not fully fix the issue or introduces new issues -- in short,
> use at your own risk (even more than usual).
> 
> The patch is at
>  http://people.freebsd.org/~cperciva/rtld.patch
> and has SHA256 hash
>  ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1
> 
> I expect a full security advisory concerning this issue will go out on
> Wednesday December 2nd.

> --
> Colin Percival
> Security Officer, FreeBSD | freebsd.org | The power to serve
> Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid


2009/12/2 Harisfazillah Jamel <linuxmalaysia at gmail.com>

>> Yes, that's right :) Once in as the Apache id, drop in a shell and .... Reset
>> the root password and SSH in.
>>
>> 2009/12/2 Yusof Khalid - FreeBSD / OpenBSD <fryshadow at gmail.com>:
>>> if the web application is vulnerable and someone can get through into the
>>> server, it could be pretty serious too :)
>>>
>>> On Wed, Dec 2, 2009 at 3:07 PM, Harisfazillah Jamel
>>> <linuxmalaysia at gmail.com> wrote:
>>>> That is why it is important that we make sure:
>>>>
>>>> 1) user passwords must be strong, so that they take long to break and
>>>> we have time to patch.
>>>> 2) System accounts or application accounts use /dev/null or
>>>> /bin/nologin as the shell.
>>>> 3) Unused (dormant) accounts we remove.
>>>> 4) User names should be unusual ones, not john, mary, superman :)
>>>>
>>>> There will always be bugs. What matters is whether we patch quickly or slowly. :)
>>>>
>>>> On Wed, Dec 2, 2009 at 2:05 PM, Yusof Khalid - FreeBSD / OpenBSD
>>>> <fryshadow at gmail.com> wrote:
>>>>> $ id
>>>>> uid=1002(test) gid=1002(test) groups=1002(test)
>>>>> $ sh exploit.sh
>>>>> env env.c exploit.sh program.c program.o w00t.so.1.0 FreeBSD local r00t zeroday
>>>>> by Kingcope
>>>>> November 2009
>>>>> env.c: In function 'main':
>>>>> env.c:5: warning: incompatible implicit declaration of built-in function 'malloc'
>>>>> env.c:9: warning: incompatible implicit declaration of built-in function 'strcpy'
>>>>> env.c:11: warning: incompatible implicit declaration of built-in function 'execl'
>>>>> cp: /tmp/w00t.so.1.0: Permission denied
>>>>> /libexec/ld-elf.so.1: environment corrupt; missing value for
>>>>> /libexec/ld-elf.so.1: environment corrupt; missing value for
>>>>> /libexec/ld-elf.so.1: environment corrupt; missing value for
>>>>> /libexec/ld-elf.so.1: environment corrupt; missing value for
>>>>> /libexec/ld-elf.so.1: environment corrupt; missing value for
>>>>> ALEX-ALEX
>>>>> # id
>>>>> uid=1002(test) gid=1002(test) euid=0(root) groups=1002(test)
>>>>> # uname -a
>>>>> FreeBSD proxy.opigateway-local.net 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1 08:49:13 UTC 2009     root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>>>>>
>>>>> source : http://seclists.org/fulldisclosure/2009/Nov/371
>>>>>
>>>>> I hear 8.0-RELEASE is affected too; anyone who can test it is welcome to :)
>>>>> --
>>>>> _________________________
>>>>> http://blog.myinfinityx.com
>>>>> _________________________
>>>>>
>>>>> _______________________________________________
>>>>> PCBSD-malaysia mailing list
>>>>> PCBSD-malaysia at lists.pcbsd.org
>>>>> http://lists.pcbsd.org/mailman/listinfo/pcbsd-malaysia
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> My Facebook
>>>> http://www.facebook.com/linuxmalaysia
>>>>
>>>> My Blog
>>>> http://blog.harisfazillah.info/
>>>>
>>>> My Network
>>>> http://linuxdotmy.multiply.com/
>>>
>>>
>>> --
>>> _________________________
>>> http://blog.myinfinityx.com
>>> _________________________
>>>
>>>
>>>
>>
>>
>> --
>> My Facebook
>> http://www.facebook.com/linuxmalaysia
>>
>> My Blog
>> http://blog.harisfazillah.info/
>>
>> My Network
>> http://linuxdotmy.multiply.com/

So far there have been a lot of problems with SSH attacks that use multiple
domains/IPs, multiple usernames and multiple proxies. So one step we can take
is to set AllowUsers in sshd_config, so that only the users we put in there
can log in. Maybe that is one way to curb the flood of brute-force attempts
that are happening on so many boxes right now.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.12 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFLGISQNF5f3mz2bZkRApJQAJ9DUgyV2NsfU9eNNJnCU98O+TEVXgCgtC95
sOQZJ4yBQRwVCWMWSpUiQHg=
=PnZ4
-----END PGP SIGNATURE-----
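Colin Percival's announcement quoted above gives the patch URL and its SHA256, and the step the thread skips over is checking that hash before applying anything. What follows is an added example, not code from the thread, from FreeBSD or from any of the posters: a POSIX shell helper that verifies a downloaded file against a published hash (tolerating the line-wrapping the hash suffered in the e-mail) and, only when explicitly asked, fetches and applies rtld.patch. The URL and hash are the ones quoted in the post; the rebuild commands (patch from /usr/src, then make in /usr/src/libexec/rtld-elf) are assumed from the usual FreeBSD source procedure and should be checked against the advisory.

```shell
#!/bin/sh
# Added example, not from the thread, from FreeBSD or from any poster.
# Verify a downloaded patch against the SHA256 published in the announcement
# before applying it. The URL and hash are the ones quoted in the post; the
# rebuild steps in apply_rtld_patch are an ASSUMPTION based on the usual
# FreeBSD source procedure, not something the post states.

RTLD_PATCH_URL='http://people.freebsd.org/~cperciva/rtld.patch'
# The hash exactly as it was line-wrapped in the e-mail; normalize_hash joins it.
RTLD_PATCH_SHA256='ffcba0c20335dd83e9ac0d0e920faf
5b4aedf366ee5a41f548b95027e3b770c1'

# sha256_of FILE -> hex digest, using whichever tool the host provides
# (FreeBSD ships sha256(1), Linux sha256sum(1); shasum(1) as a fallback).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# normalize_hash HASH -> lowercase hex with spaces, tabs and newlines removed,
# so a hash that a mail client wrapped across lines still compares equal.
normalize_hash() {
    printf '%s' "$1" | tr -d ' \n\t' | tr 'A-F' 'a-f'
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if EXPECTED
# is not a plausible SHA256 (so a typo in the expected hash cannot "pass").
verify_sha256() {
    want=$(normalize_hash "$2")
    case "$want" in
        *[!0-9a-f]*|'') echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "expected hash is not 64 hex digits" >&2; return 2; }
    got=$(sha256_of "$1") || return 2
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "SHA256 mismatch for $1: got $got, expected $want" >&2
    return 1
}

# apply_rtld_patch: fetch, verify, then patch and rebuild the runtime linker.
# ASSUMED procedure (check the FreeBSD advisory): patch from /usr/src, then
# rebuild and install /usr/src/libexec/rtld-elf. Refuses to apply on mismatch.
apply_rtld_patch() {
    tmp=/tmp/rtld.patch.$$
    fetch -o "$tmp" "$RTLD_PATCH_URL" || return 1        # fetch(1): FreeBSD downloader
    verify_sha256 "$tmp" "$RTLD_PATCH_SHA256" || return 1
    ( cd /usr/src && patch < "$tmp" ) || return 1
    ( cd /usr/src/libexec/rtld-elf && make obj && make depend && make && make install )
}

# Stand-alone demo on a constructed file (no network); "apply" as the first
# argument runs the real procedure instead.
if [ "${1:-}" = apply ]; then
    apply_rtld_patch
else
    demo=$(mktemp) || exit 1
    printf 'hello\n' > "$demo"
    # SHA256 of the bytes "hello\n", given wrapped and upper-cased on purpose.
    if verify_sha256 "$demo" '5891B5B522D5DF086D0FF0B110FBD9D2
1BB4FC7163AF34D08286A2E846F6BE03'; then
        echo "demo: digest matches"
    fi
    # The published rtld.patch hash must NOT match this unrelated file.
    verify_sha256 "$demo" "$RTLD_PATCH_SHA256" || echo "demo: mismatch detected as expected"
    rm -f "$demo"
fi
```

A hash check only tells you the file is the one the announcement described; it does not tell you the announcement itself is genuine. Percival's mail was PGP-signed, so the hash is worth trusting only after the signature on the message carrying it has been checked.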
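Harisfazillah's checklist (no-login shells for system and application accounts, removing dormant accounts) and Mohd Fazli's AllowUsers suggestion are both things that can be checked mechanically rather than by eye. What follows is an added example, not code from the thread or from any poster: a POSIX shell script that flags system/application accounts in a passwd file that still have a real login shell, and reports whether an sshd_config restricts logins with AllowUsers, showing a weak configuration beside a hardened one. The passwd lines and the two sshd_config fragments are constructed samples; the uid cut-off of 999 and the list of no-login shells are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from any poster: audit login shells of
# system/application accounts (checklist item 2) and check that sshd_config
# restricts logins with AllowUsers (the suggestion at the end of the mail).
# The passwd lines and sshd_config fragments below are constructed samples.

# Shells that give no interactive login. /usr/sbin/nologin is FreeBSD's,
# /sbin/nologin is common on Linux, /dev/null and /bin/false are the other
# conventions. ASSUMPTION: anything else is treated as a real login shell.
NOLOGIN_SHELLS='/usr/sbin/nologin /sbin/nologin /bin/nologin /dev/null /bin/false'

is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# audit_shells PASSWD_FILE MAX_SYSTEM_UID
# Prints "user:uid:shell" for every non-root account with uid <= MAX_SYSTEM_UID
# (system/application accounts; FreeBSD allocates real users from 1000) that
# still has a login shell. root is skipped: it keeps a shell by design, and
# whether it may log in over ssh is PermitRootLogin's job, not this check's.
audit_shells() {
    while IFS=: read -r user _ uid _ _ _ shell; do
        case "$user" in ''|\#*) continue ;; esac
        [ "$uid" -ne 0 ] && [ "$uid" -le "$2" ] || continue
        is_nologin_shell "$shell" || printf '%s:%s:%s\n' "$user" "$uid" "$shell"
    done < "$1"
}

# count_login_shells PASSWD_FILE MAX_SYSTEM_UID -> number of flagged accounts
count_login_shells() {
    audit_shells "$1" "$2" | wc -l | tr -d ' '
}

# allowusers_status CONFIG USER -> prints one of:
#   unrestricted  no AllowUsers directive (every account may try to log in)
#   allowed       an AllowUsers line names USER
#   denied        AllowUsers is set but USER is not in it
# user@host patterns are compared literally, not expanded.
allowusers_status() {
    allow=$(awk 'tolower($1)=="allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1")
    if [ -z "$allow" ]; then echo unrestricted; return 0; fi
    for u in $allow; do
        if [ "$u" = "$2" ]; then echo allowed; return 0; fi
    done
    echo denied
}

# Demo on constructed data.
dir=$(mktemp -d) || exit 1
cat > "$dir/passwd" <<'EOF'
# constructed sample, not a real host
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/bin/sh
backup:*:900:900:Backup Job:/home/backup:/bin/csh
test:*:1002:1002:test:/home/test:/bin/sh
EOF
echo "system/application accounts with a login shell:"
audit_shells "$dir/passwd" 999

# Weak: no AllowUsers, so every account (including mysql above) may be tried.
cat > "$dir/sshd_config.weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
# Hardened: only the named accounts may log in at all.
cat > "$dir/sshd_config.hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin ops
EOF
for u in admin mysql; do
    echo "weak config, $u: $(allowusers_status "$dir/sshd_config.weak" "$u")"
    echo "hardened config, $u: $(allowusers_status "$dir/sshd_config.hardened" "$u")"
done
rm -rf "$dir"
```

Run the audit against /etc/passwd with 999 as the cut-off on a real host; every line it prints is an account that a web-application compromise of the kind discussed above could use for an interactive login. AllowUsers is a coarse filter: it stops the brute-force noise against names that should never log in, but it does nothing for the accounts it lists, which still need strong passwords or keys.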


More information about the PCBSD-malaysia mailing list