[ Ivan Dimkovic @ 03.11.2009. 23:14 ] @
Oh no - some more null pointers :)

http://www.theregister.co.uk/2...03/linux_kernel_vulnerability/

Quote:

A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.

The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution, short for Red Hat Enterprise Linux, doesn't properly implement that protection, Brad Spengler, who discovered the bug in mid October, told The Register.

What's more, many administrators are forced to disable the feature so their systems can run developer tools or desktop environments such as Wine.

The vulnerability was first reported by Spengler, a developer at grsecurity, a maker of applications that enhance the security of Linux. On October 22, he wrote a proof of concept attack for the local root exploit. Over the past few months, he has emerged as an outspoken critic of security practices followed by the team responsible for the Linux kernel.


:-)

Although the headline is wrong too... it's not "last Linux" but "all" of them except the next one :)

Quote:

Over the past few months, he has emerged as an outspoken critic of security practices followed by the team responsible for the Linux kernel.


Umm... which "security practices"? "Bazaar-style caution?" :-)


[ mulaz @ 03.11.2009. 23:43 ] @
imho: local privilege escalation < remote DoS (M$ smb2)
[ Ivan Dimkovic @ 03.11.2009. 23:48 ] @
Great, I suppose when some user has a shell on some shared web or similar... server, that's all OK :-)
[ mulaz @ 03.11.2009. 23:54 ] @
Quote:
The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. But to make RHEL compatible with a larger body of applications, that distribution is vulnerable to attack even when the OS shows the feature is enabled, Spengler said.


so, first of all it has to be RHEL (more or less)

second, patches for RHEL have already been made

it's still easier to set every user's shell to /bin/nologin, patch the server, and put everything back (the websites stay available the whole time, of course) than to take a file server off the network (completely) and wait for M$ to fix smb2, because anyone on the network can crash the server (and we all know what it's like at universities and on university networks, where a few hundred students are on the network all the time, and in the end there's no way to see who was responsible, nobody can lose their job over it, and everybody is bored :))
[ Ivan Dimkovic @ 03.11.2009. 23:57 ] @
And why are you talking about MS SMB in this thread? We have a separate thread for that:

http://www.elitesecurity.org/t...t-Windows-iliti-SMB-gt-OPET-lt <- and I was the one who started it

I don't get it, does the fact that Windows has holes too make the idiocies with null pointers in the Linux kernel... lesser idiocies?

Also... besides RHEL, it also says:

Quote:

What's more, many administrators are forced to disable the feature so their systems can run developer tools or desktop environments such as Wine.


Although, it's not quite clear to me why Wine would need something like this...
[ mulaz @ 04.11.2009. 00:03 ] @
I don't understand why anyone would run Wine on a server either :)
[ combuster @ 04.11.2009. 00:28 ] @
https://lists.ubuntu.com/archi...tu-devel/2008-July/025774.html

http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

http://www.linuxinsight.com/proc_sys_vm_mmap_min_addr.html

So it's exclusively about emulating 16-bit applications, which 0.01% of users use. And on a server, at that? C'mon...
[ Ivan Dimkovic @ 04.11.2009. 09:27 ] @
Don't forget RHEL :)
[ EArthquake @ 04.11.2009. 09:28 ] @
hehe, uncle spender again :)

he also wrote a small framework for exploiting null ptr deref bugs in Linux
http://www.grsecurity.net/~spender/enlightenment.tgz
[ Stator @ 04.11.2009. 11:33 ] @
RH has patched it too, so there's no problem.
http://rhn.redhat.com/errata/RHSA-2009-1548.html

Of course, anyone who was using SELinux in enforcing mode had nothing to fear from the start.
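The two mitigations the thread keeps coming back to (combuster's links on `mmap_min_addr`, and Stator's point about SELinux in enforcing mode) can be checked on a host with a few lines of shell. The following script is an added example and is not code from the thread, from grsecurity or from Red Hat; the 65536 threshold is an assumption (the value most distributions shipped by default at the time), and the classification names are made up here for reporting.

```shell
#!/bin/sh
# Added example: report whether a host has the two mitigations discussed in
# the thread in place: the vm.mmap_min_addr sysctl and SELinux enforcing mode.

# classify_mmap_min_addr VALUE
# Prints protected|weak|unprotected|unknown for a raw sysctl value.
classify_mmap_min_addr() {
    case "$1" in
        ''|*[!0-9]*) echo unknown; return 2 ;;   # empty or non-numeric input
    esac
    # Assumption: 65536 is the expected default; anything at or above it
    # is treated as the intended setting.
    if [ "$1" -ge 65536 ]; then echo protected; return 0; fi
    if [ "$1" -gt 0 ];     then echo weak;      return 1; fi
    echo unprotected
    return 1
}

# classify_selinux MODE
# Prints enforcing|not-enforcing for the output of getenforce.
classify_selinux() {
    case "$1" in
        Enforcing|enforcing) echo enforcing;     return 0 ;;
        *)                   echo not-enforcing; return 1 ;;
    esac
}

# Read the live values when available; an unreadable sysctl yields an empty
# string (classified as unknown) and a missing getenforce counts as Disabled.
read_mmap_min_addr() {
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        cat /proc/sys/vm/mmap_min_addr
    else
        echo ""
    fi
}

read_selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo Disabled
    fi
}

# host_report: one-line summary for the current host.
host_report() {
    m=$(classify_mmap_min_addr "$(read_mmap_min_addr)")
    s=$(classify_selinux "$(read_selinux_mode)")
    echo "mmap_min_addr=$m selinux=$s"
}

host_report
```

As the quoted article says for RHEL, a sysctl that reads as enabled is not proof that the protection is effective on that distribution, so this check is a triage aid: the actual fix is the vendor kernel update (RHSA-2009-1548 for RHEL, per Stator's link), and the script only tells you which hosts to look at first.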
[ xtraya @ 05.11.2009. 00:30 ] @
Dimkovic
Quote:
Great, I suppose when some user has a shell on some shared web or similar... server, that's all OK :-)



Pfff... yeah yeah, sure they will, when they buy hosting :)
[ Dundjerski Nemanja @ 05.11.2009. 12:48 ] @
^ In general, a user might be able to run it in some ways. If they have PHP, maybe they could use some system, passthrough, exec, fork, popen or similar function? Of course, that execution depends on several factors and the server's security, but the point is that it's still not pleasant when a vulnerability like this goes public :-(