Re: [cobalt-security] NEW local exploit
- Subject: Re: [cobalt-security] NEW local exploit
- From: Peter Batenburg <peter@xxxxxxxxxx>
- Date: Mon, 16 Apr 2001 12:21:30 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi,
I tried the rpms, and they seem to be working great. The only thing I saw
in my messages file is:
Apr 16 12:14:23 xx10 syslogd 1.3-3: restart.
Apr 16 12:14:24 xx10 insmod: Warning: kernel-module minor version mismatch
^I/lib/modules/net/bwmgmt.o was compiled for kernel version 2.2.14$
Apr 16 12:14:24 xx10 insmod: insmod will continue if kernel interface
checksums match
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
interruptible_sleep_on_R23da02ba
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
proc_register_R125d240f
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
__wake_up_Re9831108
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
proc_root_R63cab8d9
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
send_sig_Rabce8e99
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
bw_sock_register_mgmt_Rd430d9dc
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
proc_unregister_R7b368f97
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
interruptible_sleep_on_timeout_R1b9a056a
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
__pollwait_Rf70b5eee
Did I forget something?
Apr 16 12:14:25 xx10 kernel: klogd 1.3-3, log source = /proc/kmsg started.
Apr 16 12:14:25 xx10 kernel: Inspecting /boot/System.map
Apr 16 12:14:25 xx10 kernel: Loaded 7581 symbols from /boot/System.map.
Apr 16 12:14:25 xx10 kernel: Symbols match kernel version 2.2.16.
Apr 16 12:14:25 xx10 kernel: Loaded 7 symbols from 1 module.
Apr 16 12:14:25 xx10 kernel: Linux version 2.2.16C24_III
(root@xxxxxxxxxxxxxxxxxxx) (gcc version 2.95.2 19991024 (release)) #1 Thu
Mar 22 21:$
Apr 16 12:14:25 xx10 kernel: Ignoring bogus EBDA pointer 3ABF000
Apr 16 12:14:25 xx10 kernel: Detected 298807 kHz processor.
Apr 16 12:14:25 xx10 kernel: Pending 0x10
Apr 16 12:14:25 xx10 kernel: Calibrating delay loop... 596.38 BogoMIPS
Apr 16 12:14:25 xx10 kernel: Memory: 62916k/65536k available (1240k kernel
code, 412k reserved, 904k data, 64k init)
Apr 16 12:14:25 xx10 kernel: Dentry hash table entries: 8192 (order 4, 64k)
Apr 16 12:14:25 xx10 kernel: Buffer cache hash table entries: 65536 (order
6, 256k)
Apr 16 12:14:25 xx10 kernel: Page cache hash table entries: 16384 (order 4,
64k)
It's running great so far.
At 10:13 16-4-2001 +0100, you wrote:
2.2.16C24 includes the security fix, manually edited into the code.
You can find the current Cobalt build at;
ftp://ftp.cobaltnet.com/pub/users/thockin/kernels/
Important disclaimer; apply at own risk.
For a RaQ 3, you need to download the following files;
kernel-2.2.16C24_III-1.i386.rpm
kernel-headers-2.2.16C24_III-1.i386.rpm
kernel-reiserfs-utils-2.2.16C24_III-1.i386.rpm
kernel-source-2.2.16C24_III-1.i386.rpm
I'm not sure on the status of patches for RaQ4's (or older RaQs).
Cobalt's FTP server appears to be down (at least, from what I can see), so
I've copied the files to;
http://owned.lab6.com/~gossi/RaQ-security/files
md5sum's of files;
cfd397526dbb685df890800315a15d31 kernel-2.2.16C24_III-1.i386.rpm
6c828271e54f1ed3b9df3e68a9706df2 kernel-headers-2.2.16C24_III-1.i386.rpm
fc691c8fb5b2ddcc211d331d12758e30 kernel-reiserfs-utils-2.2.16C24_III-1.i386.rpm
c3bf2ebc69845985c74df9392a19798c kernel-source-2.2.16C24_III-1.i386.rpm
Again, to reiterate these aren't final Cobalt patches, and as such you
can't get support if applying them kills the RaQ. Having said that, my
RaQ3 has remained stable since applying the RPM.
Regards,
Gossi The Dog.
On Sun, 15 Apr 2001, Peter Batenburg wrote:
> The last thing I heard was, that 2.2.19 is not vuln. So I wonder if you got
> all the bugs out of 2.2.16.
> If you can make that kernel public, I can test it for you on several RaQ's.
> In what period would you expect sun having a fix/patch?
>
> At 16:09 15-4-2001 +0100, you wrote:
> >On Sun, 15 Apr 2001, Adam Sculthorpe wrote:
> >
> > >
> > > Have you posted this vulnerability to BUGTRAQ or any other sites?
> > >
> > > I am happy for you to have discovered a 'nice' new vulnerability but without
> > > either the source code or a full disclosure of what is happening your post
> > > here is pretty useless.
> > >
> > > Adam
> >
> >It's a kernel vuln. I won't bother going into much detail, but I've been
> >working with Sun on a fix for just over a week now. owned.lab6.com
> >currently runs kernel 2.2.16C24_III - a test kernel - and appears to be
> >ok. It successfully patches the exploit.
> >
> >I'd expect a patch to be available soon. It's fairly critical this one is
> >properly tested first, as replacing the RaQ kernel is something that could
> >go badly wrong if the patch wasn't 100% ok.
> >
> >I'd just sit tight for now, Sun are working on it.
> >
> >Regards,
> >Gossi.
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
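Added example, not part of the original message or of Cobalt's tooling: a Python triage of the insmod lines quoted in the message, grouping unresolved symbols per module and comparing the kernel a module was built for with the running kernel. It assumes the syslog wording shown above and the `_R<8 hex digits>` suffix that versioned symbols carry; `triage` and the regex names are illustrative, and the sample is the message's own log with wrapped lines rejoined and trimmed to three symbols.

```python
import re

# Lines taken from the message above (wrapped lines rejoined, list trimmed).
SAMPLE_LOG = """\
Apr 16 12:14:24 xx10 insmod: Warning: kernel-module minor version mismatch
^I/lib/modules/net/bwmgmt.o was compiled for kernel version 2.2.14$
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol interruptible_sleep_on_R23da02ba
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol proc_register_R125d240f
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol __wake_up_Re9831108
Apr 16 12:14:25 xx10 kernel: Symbols match kernel version 2.2.16.
Apr 16 12:14:25 xx10 kernel: Linux version 2.2.16C24_III (root@xxxxxxxxxxxxxxxxxxx)
"""

BUILT_FOR = re.compile(r"(/\S+\.o) was compiled for kernel version ([\d.]+)")
# Versioned (modversions) symbols carry an _R<8 hex digit checksum> suffix.
UNRESOLVED = re.compile(r"insmod: (/\S+\.o): unresolved symbol (\w+?)_R([0-9a-f]{8})\s*$")
RUNNING = re.compile(r"kernel: Linux version (\S+)")


def triage(log_text):
    """Group insmod failures by module and compare build vs. running kernel."""
    running, modules = None, {}
    for line in log_text.splitlines():
        if m := RUNNING.search(line):
            running = m.group(1)
        elif m := BUILT_FOR.search(line):
            modules.setdefault(m.group(1), {"built_for": None, "unresolved": []})
            modules[m.group(1)]["built_for"] = m.group(2)
        elif m := UNRESOLVED.search(line):
            entry = modules.setdefault(m.group(1), {"built_for": None, "unresolved": []})
            entry["unresolved"].append((m.group(2), m.group(3)))
    for entry in modules.values():
        # Stale: built for a different kernel release than the one now running.
        built = entry["built_for"]
        entry["stale"] = bool(built and running and not running.startswith(built))
        # Any unresolved symbol means insmod did not load the module.
        entry["loaded"] = not entry["unresolved"]
    return {"running": running, "modules": modules}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("running kernel:", result["running"])
    for path, info in result["modules"].items():
        print(path, "built for", info["built_for"], "stale:", info["stale"],
              "loaded:", info["loaded"], "missing:", len(info["unresolved"]))
```

Run against the full messages file after a kernel swap, it lists every module that no longer loads, so a missing function is noticed before it is relied on.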