
Re: [cobalt-security] NEW local exploit



Hi,

I tried the rpms, and they seem to be working great. The only thing I saw in my messages file is:
Apr 16 12:14:23 xx10 syslogd 1.3-3: restart.
Apr 16 12:14:24 xx10 insmod: Warning: kernel-module minor version mismatch ^I/lib/modules/net/bwmgmt.o was compiled for kernel version 2.2.14$
Apr 16 12:14:24 xx10 insmod: insmod will continue if kernel interface checksums match
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol interruptible_sleep_on_R23da02ba
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol proc_register_R125d240f
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol __wake_up_Re9831108
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol proc_root_R63cab8d9
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol send_sig_Rabce8e99
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol bw_sock_register_mgmt_Rd430d9dc
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol proc_unregister_R7b368f97
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol interruptible_sleep_on_timeout_R1b9a056a
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol __pollwait_Rf70b5eee
Did I forget something?

Apr 16 12:14:25 xx10 kernel: klogd 1.3-3, log source = /proc/kmsg started.
Apr 16 12:14:25 xx10 kernel: Inspecting /boot/System.map
Apr 16 12:14:25 xx10 kernel: Loaded 7581 symbols from /boot/System.map.
Apr 16 12:14:25 xx10 kernel: Symbols match kernel version 2.2.16.
Apr 16 12:14:25 xx10 kernel: Loaded 7 symbols from 1 module.
Apr 16 12:14:25 xx10 kernel: Linux version 2.2.16C24_III (root@xxxxxxxxxxxxxxxxxxx) (gcc version 2.95.2 19991024 (release)) #1 Thu Mar 22 21:$
Apr 16 12:14:25 xx10 kernel: Ignoring bogus EBDA pointer 3ABF000
Apr 16 12:14:25 xx10 kernel: Detected 298807 kHz processor.
Apr 16 12:14:25 xx10 kernel: Pending 0x10
Apr 16 12:14:25 xx10 kernel: Calibrating delay loop... 596.38 BogoMIPS
Apr 16 12:14:25 xx10 kernel: Memory: 62916k/65536k available (1240k kernel code, 412k reserved, 904k data, 64k init)
Apr 16 12:14:25 xx10 kernel: Dentry hash table entries: 8192 (order 4, 64k)
Apr 16 12:14:25 xx10 kernel: Buffer cache hash table entries: 65536 (order 6, 256k)
Apr 16 12:14:25 xx10 kernel: Page cache hash table entries: 16384 (order 4, 64k)

It's running great so far.


At 10:13 16-4-2001 +0100, you wrote:

2.2.16C24 includes the security fix, manually edited into the code.

You can find the current Cobalt build at;
ftp://ftp.cobaltnet.com/pub/users/thockin/kernels/

Important disclaimer; apply at own risk.

For a RaQ 3, you need to download the following files;

kernel-2.2.16C24_III-1.i386.rpm
kernel-headers-2.2.16C24_III-1.i386.rpm
kernel-reiserfs-utils-2.2.16C24_III-1.i386.rpm
kernel-source-2.2.16C24_III-1.i386.rpm

I'm not sure on the status of patches for RaQ4's (or older RaQs).

Cobalt's FTP server appears to be down (at least, from what I can see), so
I've copied the files to;

http://owned.lab6.com/~gossi/RaQ-security/files

md5sum's of files;

cfd397526dbb685df890800315a15d31  kernel-2.2.16C24_III-1.i386.rpm
6c828271e54f1ed3b9df3e68a9706df2  kernel-headers-2.2.16C24_III-1.i386.rpm
fc691c8fb5b2ddcc211d331d12758e30  kernel-reiserfs-utils-2.2.16C24_III-1.i386.rpm
c3bf2ebc69845985c74df9392a19798c  kernel-source-2.2.16C24_III-1.i386.rpm

Again, to reiterate these aren't final Cobalt patches, and as such you
can't get support if applying them kills the RaQ.  Having said that, my
RaQ3 has remained stable since applying the RPM.

Regards,
Gossi The Dog.



On Sun, 15 Apr 2001, Peter Batenburg wrote:

> The last thing I heard was that 2.2.19 is not vuln. So I wonder if you got
> all the bugs out of 2.2.16.
> If you can make that kernel public, I can test it for you on several RaQ's.
> In what period would you expect Sun having a fix/patch?
>
> At 16:09 15-4-2001 +0100, you wrote:
> >On Sun, 15 Apr 2001, Adam Sculthorpe wrote:
> >
> > >
> > > Have you posted this vulnerability to BUGTRAQ or any other sites?
> > >
> > > I am happy for you to have discovered a 'nice' new vulnerability but without
> > > either the source code or a full disclosure of what is happening your post
> > > here is pretty useless.
> > >
> > > Adam
> >
> >It's a kernel vuln.  I won't bother going into much detail, but I've been
> >working with Sun on a fix for just over a week now.  owned.lab6.com
> >currently runs kernel 2.2.16C24_III - a test kernel - and appears to be
> >ok.  It successfully patches the exploit.
> >
> >I'd expect a patch to be available soon.  It's fairly critical this one is
> >properly tested first, as replacing the RaQ kernel is something that could
> >go badly wrong if the patch wasn't 100% ok.
> >
> >I'd just sit tight for now, Sun are working on it.
> >
> >Regards,
> >Gossi.
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
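
As an added example (not part of the original messages or of any Cobalt tooling): a small Python check over syslog lines in the format quoted at the top of this message, grouping insmod's complaints per module so that a module built for a different kernel than the one now running stands out after a kernel upgrade. The sample lines are a constructed subset of that excerpt; the function and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the syslog excerpt quoted in the message
# ("^I" and the trailing "$" are kept as they appear there).
SAMPLE_LOG = """\
Apr 16 12:14:24 xx10 insmod: Warning: kernel-module minor version mismatch ^I/lib/modules/net/bwmgmt.o was compiled for kernel version 2.2.14$
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol proc_register_R125d240f
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol __wake_up_Re9831108
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol send_sig_Rabce8e99
Apr 16 12:14:25 xx10 kernel: Symbols match kernel version 2.2.16.
"""

BUILT_FOR = re.compile(r"insmod: .*?(/\S+\.o) was compiled for kernel version (\d+(?:\.\d+)+)")
UNRESOLVED = re.compile(r"insmod: (/\S+\.o): unresolved symbol (\w+?)_R([0-9a-f]{8})\s*$")
RUNNING = re.compile(r"kernel: Symbols match kernel version (\d+(?:\.\d+)+)")


def audit_module_loads(log_text):
    """Return {module_path: findings} for every module insmod complained about."""
    running = None
    mods = defaultdict(lambda: {"built_for": None, "unresolved": {}})
    for line in log_text.splitlines():
        if m := BUILT_FOR.search(line):
            mods[m.group(1)]["built_for"] = m.group(2)
        elif m := UNRESOLVED.search(line):
            # The _R<8 hex> suffix is the versioned-symbol checksum the module expects.
            mods[m.group(1)]["unresolved"][m.group(2)] = m.group(3)
        elif m := RUNNING.search(line):
            running = m.group(1)
    return {
        path: {
            "built_for": info["built_for"],
            "running": running,
            "unresolved": info["unresolved"],
            # insmod does not load a module that has unresolved symbols.
            "load_failed": bool(info["unresolved"]),
        }
        for path, info in mods.items()
    }


if __name__ == "__main__":
    for path, r in audit_module_loads(SAMPLE_LOG).items():
        state = "NOT loaded" if r["load_failed"] else "loaded"
        print(f"{path}: built for {r['built_for']}, running {r['running']}, {state}")
        for sym, crc in sorted(r["unresolved"].items()):
            print(f"  unresolved {sym} (expected checksum {crc})")
```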
