
Re: [cobalt-security] NEW local exploit



Yeah - those RPMs are missing the bandwidth kernel module for whatever
reason.  Hopefully they will be compiled sometime soon.  It's not a major
problem, however (I'm not even sure what they're used for, quite
honestly).


On Mon, 16 Apr 2001, Peter Batenburg wrote:

> Hi,
>
> I tried the rpms, and they seem to be working great. The only thing I saw
> in my messages file is:
> Apr 16 12:14:23 xx10 syslogd 1.3-3: restart.
> Apr 16 12:14:24 xx10 insmod: Warning: kernel-module minor version mismatch
> ^I/lib/modules/net/bwmgmt.o was compiled for kernel version 2.2.14$
> Apr 16 12:14:24 xx10 insmod: insmod will continue if kernel interface
> checksums match
> Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
> interruptible_sleep_on_R23da02ba
> Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
> proc_register_R125d240f
> Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
> __wake_up_Re9831108
> Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
> proc_root_R63cab8d9
> Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
> send_sig_Rabce8e99
> Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
> bw_sock_register_mgmt_Rd430d9dc
> Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
> proc_unregister_R7b368f97
> Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
> interruptible_sleep_on_timeout_R1b9a056a
> Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol
> __pollwait_Rf70b5eee
> Did I forget something?
>
> Apr 16 12:14:25 xx10 kernel: klogd 1.3-3, log source = /proc/kmsg started.
> Apr 16 12:14:25 xx10 kernel: Inspecting /boot/System.map
> Apr 16 12:14:25 xx10 kernel: Loaded 7581 symbols from /boot/System.map.
> Apr 16 12:14:25 xx10 kernel: Symbols match kernel version 2.2.16.
> Apr 16 12:14:25 xx10 kernel: Loaded 7 symbols from 1 module.
> Apr 16 12:14:25 xx10 kernel: Linux version 2.2.16C24_III
> (root@xxxxxxxxxxxxxxxxxxx) (gcc version 2.95.2 19991024 (release)) #1 Thu
> Mar 22 21:$
> Apr 16 12:14:25 xx10 kernel: Ignoring bogus EBDA pointer 3ABF000
> Apr 16 12:14:25 xx10 kernel: Detected 298807 kHz processor.
> Apr 16 12:14:25 xx10 kernel: Pending 0x10
> Apr 16 12:14:25 xx10 kernel: Calibrating delay loop... 596.38 BogoMIPS
> Apr 16 12:14:25 xx10 kernel: Memory: 62916k/65536k available (1240k kernel
> code, 412k reserved, 904k data, 64k init)
> Apr 16 12:14:25 xx10 kernel: Dentry hash table entries: 8192 (order 4, 64k)
> Apr 16 12:14:25 xx10 kernel: Buffer cache hash table entries: 65536 (order
> 6, 256k)
> Apr 16 12:14:25 xx10 kernel: Page cache hash table entries: 16384 (order 4,
> 64k)
>
> It's running great so far.
>
>
> At 10:13 16-4-2001 +0100, you wrote:
>
> >2.2.16C24 includes the security fix, manually edited into the code.
> >
> >You can find the current Cobalt build at;
> >ftp://ftp.cobaltnet.com/pub/users/thockin/kernels/
> >
> >Important disclaimer; apply at own risk.
> >
> >For a RaQ 3, you need to download the following files;
> >
> >kernel-2.2.16C24_III-1.i386.rpm
> >kernel-headers-2.2.16C24_III-1.i386.rpm
> >kernel-reiserfs-utils-2.2.16C24_III-1.i386.rpm
> >kernel-source-2.2.16C24_III-1.i386.rpm
> >
> >I'm not sure on the status of patches for RaQ4's (or older RaQs).
> >
> >Cobalt's FTP server appears to be down (at least, from what I can see), so
> >I've copied the files to;
> >
> >http://owned.lab6.com/~gossi/RaQ-security/files
> >
> >md5sum's of files;
> >
> >cfd397526dbb685df890800315a15d31  kernel-2.2.16C24_III-1.i386.rpm
> >6c828271e54f1ed3b9df3e68a9706df2  kernel-headers-2.2.16C24_III-1.i386.rpm
> >fc691c8fb5b2ddcc211d331d12758e30  kernel-reiserfs-utils-2.2.16C24_III-1.i386.rpm
> >c3bf2ebc69845985c74df9392a19798c  kernel-source-2.2.16C24_III-1.i386.rpm
> >
> >Again, to reiterate these aren't final Cobalt patches, and as such you
> >can't get support if applying them kills the RaQ.  Having said that, my
> >RaQ3 has remained stable since applying the RPM.
> >
> >Regards,
> >Gossi The Dog.
> >
> >
> >
> >On Sun, 15 Apr 2001, Peter Batenburg wrote:
> >
> > > The last thing I heard was, that 2.2.19 is not vuln. So I wonder if you got
> > > all the bugs out of 2.2.16.
> > > If you can make that kernel public, I can test it for you on several RaQ's.
> > > In what period would you expect Sun having a fix/patch?
> > >
> > > At 16:09 15-4-2001 +0100, you wrote:
> > > >On Sun, 15 Apr 2001, Adam Sculthorpe wrote:
> > > >
> > > > >
> > > > > Have you posted this vulnerability to BUGTRAQ or any other sites?
> > > > >
> > > > > I am happy for you to have discovered a 'nice' new vulnerability but
> > > > > without either the source code or a full disclosure of what is happening
> > > > > your post here is pretty useless.
> > > > >
> > > > > Adam
> > > >
> > > > >It's a kernel vuln.  I won't bother going into much detail, but I've been
> > > >working with Sun on a fix for just over a week now.  owned.lab6.com
> > > >currently runs kernel 2.2.16C24_III - a test kernel - and appears to be
> > > >ok.  It successfully patches the exploit.
> > > >
> > > >I'd expect a patch to be available soon.  It's fairly critical this one is
> > > >properly tested first, as replacing the RaQ kernel is something that could
> > > >go badly wrong if the patch wasn't 100% ok.
> > > >
> > > >I'd just sit tight for now, Sun are working on it.
> > > >
> > > >Regards,
> > > >Gossi.
> > >
> > > _______________________________________________
> > > cobalt-security mailing list
> > > cobalt-security@xxxxxxxxxxxxxxx
> > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > >
> >
>
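
The insmod lines quoted in this thread show a module built for the previous kernel failing to load once the patched kernel is running. The following is an added example, not part of the thread or of any Cobalt tooling: a Python check that pulls such failures out of a messages file. The log sample is constructed from the quoted lines (wrapped lines re-joined), the function name is hypothetical, and the `_R<8 hex>` symbol-suffix handling is an assumption about the log format.

```python
import re

# Constructed sample modelled on the insmod/klogd lines quoted in the thread
# (mail-wrapped lines re-joined; build user is a placeholder).
SAMPLE_LOG = """\
Apr 16 12:14:24 xx10 insmod: Warning: kernel-module minor version mismatch \t/lib/modules/net/bwmgmt.o was compiled for kernel version 2.2.14
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol proc_register_R125d240f
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol __wake_up_Re9831108
Apr 16 12:14:24 xx10 insmod: /lib/modules/net/bwmgmt.o: unresolved symbol send_sig_Rabce8e99
Apr 16 12:14:25 xx10 kernel: Symbols match kernel version 2.2.16.
Apr 16 12:14:25 xx10 kernel: Linux version 2.2.16C24_III (root@example) (gcc version 2.95.2)
"""

BUILT_FOR = re.compile(r"(/\S+\.o) was compiled for kernel version (\d+\.\d+\.\d+)")
UNRESOLVED = re.compile(r"insmod: (/\S+\.o): unresolved symbol (\S+)")
RUNNING = re.compile(r"kernel: Linux version (\d+\.\d+\.\d+)")
# Assumption: a trailing _R<8 hex digits> (or _Rsmp_<8 hex>) is the
# symbol-version checksum appended when module versioning is enabled.
CRC_SUFFIX = re.compile(r"_R(?:smp_)?[0-9a-f]{8}$")


def audit_module_loads(log_text):
    """Return (running_base_version, {module_path: details}) for failed loads."""
    running = None
    modules = {}

    def entry(path):
        return modules.setdefault(
            path, {"built_for": None, "unresolved": [], "stale": False})

    for line in log_text.splitlines():
        if (m := RUNNING.search(line)):
            running = m.group(1)
        if (m := BUILT_FOR.search(line)):
            entry(m.group(1))["built_for"] = m.group(2)
        if (m := UNRESOLVED.search(line)):
            # Strip the checksum so the report shows the plain kernel symbol.
            entry(m.group(1))["unresolved"].append(CRC_SUFFIX.sub("", m.group(2)))
    for info in modules.values():
        # Stale: built for a different base version than the running kernel,
        # or the loader could not resolve its symbols.
        mismatch = running is not None and info["built_for"] not in (None, running)
        info["stale"] = mismatch or bool(info["unresolved"])
    return running, modules


if __name__ == "__main__":
    running, modules = audit_module_loads(SAMPLE_LOG)
    for path, info in modules.items():
        print(path, "built for", info["built_for"], "running", running, info["unresolved"])
```

A module flagged as stale here needs rebuilding against the headers of the installed kernel before it will load.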