Re: systrace silently patches full local bypass vulnerability on Linux
On Sat, Mar 27, 2004 at 04:01:03PM -0500, spender@xxxxxxxxxxxxxx wrote:
Hi,
I am not aware of the things that happened beforehand (e.g. the flamewar),
but I think I have to comment on some parts of this mail.
I won't take part in the flamewar systrace vs. gr or alike;
both parties have excellent programming skills and it's sad enough
it always goes this way.
I have been IRCing and mailing with spender regarding
grsecurity and hardening patches for the Linux kernel for quite
a while (> 1 year) now, and we discussed a lot of possible
vulnerabilities in chroot implementations, systrace, LIDS and,
of course, some older versions of grsecurity. I have been writing
a paper regarding such topics for the DIMVA conference.
So far for the background...
[...]
> attempt to hide an exploitable vulnerability that has been
> known in the blackhat community ever since systrace was
> released for Linux (almost two years now), Marius and Niels will
> instead try to attack my character, misspell my name, claim
> that I found the bug by diffing, or anything else that will
> take the attention off of this bug. In fact, I know of several
> others that have discovered this bug independently, who I hope
> will respond to this advisory and give weight to my claim if
Yes, this bug (ptrace-bypass) has been known for quite a while, we have discussed
this for ages, and a proof of concept exploit exists.
At least I have written my
own one which reads out /etc/passwd even if it is forbidden. It has
no meaning other than proving that the entry.S code is wrong.
I found the entry.S bug rather trivial and since nobody seemed
to use the Linux port of systrace anyway (and only this has been
tested by me) I put this "exploit" into my dusty box.
[...]
> There are protection bypass vulnerabilities in:
> LIDS
Indeed. With some minor modifications of the lids-hack.tgz
published years ago it's still possible to exploit LIDS, but
I didn't get newer versions of LIDS working (crashes here and there,
and the admin tool produces wrong configs), so I was just pissed
about it and did no further research. I included a short example of
how to bypass LIDS in my DIMVA submission.
> There were also recently several scathing comments made by
> Russell Coker, an employee of RedHat. Some background info on
> Russell: he's from Australia, he's not used to IRC, he can't
> name any blackhats off-hand, and somehow he's a (self-titled?)
> security expert and wants everyone to use SELinux. I had made
> the claim in a channel that the Debian SELinux test box was
> owned by stealth due to a configuration error. It turned out
> that stealth had not owned the Debian SELinux test box, and
> Russell Coker certainly made everyone aware of this. What he
> of course failed to mention (and that he was knowledgeable
> of, as I was CC'd on the mails) was that stealth did own an
> SELinux test machine some time back in Australia due to a
> configuration error. My mistake was believing that there was
I was proving an SELinux box to have a wrong configuration
at the ph-neutral conference last year in Berlin. The machine
was a "hackme" box from Tom and everyone could give it a try at that time.
Since the config was broken it was not very difficult to install
trojans etc. I have discussed this with Tom, and there was no problem at all.
It was not in Australia though, but in Berlin, but that's rather unimportant
and I can understand spender if he confuses this a bit after all the
strange stuff going on. The SE box from Russell has a pretty good
config and it looks like he knows what he's doing with SE. However,
if a hackme box doesn't get owned, it means nothing of course.
I hope you will continue your great work on Grsecurity, Brad. Who
cares which hat you wear while doing so?
Stealth