
Re: systrace silently patches full local bypass vulnerability on Linux



On Sat, Mar 27, 2004 at 04:01:03PM -0500, spender@xxxxxxxxxxxxxx wrote:

Hi,

I am not aware of the things that happened beforehand (e.g. the flamewar),
but I think I have to comment on some parts of this mail.

I won't take part in the flamewar systrace vs. gr or the like;
both parties have excellent programming skills and it's sad enough
that it always goes this way.

I have been IRCing and mailing with spender regarding
grsecurity and hardening patches for the Linux kernel for quite
a while (> 1 year) now, and we have discussed a lot of possible
vulnerabilities in chroot implementations, systrace, LIDS and,
of course, some older versions of grsecurity. I have been writing
a paper regarding such topics for the DIMVA conference.
So much for the background...

[...]
>       attempt to hide an exploitable vulnerability that has been 
>       known in the blackhat community ever since systrace was 
>       released for Linux (almost two years now), Marius and Niels will 
>       instead try to attack my character, misspell my name, claim 
>       that I found the bug by diffing, or anything else that will 
>       take the attention off of this bug.  In fact, I know of several
>       others that have discovered this bug independently, who I hope 
>       will respond to this advisory and give weight to my claim if 
Yes, this bug (ptrace-bypass) has been known for quite a while, we have
discussed it for ages, and a proof-of-concept exploit exists.
At least I have written my
own one, which reads out /etc/passwd even if that is forbidden. It has
no meaning other than proving that the entry.S code is wrong.
I found the entry.S bug rather trivial, and since nobody seemed
to use the Linux port of systrace anyway (and only that has been
tested by me), I put this "exploit" into my dusty box.

[...]
>       There are protection bypass vulnerabilities in:
>       LIDS
Indeed. With some minor modifications of the lids-hack.tgz
published years ago it's still possible to exploit LIDS, but
I didn't get newer versions of LIDS working (crashes here and there,
and the admin tool produces wrong configs), so I was just pissed
about it and did no further research. I included a short example of
how to bypass LIDS in my DIMVA submission.

>       There were also recently several scathing comments made by 
>       Russell Coker, an employee of RedHat.  Some background info on 
>       Russell: he's from Australia, he's not used to IRC, he can't 
>       name any blackhats off-hand, and somehow he's a (self-titled?) 
>       security expert and wants everyone to use SELinux.  I had made 
>       the claim in a channel that the Debian SELinux test box was 
>       owned by stealth due to a configuration error.  It turned out 
>       that stealth had not owned the Debian SELinux test box, and 
>       Russell Coker certainly made everyone aware of this.  What he 
>       of course failed to mention (and that he was knowledgeable 
>       of, as I was CC'd on the mails) was that stealth did own an 
>       SELinux test machine some time back in Australia due to a 
>       configuration error.  My mistake was believing that there was 
I proved an SELinux box to have a wrong configuration
at the ph-neutral conference last year in Berlin. The machine
was a "hackme" box from Tom and everyone could give it a try at that time.
Since the config was broken, it was not very difficult to install
trojans etc. I have discussed this with Tom, and there was no problem at all.
It was not in Australia though, but in Berlin, but that's rather unimportant,
and I can understand spender if he confuses this a bit after all the
strange stuff going on. The SE box from Russell has a pretty good
config and it looks like he knows what he's doing with SE. However,
if a hackme box doesn't get owned, it means nothing, of course.

I hope you will continue your great work on Grsecurity, Brad. Who
cares which hat you wear while doing so?

Stealth