On 22.02.2013 at 21:11, Johnny Hughes johnny@centos.org wrote:
On 02/22/2013 01:50 PM, Les Mikesell wrote:
On Thu, Feb 21, 2013 at 6:03 PM, Johnny Hughes johnny@centos.org wrote:
This issue is not CentOS specific ... here is another discussion:
http://www.webhostingtalk.com/showthread.php?t=1235797
The issue seems to be that someone with local access elevates their privileges in some manner, and after they upgrade their privileges they are then putting a new libkeyutils*.so file on the machine.
But don't forget that what the kernel people call 'local' access really means any bug in any network application that lets you execute an arbitrary command even if it is non-root - and those have historically been pretty common.
Sure .. if you can execute code as a user when you are not supposed to have any access ... then you can elevate privileges by stringing things together after you get the unauthorized access.
However, what people are seeing ... in practice today ... is that machines where there are multiple users and which are running control panel software SEEM to be most affected.
Does that mean that a single user machine will never be compromised ... of course not.
Obviously everyone who has any machines that in any way touch the Internet should be scanning/monitoring their machines for compromise on a routine basis. In my last post, I explained how to find out if you have this kit installed (look at the webhosttalk link from that post).
Remember that the library files that are being put on the machines are not installed via an RPM but copied on as files ... and that only kernel branches > 3.4.32 (in the LTS branch), > 3.7.7 and > 3.8rc6 have had the patches applied. That means IF (and that is a big if) this is the input vector, then all Linux machines (not just CentOS or RHEL) with kernels older than those are susceptible to this issue.
I use the following script to scan top-level directories for files that are not packaged:
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
# accept only an absolute path
BASE=$(echo "$1" | grep ^/)

if [ -z "$BASE" ] ; then
    echo "Usage: $0 /directory"
    exit 1
fi
if ! [ -d "$BASE" ] ; then
    echo "Usage: $0 /directory"
    exit 1
fi

RPML=$(mktemp -t rpml.XXXXXXXXXX) || exit 1
echo "Searching in $BASE"
# every file owned by any installed package, one path per line
rpm -qla | sort > "$RPML"

# -F compares the path as a fixed string and -x requires a whole-line match,
# so file names containing '[' or other regex metacharacters need no escaping;
# the while/read loop keeps paths with spaces intact
find "$BASE" -type f | grep -v "/proc/" | while IFS= read -r TARGET ; do
    if ! grep -Fx "$TARGET" "$RPML" >/dev/null ; then
        echo "$TARGET"
    fi
done

if [ -f "$RPML" ]; then
    rm "$RPML"
fi
exit 0
-- LF
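An added example, not LF's script and not from anyone in the thread: the same "which files does no package own?" check done as a sorted set difference with comm instead of one grep per file, plus a filter for the libkeyutils names the thread is about. The function names, the /proc and /sys exclusions, and the assumption that `rpm -qla` output has been saved to a manifest file beforehand are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Lists regular files under a directory
# that are absent from a saved package manifest (the output of `rpm -qla`).
# Both lists are sorted in the C locale and compared with comm, so paths are
# matched as whole fixed strings: "[", "." or "*" in a name need no escaping,
# and the cost is one sort instead of one grep pass per file.

# unpackaged_files DIR MANIFEST -> prints paths under DIR not in MANIFEST
unpackaged_files() {
    dir=$1
    manifest=$2
    sorted=$(mktemp) || return 1
    LC_ALL=C sort -u "$manifest" > "$sorted"
    # skip the kernel pseudo-filesystems when scanning from /
    find "$dir" -path /proc -prune -o -path /sys -prune -o -type f -print \
        | LC_ALL=C sort -u \
        | LC_ALL=C comm -23 - "$sorted"
    rm -f "$sorted"
}

# keyutils_suspects DIR MANIFEST -> unpackaged files named like libkeyutils*.so*
# (a libkeyutils library that no RPM owns is the sign the thread describes)
keyutils_suspects() {
    unpackaged_files "$1" "$2" | grep '/libkeyutils[^/]*\.so' || true
}

# Run directly:  rpm -qla > /tmp/manifest ; sh this.sh /lib64 /tmp/manifest
case "${1:-}" in
    "") ;;   # no arguments: only define the functions
    *)  unpackaged_files "$1" "${2:?manifest file required}" ;;
esac
```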