[CentOS] local root exploit

Mon Feb 11 21:26:57 UTC 2008
Ross S. W. Walker <rwalker at medallion.com>

Dag Wieers wrote:
> 
> On Mon, 11 Feb 2008, Ross S. W. Walker wrote:
> 
> > Dag Wieers wrote:
> > > On Mon, 11 Feb 2008, jarmo wrote:
> > >
> > > > Of course there's a way, get vanilla kernel 2.6.24.2 and use old config,
> > > > compile it and run. I've done it.
> > >
> > > And *poof* you lost all support or reproducibility that people crave when
> > > using CentOS or RHEL.
> > >
> > > So yes, it is a possibility, but probably unlikely when people have chosen
> > > CentOS or RHEL. And especially for those systems that are considered
> > > production (or important) and that are the most vulnerable you may not
> > > want to do this. (Or maybe instead you need to!)
> >
> > Yes, true, but say you are running a shell account system and want to
> > know it isn't vulnerable, can't wait until upstream provides a fix
> > and don't want to run some possibly flaky work-around patch, what
> > then?
> >
> > I think one needs to weigh the consequences in these scenarios instead
> > of saying it should be all one way or the other.
> 
> Then I would opt to patch the latest Red Hat kernel with e.g. the Debian
> patch rather than running a 2.6.24.2 kernel that may have numerous
> yet-unknown compatibility problems with parts of the system that interact
> with the kernel. And I would make an RPM out of it that upgrades smoothly
> to the next CentOS release.

The problem with the Debian patch is that it may conflict with some of the RH
backports, but if it works, why not submit it to the CentOS team for
testing, as I hear the current RH workaround has issues with GPFs.

If it works then maybe a "FastTrack" kernel could be put out
on CentOS?

The easiest way for me would be to adapt an FC8 kernel package to
C5, then try to play with a back-ported patch from a third-party
system into an already heavily patched kernel.

> But then again, this would be advice for a minority and not 
> something I
> would recommend to everyone on this list.

I personally run my systems behind the firewall, but I suppose
anybody who has CentOS/RHEL 5 that is Internet-facing would
worry a little bit more.

I wonder if any existing user-land utilities have hooks into
vmsplice that may be able to be accessed via PHP, Perl, or CGI?

-Ross

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.
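The thread above is about whether a given box is exposed to the vmsplice(2) local root bug (the February 2008 kernel bug fixed in vanilla 2.6.24.2, tracked as CVE-2008-0600) and whether a shell-account host should wait for the vendor kernel, patch its own, or use a workaround that blocks the syscall. One thing an admin in Ross's position can check right away, without an exploit, is whether vmsplice() is even reachable by an unprivileged user on the running kernel: if it returns ENOSYS or EPERM, a blocking module or filter is in effect; if it moves bytes, that code path is open and only a fixed kernel protects you. The probe below is an added example written for this page, not code from the list, from CentOS or from any vendor; it pushes a constructed buffer into a pipe with vmsplice() and reads it back, and it says nothing about whether the kernel is patched, only whether the syscall is exposed. The result codes and the `classify_vmsplice_result()`/`probe_vmsplice()` names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>

/* Result codes for probe_vmsplice() (names are this example's own). */
enum { VMSPLICE_BLOCKED = 0, VMSPLICE_REACHABLE = 1, VMSPLICE_PROBE_ERROR = -1 };

/* Map the return value and errno of a vmsplice(2) call to a probe result.
 * ENOSYS: the kernel has no vmsplice (pre-2.6.17, or the entry was stubbed out).
 * EPERM:  something (a blocking module, seccomp, an LSM) refused the call.
 * Either way an unprivileged user cannot reach the vmsplice code path. */
int classify_vmsplice_result(long ret, int err)
{
    if (ret >= 0)
        return VMSPLICE_REACHABLE;
    if (err == ENOSYS || err == EPERM)
        return VMSPLICE_BLOCKED;
    return VMSPLICE_PROBE_ERROR;
}

/* Push a small user buffer into a pipe with vmsplice() and read it back.
 * Returns VMSPLICE_REACHABLE if the data round-trips through the kernel,
 * VMSPLICE_BLOCKED if the kernel refuses the syscall, VMSPLICE_PROBE_ERROR
 * on any other failure (pipe creation, short read, data mismatch). */
int probe_vmsplice(void)
{
    static const char payload[] = "vmsplice-probe";   /* constructed sample data */
    char readback[sizeof payload];
    int pfd[2];
    struct iovec iov = { .iov_base = (void *)payload, .iov_len = sizeof payload };
    long ret;
    int result;

    if (pipe(pfd) != 0)
        return VMSPLICE_PROBE_ERROR;

    /* vmsplice() only accepts a pipe; write end is pfd[1]. */
    ret = vmsplice(pfd[1], &iov, 1, 0);
    result = classify_vmsplice_result(ret, errno);

    if (result == VMSPLICE_REACHABLE) {
        /* Confirm the kernel actually moved the bytes rather than just returning. */
        ssize_t n = read(pfd[0], readback, sizeof readback);
        if (n != (ssize_t)sizeof payload || memcmp(readback, payload, sizeof payload) != 0)
            result = VMSPLICE_PROBE_ERROR;
    }
    close(pfd[0]);
    close(pfd[1]);
    return result;
}

int main(void)
{
    int r = probe_vmsplice();
    switch (r) {
    case VMSPLICE_REACHABLE:
        puts("vmsplice(2) is reachable by this user; on an unpatched kernel that is the exploitable path");
        break;
    case VMSPLICE_BLOCKED:
        puts("vmsplice(2) refused (ENOSYS/EPERM): the syscall is disabled or filtered for this user");
        break;
    default:
        perror("vmsplice probe failed for another reason");
    }
    return r == VMSPLICE_PROBE_ERROR ? 1 : 0;
}
```

Run it as an ordinary user (the one whose shell accounts you worry about), not as root: the question is what an unprivileged login can reach. A "reachable" answer on a CentOS 5 kernel older than the vendor fix means the workaround module is not loaded; a "blocked" answer tells you the syscall is filtered but nothing about whether the underlying bug is fixed, so it is no substitute for the patched kernel Dag describes.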