[Triumf-linux-managers] linux kernel exploit (fwd)
Andrew Daviel
advax@triumf.ca
Wed, 19 Jul 2006 16:32:48 -0700 (PDT)
A recent hack attack at CERN and elsewhere may be related to this;
these privilege-escalation exploits may be used by someone who has a
(possibly stolen) user-level account, and sometimes via network access to
an exploitable service which gives them e.g. httpd or mysqld user access.
Note that mounting volumes /nosuid is generally good practice for all
NFS, user+data disks, removable media (CDROM, USB) etc.
The only things that need /suid are system programs such as ping and
mount. In a similar vein, data disks could be mounted /noexec (offers less
scope for hiding malicious programs).
---------- Forwarded message ----------
Date: Wed, 19 Jul 2006 12:52:18 +0200 (MEST)
From: Eduard Avetisyan <dich@mail.desy.de>
To: pcfarm@hermes.le.desy.de, offline-list@mail.desy.de
Subject: offline-list: pcfarm: linux kernel exploit
Hi,
To those who run a standalone (non-DESY) Linux with an up-to-date kernel
(2.6.x), that is, a few desktops and ALL Linux laptops:
there's a working exploit available on the net which allows a user
to become root without asking for password! In combination with other
buggy software (web-browsers, acroread etc) it may serve as a remote
vulnerability. Most linux distros haven't rolled a fix yet. Therefore,
before your system's hacked, run the following workaround:
mount -o remount,nosuid /proc
and also make the line with /proc look like this in the /etc/fstab:
proc /proc proc defaults,nosuid 0 0
This should not affect the functionality of your system.
Cheers
Eduard
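The two mails above recommend the same defensive control: mount /proc, NFS, data disks and removable media with nosuid (and data disks with noexec), and make the /etc/fstab entry for /proc carry nosuid so the setting survives a reboot. The script below is an added example, not part of either mail, that audits a /proc/mounts-style listing for mount points lacking a given option and checks that an fstab /proc line includes nosuid. The mount listing it runs on is constructed for the example; on a real host you would feed it the contents of /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not from the original mails): audit mounts for the
# nosuid / noexec options and verify the fstab line for /proc.

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev 0 0
/dev/sda1 / ext3 rw 0 0
nfsserver:/export/home /home nfs rw,nosuid,nodev 0 0
/dev/sdb1 /data ext3 rw 0 0
/dev/sr0 /media/cdrom iso9660 ro 0 0'

# has_opt OPTIONS OPT: succeed if the comma-separated OPTIONS list contains OPT
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# list_missing OPT MOUNTS_TEXT: print, one per line, every mount point in
# MOUNTS_TEXT whose option list does not contain OPT
list_missing() {
    opt="$1"
    printf '%s\n' "$2" | while read -r dev mnt fstype opts rest; do
        [ -z "$dev" ] && continue
        has_opt "$opts" "$opt" || printf '%s\n' "$mnt"
    done
}

# check_proc_fstab FSTAB_LINE: succeed if the line mounts proc on /proc
# with nosuid among its options (the form recommended in the mail)
check_proc_fstab() {
    set -- $1
    [ "$2" = "/proc" ] && [ "$3" = "proc" ] && has_opt "$4" nosuid
}

# Report on the constructed sample. On a real system replace SAMPLE_MOUNTS
# with "$(cat /proc/mounts)" and read the proc line from /etc/fstab.
echo "Mounts without nosuid:"
list_missing nosuid "$SAMPLE_MOUNTS"
echo "Mounts without noexec:"
list_missing noexec "$SAMPLE_MOUNTS"
if check_proc_fstab "proc /proc proc defaults,nosuid 0 0"; then
    echo "fstab /proc line carries nosuid"
else
    echo "fstab /proc line is missing nosuid"
fi
```

The root filesystem will always show up as lacking nosuid, which is expected since it holds the legitimate setuid binaries (ping, mount); the interesting findings are NFS, data and removable-media mounts, and /proc itself, appearing in the nosuid list.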