RE: Another local exploit

From: Leif Sawyer <lsawyer@gci.com>
Date: Mon Jul 17 2006 - 09:51:15 AKDT

Top-post. heh.

That'd be:

# mount -o remount /proc

> -----Original Message-----
> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org]
> On Behalf Of Oliver Savage
> Sent: Saturday, July 15, 2006 8:09 PM
> To: aklug@aklug.org
> Subject: Re: Another local exploit
>
> On 7/15/06, captgoodnight captgoodnight
> <captgoodnight@hotmail.com> wrote:
> >
> > http://www.securityfocus.com/bid/18992/info
> >
> > LOL, this one is really bad! Fun too. OMG.
> >
> > Anyone have ideas on a workaround?
> >
> > thanks,
> >
> > --eddie
>
> Following this thread
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
> a suggestion was made to: "Mount /proc as nosuid."
>
> I haven't really mucked with SUID settings before, although
> the hour worth of reading I have done because of this seems
> worthwhile. Someone else on the list may have better
> instructions, and may better know the side effects of setting
> /proc to nosuid. You are warned that this advice comes from
> an SUID amateur; please someone tell me if this is not a good
> idea, or if I am doing it wrong.
>
> If you have never edited /etc/fstab you may want to peruse
> man fstab and man mount, and read this webpage:
> http://www.tuxfiles.org/linuxhelp/fstab.html.
> You may also want to read 'man proc'.
>
> I edited the fstab line
> proc /proc proc defaults 0 0
> to read
> proc /proc proc defaults,nosuid 0 0
>
> Then I rebooted, although it is possible that a mount -a [-t
> type] [-O optlist] command would allow you to do this without
> rebooting.
>
> Further SUID and permissions information can be found at the
> following:
> http://www.linuxjournal.com/article/1190
> http://www.homepage.montana.edu/~unixuser/051602/SUID.html
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org> with
> 'unsubscribe' in the message body.
>
>

Received on Mon Jul 17 09:51:29 2006
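
A check that the workaround discussed in this thread took effect, added here as an example and not part of the original messages: it reads a mount table in fstab format and reports whether the /proc entry carries nosuid. The function names `has_mount_opt` and `report` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Mount tables in fstab format, which
# /proc/mounts also uses: device  mountpoint  fstype  options  dump  pass

# has_mount_opt FILE MOUNTPOINT OPTION
# Exit status: 0 = OPTION set, 1 = OPTION missing, 2 = no entry for MOUNTPOINT.
has_mount_opt() {
    awk -v mp="$2" -v opt="$3" '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        $2 == mp { found = 1; opts = $4 }   # keep the last matching entry
        END {
            if (!found) exit 2
            n = split(opts, o, ",")         # match whole options, not substrings
            for (i = 1; i <= n; i++) if (o[i] == opt) exit 0
            exit 1
        }' "$1"
}

# report FILE: print a one-line verdict for /proc and nosuid.
report() {
    st=0
    has_mount_opt "$1" /proc nosuid || st=$?
    case $st in
        0) echo "$1: /proc has nosuid" ;;
        1) echo "$1: /proc is missing nosuid" ;;
        *) echo "$1: no /proc entry" ;;
    esac
    return "$st"
}

# Constructed samples: the fstab line before and after the edit in the thread.
tmp=$(mktemp -d)
printf '%s\n' '# constructed sample' 'proc /proc proc defaults 0 0' > "$tmp/fstab.before"
printf '%s\n' '# constructed sample' 'proc /proc proc defaults,nosuid 0 0' > "$tmp/fstab.after"
report "$tmp/fstab.before" || true
report "$tmp/fstab.after"
rm -rf "$tmp"

# On a live system, compare the configured and the active state:
#   report /etc/fstab; report /proc/mounts
```

An edit to /etc/fstab shows up in /proc/mounts only after a remount or reboot, so both files are worth checking.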

This archive was generated by hypermail 2.1.8 : Mon Jul 17 2006 - 09:51:29 AKDT