11-02-2008, 08:49 | #1 |
Preparing more tumbleweed
Join Date: Jun 2006
Location: Hawaii
Posts: 6,038
|
*nix server folks
http://it.slashdot.org/article.pl?si...11257&from=rss
Just a heads up in case you haven't seen it. My boss has tested the exploit on a couple of boxes at work (ones that don't have customer logins) and confirmed it works and thus may present a problem. Guess we'll be figuring out which boxes are affected this morning and getting them patched or whatever. edit: http://bugs.debian.org/cgi-bin/bugre...?bug=464953#14 possible workaround available there.
__________________
Mal: Define "interesting"? Wash: "Oh, God, oh, God, we're all gonna die"? Last edited by Garp; 11-02-2008 at 08:54. |
11-02-2008, 09:55 | #2 |
Simple & Red
Join Date: Jul 2006
Posts: 535
|
Cheers! That's pretty scary.
|
11-02-2008, 11:17 | #3 |
The Stig
Join Date: Jun 2006
Location: Swad!
Posts: 10,713
|
Don't see many of those!
Thanks for the heads up
__________________
apt-get moo |
11-02-2008, 11:25 | #4 |
I'm going for a scuttle...
Join Date: Jul 2006
Posts: 2,021
|
I will test my boxes now. Cheers for the heads-up.
|
11-02-2008, 12:57 | #5 |
Screaming Orgasm
Join Date: Jul 2006
Location: Newbury
Posts: 15,194
|
Code:
mvg@icebox ~/exploit $ ./5092
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f16000 .. 0xb7f48000
[+] root
icebox exploit #
|
11-02-2008, 19:03 | #6 |
Preparing more tumbleweed
Join Date: Jun 2006
Location: Hawaii
Posts: 6,038
|
Thankfully we've figured out that the main servers that customers can ssh onto aren't affected by this bug. One huge collective sigh of relief at that.
|
12-02-2008, 01:52 | #7 |
Screaming Orgasm
Join Date: Jul 2006
Location: Newbury
Posts: 15,194
|
Looks like this can be used to good DoS effect as well. Either that or it's a coincidence my server panicked spectacularly several hours after testing the exploit.
Went writing to the RAID array too. Data seems to be intact (touch wood). |
12-02-2008, 01:55 | #8 |
I'm going for a scuttle...
Join Date: Jul 2006
Posts: 2,021
|
In the Debian bug reports there have been a few people saying that the exploit or associated patches etc. have been causing hard crashes. Perhaps you are a victim of that? Pure speculation though, could be a coincidence, but then Linux boxes don't really lock up all that often...
|
12-02-2008, 02:06 | #9 |
Screaming Orgasm
Join Date: Jul 2006
Location: Newbury
Posts: 15,194
|
The system itself didn't hard lock, but anything that tried to access parts of the affected filesystem did.
Anyway, the power button soon cured it. I'll remember to reboot afterwards if I decide to re-run that exploit code again. |
12-02-2008, 15:40 | #10 |
Preparing more tumbleweed
Join Date: Jun 2006
Location: Hawaii
Posts: 6,038
|
One of our sys-arch's warned his previous employers about the exploit. "Oh no, we've spoken with our technical guys and they assure us our server is safe".
2 minutes later he's FTP'd up a copy of the exploit, and triggered it. Boom
|