Possible security problem??

Richard B. Johnson (root@chaos.analogic.com)
Tue, 9 Feb 1999 09:12:59 -0500 (EST)


I observed that some network connection was running strace on the
inet daemon on one of my machines that is 'visible' on the internet.
I don't know how; there was apparent hack at anything. It's just
that some inbound connection was able to execute strace, and it
was executed as root:

Script started on Tue Feb 9 09:01:54 1999
# ps -laxw
warning: `-' deprecated; use `ps laxw', not `ps -laxw'
FLAGS UID PID PPID PRI NI SIZE RSS WCHAN STA TTY TIME COMMAND
[SNIPPED a lot]

0 0 138 1 0 0 812 0 read_chan SW 4 0:00 (agetty)
0 0 139 1 0 0 812 0 read_chan SW 5 0:00 (agetty)
0 0 140 1 0 0 812 0 read_chan SW 6 0:00 (agetty)
0 0 2948 1 0 0 812 0 read_chan SW 1 0:00 (agetty)
0 0 5409 1 0 0 1056 0 syscall_tra TW ? 0:00 (in.telnetd)
^^^^^^^^^^^^^

100 0 5931 5930 4 0 1168 676 wait4 S ? 0:00 -bash
0 0 5960 5931 4 0 820 320 read_chan S ? 0:00 script
40 0 5961 5960 5 0 824 356 read_chan S ? 0:00 script
0 0 5962 5961 9 0 1168 652 wait4 S ? 0:00 bash -i
100 0 5964 5962 10 0 900 440 R ? 0:00 ps -laxw
# cd /proc/5409
# ls
cmdline cwd exe maps root statm
cpu environ fd mem stat status
# cat cmdline
# cat environ
# cat mem
cat: mem: No such process
# cat stat
5409 (in.telnetd) T 1 53 53 0 -1 0 20 0 138 0 1 0 0 0 0 0 0 0 46359898 1081344 0 2147483647 134217728 134247578 3221224896 3221223984 1074076112 0 0 0 0 3222321673 34 0 17
# cat statm
34 0 0 0 0 0 0
# cat status
Name: in.telnetd
State: T (stopped)
Pid: 5409
PPid: 1
Uid: 0 0 0 0
Gid: 0 0 0 0
VmSize: 1056 kB
VmLck: 0 kB
VmRSS: 0 kB
VmData: 248 kB
VmStk: 8 kB
VmExe: 0 kB
VmLib: 24 kB
SigPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000080000000
SigCgt: 0000000000000000
CapInh: 00000000fffffeff
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
# cd fd
# file *
0: broken symbolic link to socket:[7954]
1: broken symbolic link to socket:[7954]
2: broken symbolic link to socket:[7954]
3: symbolic link to /dev/ptyp0
# exit
exit

Script done on Tue Feb 9 09:03:39 1999

I have the sources for inetd and there is no strace hack there.

Cheers,
Dick Johnson
***** FILE SYSTEM WAS MODIFIED *****
Penguin : Linux version 2.2.1 on an i686 machine (400.59 BogoMips).
Warning : It's hard to remain at the trailing edge of technology.
Wisdom : It's not a Y2K problem. It's a Y2Day problem.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
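A defender-side check for the condition shown in the transcript, added here as an example and not part of the original post: it parses the /proc/<pid>/status format from the session and flags processes that are stopped or have a tracer attached. The TracerPid field and the 't (tracing stop)' state are modern-kernel fields the 2.2 output above lacks; the fallback on state 'T' plus a syscall_trace wchan mirrors what the ps listing showed, and the SAMPLE_STATUS block is constructed from the post's own status output.

```python
import os

def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def suspicious(status_text, wchan=""):
    """Return why a process looks ptrace-attached or stopped, else None."""
    f = parse_status(status_text)
    # TracerPid and the 't (tracing stop)' state exist on modern kernels only;
    # the 2.2 output in the post has neither, hence the fallbacks below.
    tracer = f.get("TracerPid", "0")
    if tracer != "0":
        return "traced by pid " + tracer
    state = f.get("State", "")
    if state.startswith("t"):
        return "in tracing stop"
    if state.startswith("T"):
        # Plain 'T' also covers a harmless SIGSTOP, so look for the wchan the
        # post's ps showed (syscall_trace), or a root daemon reparented to init.
        if wchan.startswith("syscall_tra"):
            return "stopped inside syscall_trace"
        if f.get("PPid") == "1" and f.get("Uid", "").split()[:1] == ["0"]:
            return "root daemon stopped (look for an attached tracer)"
    return None

def scan_proc(proc="/proc"):
    """Walk a live /proc tree; return {pid: reason} for suspect processes."""
    hits = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "status")) as fh:
                status = fh.read()
            with open(os.path.join(proc, pid, "wchan")) as fh:
                wchan = fh.read()
        except OSError:
            continue  # exited mid-scan, or not readable by this user
        reason = suspicious(status, wchan)
        if reason:
            hits[pid] = reason
    return hits
# Constructed sample: the status block from the post, trimmed to the fields used.
SAMPLE_STATUS = "Name:\tin.telnetd\nState:\tT (stopped)\nPid:\t5409\nPPid:\t1\nUid:\t0\t0\t0\t0\n"
```

Run `scan_proc()` as root for a full view; unprivileged users only see their own processes' wchan on most systems.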