[GLLUG] Debian Server hacked

Rich Walker rw at shadow.org.uk
Fri Jul 14 16:39:35 UTC 2006 

Bruce Richardson <itsbruce at uklinux.net> writes:

> On Fri, Jul 14, 2006 at 04:33:47PM +0100, Rich wrote:
>> Bruce Richardson <itsbruce at uklinux.net> writes:
>> 
>> > On Thu, Jul 13, 2006 at 09:54:19AM +0100, .myke wrote:
>> >> http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html
>> >> 
>> >> A Gluck server at Debian was discovered to be hacked yesterday.  They  
>> >> have taken it offline and are preparing to rebuilding.
>> >
>> > They should be using Stable for their infrastructure.  If they had been,
>> > this would not have happened.
>> 
>> It was a kernel vulnerability. This is the first reported usage of the
>> vulnerability. The relevant kernel version is in stable and testing.
>
> Eh? 2.6.8-2 is the latest official stable kernel.

Mind you, my brain may have turned to cheese :->

> Kernel vulnerability
> --------------------
> 
> The kernel vulnerability that has been used for this compromise is
> referenced as CVE-2006-2451.  It only exists in the Linux kernel
> 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24.
> The bug allows a local user to gain root privileges via the
> PR_SET_DUMPABLE argument of the prctl function and a program that
> causes a core dump file to be created in a directory for which the
> user does not have permissions.
> 
> The current stable release, Debian GNU/Linux 3.1 alias 'sarge',
> contains Linux 2.6.8 and is thus not affected by this problem.  The
> compromised server ran Linux 2.6.16.18.
> 
> If you run Linux 2.6.13 up to versions before 2.6.17.4, or Linux
> 2.6.16 up to versions before 2.6.16.24, please update your kernel
> immediately.

Only the admins know why those decisions were taken :->

cheers, Rich

(running a recent kernel on an otherwise-stable gateway machine)





-- 
rich walker         |  Shadow Robot Company | rw at shadow.org.uk
technical director     251 Liverpool Road   |
need a Hand?           London  N1 1LX       | +UK 20 7700 2487
www.shadowrobot.com/hand/overview.shtml
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list