OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Local root through vulnerability in ping on linux.
From: Ralf-Philipp Weinmann (weinmannRBG.INFORMATIK.TU-DARMSTADT.DE)
Date: Sun Aug 20 2000 - 15:50:16 CDT

On Sun, 20 Aug 2000, Gerrie wrote:

[...]
> > > It's exploits a bug in the linux kernel by using ping, does someone have
> > > more info?
[...]
> We haven't reconstructed the situation -yet- and don't have any trace of the
> exploit.
>
> The only fact there is that they had root, and it was a 2.2.16 kernel.

Ok. that's something I can work with. I had a look at the sources the last
day and haven't been able to find anything yet. Gotta look closer I guess.

a) how did you establish that root was gained using ping ? timestamps ?
   logs of files being executed ? etc.
b) how can you be sure that it is a kernel bug and not a bug in say
   /lib/ld.so ? (a bug in ping itself is very unlikely due to the fact
   that it drops root pretty early).

> btw: didn't ADM have a zeroday ?

dunno, are you asking whether adm had a zeroday ping exploit ? possible.
how about asking an adm member ? i guess they wouldn't tell you. but maybe
they would. 

--
Ralf-P. Weinmann <rpwuni.de>
PGP fingerprint: 2048/46C772078ACB58DEF6EBF8030CBF1724