[plug] What was your first computer?

Beau Kuiper kuiperba at cs.curtin.edu.au
Sun Oct 21 01:56:31 WST 2001


On Sat, 20 Oct 2001, Christian wrote:

> On Fri, Oct 19, 2001 at 05:55:54PM +0800, Beau Kuiper wrote:
>
> > Don't autosync production servers :-)
> >
> > One thing you could try is building apache-php yourself?
> > or reverting back to the older version
> >
> > Sorry, I am trying to be sympathetic here, but I am finding it hard,
>
> I'll bet you are.
>

I really was trying to find something to say to be helpful, and I knew it
was a mistake once I posted it, so I apologize for being mean.

Anyway, to try and make up for my silliness, I have attached a couple of
kernel modules to patch running servers against the 2 local attacks
discovered a few days ago.

The first module (noptrace.c) was not written by me, but has been kicking
around the place. It disables the ptrace system call (it isn't needed for
servers in general) to prevent the ptrace local root hack.

The second module (symfix.c) is one I wrote myself, to prevent the symlink
Denial of service attack, by preventing symbolic links like

../t/../t/../t

being created at all.

Both modules work on 2.2 and 2.4 kernels, and can be applied to running
kernels.

Beau Kuiper
kuiperba at cs.curtin.edu.au

-------------- next part --------------
// Module that fixes symlink creation so symlinks that could create
// DoS attacks cannot be created.
// Works with both Kernel 2.4 and Kernel 2.2
//
// Usage,
// Compile using
//	gcc -c symfix.c -o symfix.o -I/lib/modules/`uname -r`/build/include
//
// Use:
//
//	insmod ./symfix.o
//
// Removal
//
//	rmmod symfix
//
// Beau Kuiper Copyright (C) 2001

// Licensed under GPL 2.0

#define MODULE
#define __KERNEL__

#include <linux/mm.h>
#include <linux/module.h>
#include <linux/unistd.h>
#include <sys/syscall.h>
#include <sys/errno.h>
#include <linux/kernel.h>
#include <linux/fs.h>
#include <asm/uaccess.h>

#ifndef PATH_MAX
#define PATH_MAX PAGE_SIZE
#endif

// Kernel system call dispatch table, indexed by the __NR_* numbers. It is only
// declared here, so the running kernel must make the symbol available to
// modules for this file to load.
extern void *sys_call_table[];

// Symlink handler that was in the table before this module loaded; written by
// init_module and put back by cleanup_module.
long (*orig_symlink)(char *, char *);

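// Replacement symlink handler: rejects link targets that contain a "/./" or
// "/../" component after the leading run of '.' and '/' characters, and hands
// every other request to the original handler.
//
// oldname - user-space pointer to the link target string
// newname - user-space pointer to the path of the link to create
//
// Returns -EFAULT for a NULL oldname, the error reported by getname() when
// either string cannot be copied in, -EINVAL for a rejected target, and
// otherwise whatever the original handler returns.
//
// The strings are copied into kernel memory exactly once, and the same copies
// are both inspected and passed on. Inspecting the caller's buffer in place
// and then letting the original handler read it a second time would allow the
// contents to change between the check and the use, and would also mean
// dereferencing a user pointer directly instead of through the uaccess
// helpers.
//
// NOTE(review): getname()/putname()/IS_ERR()/PTR_ERR() are expected from
// <linux/fs.h> and get_fs()/set_fs()/KERNEL_DS from <asm/uaccess.h>, both of
// which this file includes - confirm they are usable from a module on the
// target 2.2/2.4 kernel before deploying.
long new_symlink (char *oldname, char *newname)
{
	char *target;
	char *linkpath;
	char *scan;
	mm_segment_t saved_fs;
	long ret;

	if (!oldname)
		return -EFAULT;

	// Kernel-side copy of the target; getname() reports faults, empty
	// strings and over-long names itself.
	target = getname(oldname);
	if (IS_ERR(target))
		return PTR_ERR(target);

	// Skip the leading run of '.' and '/' so prefixes such as "../../"
	// stay legal; the terminating NUL stops the scan.
	scan = target;
	while ((*scan == '.') || (*scan == '/'))
		scan++;

	if (strstr(scan, "/./") || strstr(scan, "/../")) {
		ret = -EINVAL;
		goto out_target;
	}

	// newname must be copied as well: once the address limit is lifted
	// below, the original handler would accept any address for it, so a
	// raw user pointer must not be forwarded.
	linkpath = getname(newname);
	if (IS_ERR(linkpath)) {
		ret = PTR_ERR(linkpath);
		goto out_target;
	}

	// The original handler expects user pointers; widen the address limit
	// only for the duration of the call so it accepts the kernel copies.
	saved_fs = get_fs();
	set_fs(KERNEL_DS);
	ret = orig_symlink(target, linkpath);
	set_fs(saved_fs);

	putname(linkpath);
out_target:
	putname(target);
	return ret;
}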

// Module load hook: remembers the handler currently installed for symlink
// and puts new_symlink in its place. Always reports success.
//
// NOTE(review): the table entry is swapped without any locking and without
// looking at what is already installed - presumably fine only while no other
// module hooks the same slot; confirm for the target system.
int init_module(void)
{
	void **slot = &sys_call_table[__NR_symlink];

	orig_symlink = *slot;
	*slot = new_symlink;
	return 0;
}

// Module unload hook: writes the handler saved by init_module back into the
// symlink slot of the system call table.
//
// NOTE(review): nothing here checks that the slot still holds new_symlink or
// that no call is currently running inside it - verify that unloading is only
// done on a quiet system.
void cleanup_module(void)
{
	void **slot = &sys_call_table[__NR_symlink];

	*slot = orig_symlink;
}
-------------- next part --------------
/* no ptrace module
   fast prevention for kernel bug
   (c) 2001 a Lam3rZ odyssey
*/


#define MODULE
#define __KERNEL__

#include <linux/module.h>
#include <linux/unistd.h>
#include <sys/syscall.h>

#ifndef KERNEL_VERSION
#define KERNEL_VERSION(a,b,c) ((a)*65536+(b)*256+(c))
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,0)
#include <asm/unistd.h>
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,14)
#include <bits/syscall.h>
#endif

/* Kernel system call dispatch table, indexed by the __NR_* numbers. Only
   declared here; the running kernel has to provide the symbol. */
extern void *sys_call_table[];

/* ptrace handler found in the table at load time; cleanup_module puts it
   back when the module is removed. */
int (*orig_ptrace)(int, int, int, int);

/* Stand-in for the ptrace system call: ignores all four arguments and fails
   every request with -1. On Linux -1 is the negated value of EPERM, so
   callers should see "Operation not permitted". */
int no_ptrace (int request, int pid, int addr, int data)
{
	(void) request;
	(void) pid;
	(void) addr;
	(void) data;

	return -1;
}


/* Module load hook: saves the ptrace handler currently in the system call
   table and installs no_ptrace in its slot. Always reports success.
   NOTE(review): the slot is swapped without locking - confirm no other
   module hooks ptrace on the target system. */
int init_module(void)
{
	void **slot = &sys_call_table[__NR_ptrace];

	orig_ptrace = *slot;
	*slot = no_ptrace;
	return 0;
}

/* Module unload hook: restores the ptrace handler saved by init_module,
   which makes ptrace available again. */
void cleanup_module(void)
{
	void **slot = &sys_call_table[__NR_ptrace];

	*slot = orig_ptrace;
}

