1202601703 Q * jescheng Remote host closed the connection
1202601714 J * jescheng ~jescheng@proxy-sjc-2.cisco.com
1202601717 M * fosco just give root access :|
1202601769 M * dowdle fosco: You compile your own kernel? Take the patch that fixes it and apply it... unless it conflicts with VS?
1202601778 M * fosco the problem is, the "sample" exploit works even with the latest experimental patch on the latest kernel source (that is itself, theoretically, immune)
1202601797 M * fosco and that is why I talk about it here
1202601832 M * TrueBrain I wonder why you think this project is dead :) This 'problem' was discovered just 2 days ago
1202601864 M * fosco because this is a real production problem, and also the fact that there is no release since 2.6.22
1202601896 M * fosco (and that this release is also affected by the problem, even if it's not really vserver's fault :)
1202601942 M * dowdle fosco: So the fix doesn't fix it, eh?
1202601947 M * TrueBrain ah :) But this indeed is a nasty 'problem' :)
1202601961 J * friendly12345 ~friendly@ppp121-44-198-55.lns3.mel4.internode.on.net
1202601984 M * fosco dowdle: a naked 2.6.24.1 is theoretically immune
1202602011 M * TrueBrain fosco: tried applying the vserver-patch over it?
1202602029 M * fosco I'm running it here, the exploit works
1202602045 M * TrueBrain also on a naked 2.6.24.1? :)
1202602068 M * TrueBrain anyway, I have no knowledge of this, so I am just yelling whatever pops into my mind :) I guess you need to talk to Bertl_zZ, when he wakes up ;)
1202602070 M * fosco compiling here, to verify the kernel changelog doesn't say crap :)
1202602203 M * dowdle fosco: So far as why their stable is 2.6.22... they have decided to skip (as I understand it) 2.6.23... I'm not sure about 2.6.24.
1202602485 M * dowdle fosco: I use a kernel based on the RHEL kernel which has a lot of additional access controls to memory... so I wonder if I'm vulnerable. Must test it out.
1202602566 M * fosco a friend of mine used it even against a grsec kernel :(
1202602624 M * dowdle fosco: Doesn't work for me... because no /proc/kallsyms
1202602672 M * fosco tried the 27704.c or the 27704-2.c ?
1202602758 M * dowdle I tried the second one.
1202602763 M * dowdle Just tried the first one.
1202602793 M * dowdle After trying the first one the host node and the container aren't responding. Let it be known I'm not doing this on a VS system at the moment.
1202602846 M * fosco ok, just tried it against a plain 2.6.24.1
1202602852 M * fosco it does not work
1202602856 M * dowdle So, it has a bad effect... but no root access... for me anyway.
1202602862 M * Wonka hm. there's a vserver plugin for collectd... but it doesn't seem to collect anything, in the current debian package...
1202602868 M * dowdle fosco: Mine was against 2.6.18
1202602875 M * fosco so a patch in the last experimental release reverts the 2.6.24.1 upgrade
1202602889 M * fosco dowdle: ok, thanks for the info :)
1202602912 M * TrueBrain fosco: the patch to fix this exploit is _very_ small
1202602920 M * TrueBrain so you can check it yourself, and apply it manually :)
1202602934 M * fosco TrueBrain: yes, this is now the next step ;)
1202602994 M * TrueBrain useful exploit to keep around in case I forget my root password again :p
1202603004 M * fosco haha :)
1202603008 M * TrueBrain even better, I can make it impossible to 'su' to root, just use this exploit instead :)
1202603028 M * Supaplex send in a patch to su ;)
1202603038 M * TrueBrain su --force ;)
1202603060 M * TrueBrain su --use-exploit-as-I-forgot-my-stupid-password-again
1202603061 M * TrueBrain ;)
1202603086 M * Supaplex su --just-trust-me
1202603128 M * TrueBrain the binary is 600kiB ;)
1202603167 M * TrueBrain compiling the exploit with -O3 makes it unworkable :p
1202603172 M * TrueBrain funny things :)
1202603294 M * dowdle fosco: I say make gcc read only by root until you have it fixed... although I know it won't stop people from uploading compiled versions.
1202603330 M * fosco I'm trying just a different patch order here :)
1202603347 M * fosco to apply 2.6.24.1 against a 2.6.24+vserver tree
1202603355 M * fosco hope it works
1202603669 M * Supaplex I forgot the workaround for this. I know it's etc/ssh/sshd_config... _X11TransSocketINETConnect() can't get address for localhost:6010: Name or service not known
1202603692 M * Supaplex for ssh -X into the guest. /home is reshared back to the host
1202603712 M * TrueBrain does 'localhost' look up to something? :p
1202603766 M * fosco ok, it doesn't work, the box is rootable :(
1202604256 M * fosco ok so, the official patch is effectively applied
1202604269 M * fosco and the vserver kernel (and only it) is still affected :(
1202604335 M * TrueBrain both ways btw?
1202604367 M * fosco both ways?
1202604406 M * TrueBrain both exploits
1202604413 M * fosco I only tested the first one
1202605026 M * fosco [-] vmsplice: Bad address
1202605042 M * fosco ok, just "return0ed" those damned functions
1202605050 M * TrueBrain lol :)
1202605435 Q * Piet Quit: Piet
1202605480 Q * dna_ Quit: Leaving
1202605841 J * esa` ~esa@ip-87-238-2-45.static.adsl.cheapnet.it
1202605841 Q * esa Ping timeout: 480 seconds
1202606341 Q * derjohn_mobil Ping timeout: 480 seconds
1202606342 J * dowdle_ ~dowdle@scott.coe.montana.edu
1202606382 M * Supaplex X11UseLocalhost no
1202606398 M * Supaplex there we go :)
1202606474 J * jsirucka ~jsirucka@220-245-131-131.static.tpgi.com.au
1202606483 N * jsirucka yaboo
1202606486 M * yaboo hello
1202606618 M * dowdle_ fosco: Just for more data points... I tried the kernel exploit on a RHEL4 kernel and it just plain didn't work... neither version.
1202606634 M * dowdle_ fosco: Didn't crash the kernel either.
1202606735 M * fosco ok
1202606739 M * fosco what version?
1202606847 M * yaboo trying to set up a vserver on debian and need help on the syntax
1202606853 M * dowdle_ fosco: 2.6.9-whatever is the latest
1202606864 M * dowdle_ fosco: I also tried a stock RHEL 5 kernel... didn't hurt it either.
1202606865 M * fosco it only affects 2.6.17 - 2.6.24
1202606921 M * yaboo vserver test1 build -m debootstrap --hostname test1 --interface eth1:192.168.0.2/25 -- -d etch -m http://ftp.debian.org/debian/ -- --resolve-deps --arch i386 --rootdir /vservers
1202606923 M * dowdle_ fosco: Scratch that... I did get root on a stock RHEL5 kernel.
1202606939 M * yaboo what is wrong with my syntax please
1202606976 M * dowdle_ fosco: Cool... because most of the machines I was worried about are running 2.6.9 so they are fine. :)
1202607013 M * fosco ok, do you want to laugh
1202607016 M * dowdle_ fosco: But oddly enough, once I have root on a RHEL5 box, it won't let me run any commands.
1202607018 M * fosco I'm now pretty sure
1202607030 M * fosco * the official patch does not really correct anything
1202607060 M * fosco * the problem is not in the two patched functions, it just patches the symptoms
1202607062 M * fosco * there's a race condition somewhere
1202607079 M * fosco I just re-rooted my plain 2.6.24.1 box by running the exploit in a loop
1202607083 M * dowdle_ fosco: scratch that... root on a RHEL5 box will let me run commands, I just had to get out of the directory I was in where, oddly enough, root didn't have any permissions.
1202607125 M * Supaplex yaboo: maybe the interface /25 part. try describing the symptoms
1202607130 M * dowdle_ fosco: I'll wait for a vendor provided kernel RSN. All of the machines I have with users on them are ok.
1202607146 M * yaboo Supaplex, ok will do
1202607148 M * dowdle_ fosco: Except for general use lab machines...
1202607639 Q * dowdle_ Remote host closed the connection
1202609806 Q * yaboo Quit: Leaving
1202613773 Q * friendly12345 Ping timeout: 480 seconds
1202614056 Q * fridim Quit: Left
1202616295 J * balbir ~balbir@122.167.213.22
1202616395 Q * jazzanova_ Read error: Operation timed out
1202616982 J * jazzanova ~boris@66.109.22.212
1202616983 M * jazzanova hi
1202616988 M * jazzanova how do I duplicate a vserver ?
1202617690 Q * jazzanova Quit: Leaving
1202618117 J * friendly12345 ~friendly@ppp121-44-198-55.lns3.mel4.internode.on.net
1202618199 J * doener ~doener@i577B8755.versanet.de
1202618396 Q * FireEgl Read error: Connection reset by peer
1202618611 Q * doener_ Ping timeout: 480 seconds
1202618934 J * Infinito ~argos@201-2-53-241.gnace701.dsl.brasiltelecom.net.br
1202621271 Q * mire Quit: Leaving
1202621412 Q * Infinito Ping timeout: 480 seconds
1202621419 J * infowolfe_ ~infowolfe@home.dsl.hardcore-linux.net
1202621421 N * infowolfe_ infowolfe
1202623202 Q * jescheng Remote host closed the connection
1202623217 J * jescheng ~jescheng@proxy-sjc-2.cisco.com
1202623763 Q * dowdle Remote host closed the connection
1202624462 Q * balbir Ping timeout: 480 seconds
1202626416 J * larsivi_ ~larsivi@144.84-48-50.nextgentel.com
1202626520 J * kaner_ kaner@zzz.strace.org
1202626534 J * phedny_ ~mark@032-023-128-083.dynamic.caiway.nl
1202626562 Q * doener charon.oftc.net solenoid.oftc.net
1202626562 Q * ktwilight charon.oftc.net solenoid.oftc.net
1202626562 Q * phedny charon.oftc.net solenoid.oftc.net
1202626562 Q * larsivi charon.oftc.net solenoid.oftc.net
1202626562 Q * opuk charon.oftc.net solenoid.oftc.net
1202626562 Q * kaner charon.oftc.net solenoid.oftc.net
1202626562 Q * meebey charon.oftc.net solenoid.oftc.net
1202626566 J * ktwilight ~ktwilight@250.65-66-87.adsl-dyn.isp.belgacom.be
1202626568 J * doener ~doener@i577B8755.versanet.de
1202626572 J * opuk ~kupo@c213-100-138-228.swipnet.se
1202626657 J * meebey meebey@booster.qnetp.net
1202626668 Q * meebey Ping timeout: 480 seconds
1202626740 J * meebey meebey@booster.qnetp.net
1202629514 J * ktwilight_ ~ktwilight@228.215-66-87.adsl-static.isp.belgacom.be
1202629801 Q * ktwilight Ping timeout: 480 seconds
1202631659 N * DoberMann[ZZZzzz] DoberMann[PullA]
1202632519 J * derjohn_mobil ~aj@e180221080.adsl.alicedsl.de
1202635268 J * jsambrook ~jsambrook@aelfric.plus.com
1202635539 J * JonB ~NoSuchUse@77.75.167.106
1202635699 P * jsambrook Leaving.
1202635729 Q * JonB
1202636441 J * dna ~dna@225-219-dsl.kielnet.net
1202639095 M * TrueBrain fosco: I do hope you emailed your findings? :)
1202639923 J * ftx_ ~ftx@dslb-084-060-219-065.pools.arcor-ip.net
1202640841 M * waldi hmm, the fix is really complete ...
1202640926 M * waldi ?--------- ? ? ? ? ? /proc/1
1202640969 M * waldi not exactly what I wanted, but okay
1202641199 Q * bzed Remote host closed the connection
1202641607 J * Julius ~julius@p57B279C5.dip.t-dialin.net
1202643006 J * sheskar skrause@sirio.realpath.org
1202643279 J * bzed ~bzed@devel.recluse.de
1202643398 M * arachnist huh
1202645713 J * pisco ~pisco@tor.noreply.org
1202645847 P * friendly12345
1202645860 J * enkahel__ ~enkahel@ACaen-257-1-36-90.w90-17.abo.wanadoo.fr
1202646225 Q * enkahel_ Ping timeout: 480 seconds
1202646953 J * ftx__ ~ftx@dslb-084-060-245-176.pools.arcor-ip.net
1202647121 Q * Aiken Remote host closed the connection
1202647381 Q * ftx_ Ping timeout: 480 seconds
1202649314 Q * bzed Quit: leaving
1202649323 J * bzed ~bzed@devel.recluse.de
1202649353 J * Piet ~piet@tor.noreply.org
1202650077 Q * Piet Quit: Piet
1202650197 J * JonB ~NoSuchUse@77.75.164.169
1202650734 J * dna_ ~dna@225-219-dsl.kielnet.net
1202651093 Q * dna Read error: Operation timed out
1202652561 N * ftx__ ftx
1202652718 J * yarihm ~yarihm@54-61-239-77-pool.cable.fcom.ch
1202652749 J * _gh_ ~gerrit@c-67-169-199-103.hsd1.or.comcast.net
1202652760 Q * nox Ping timeout: 480 seconds
1202652883 M * pisco with and without prefix
1202652905 M * pisco oops, sorry, wrong channel
1202653713 Q * pisco Ping timeout: 480 seconds
1202654255 Q * JonB Quit: This computer has gone to sleep
1202656089 J * JonB ~NoSuchUse@77.75.164.169
1202656369 N * Bertl_zZ Bertl
1202656382 M * Bertl morning folks!
1202658060 J * chigital ~chigital@p5B0C6642.dip.t-dialin.net
1202660067 Q * chigital Remote host closed the connection
1202660326 J * pisco ~pisco@tor.noreply.org
1202660708 M * Bertl off for now .. bbl
1202660712 N * Bertl Bertl_oO
1202660925 Q * quasisane Remote host closed the connection
1202661429 A * weasel wonders what the status of vserver for 2.6.24 is
1202661490 A * arachnist wonders if 2.6.24 is still vulnerable to a local priv. escalation exploit
1202661549 M * waldi yes
1202661732 J * DLange ~dlange@p57A30BCE.dip0.t-ipconnect.de
1202661969 J * mark__ ~mark@hercules.sentiensystems.net
1202661977 N * mark__ Skram
1202662031 M * arachnist think it's time to move from "root can do whatever he wants" setups to something like rsbac...
1202662159 J * dowdle ~dowdle@67-42-172-50.blng.qwest.net
1202662588 Q * pisco Ping timeout: 480 seconds
1202664699 J * pisco ~pisco@tor.noreply.org
1202665204 Q * JonB Quit: This computer has gone to sleep
1202665318 Q * pisco Ping timeout: 480 seconds
1202665358 N * DoberMann[PullA] DoberMann
1202665937 J * JonB ~NoSuchUse@77.75.164.169
1202666198 M * fosco arachnist: no official patch for now, but you can apply this to 2.6.24.1; as far as I can tell, it stops the exploits: http://lkml.org/lkml/2008/2/10/81
1202666248 M * dowdle fosco: According to Red Hat's bugzilla report, there are three bugs and one of them isn't fixed upstream yet: https://bugzilla.redhat.com/show_bug.cgi?id=432251
1202666402 Q * jescheng Remote host closed the connection
1202666414 J * jescheng ~jescheng@proxy-sjc-2.cisco.com
1202666859 M * fosco dowdle: a problem is, CVE-2008-0009/10 is _not_ fixed at all
1202666894 M * arachnist still, the "root can do everything" concept is inherently flawed
1202666902 M * fosco the official patch, applied in 2.6.24.1, does not correct a weakness in vmsplice_to_pipe
1202667119 Q * JonB Quit: Leaving
1202668168 Q * arthur Ping timeout: 480 seconds
1202668557 J * phedny ~mark@010-022-128-083.dynamic.caiway.nl
1202668945 Q * phedny_ Ping timeout: 480 seconds
1202669050 J * ftx_ ~ftx@dslb-084-060-244-160.pools.arcor-ip.net
1202669050 Q * ftx Read error: Connection reset by peer
1202669503 J * chotchki ~chotchki@49-60.200-68.tampabay.res.rr.com
1202669705 M * chotchki hey guys, I'm trying to set up vserver on ubuntu feisty... however I'm unsure whether it's built into the kernel now.... or do I need to patch a vanilla kernel?
1202669952 M * chotchki i think feisty uses a 2.6.22 kernel
1202673206 Q * derjohn_mobil Remote host closed the connection
1202673735 J * arthur ~arthur@ada.lri.fr
1202675168 J * nina29 ~nina29@ANantes-257-1-78-140.w90-25.abo.wanadoo.fr
1202675273 Q * nina29
1202675545 M * Supaplex ubuntu might have a prepatched and already compiled one. the ubuntu channel (and bot) will have more info (eg, ask the bot "search")
1202675567 M * chotchki Supaplex: thanks!
1202675808 J * Petar Petar@ca-098.ptt.yu
1202675819 M * Petar hello
1202675851 M * dowdle Petar: Greetings.
1202675865 M * Petar hello dowdle
1202675867 M * Petar whassup?
1202675890 Q * Petar
1202675970 Q * ftx_ Remote host closed the connection
1202676017 M * dowdle Some people's impatient children.
1202676045 M * Supaplex he DCC chatted me
1202676070 M * Supaplex oh what fun /exec -o head /dev/urandom can be.
1202676445 M * Tuxbubling now i know
1202676447 M * Tuxbubling sorry
1202676472 A * Tuxbubling tries to fit in the tightest hole possible....
1202676491 M * Wonka no details, please
1202676511 M * Tuxbubling i should remember to try those kinds of things in pv
1202676514 M * Tuxbubling ^^
1202676757 M * Supaplex lol
1202676867 J * stephan ~stephan@62.27.20.121
1202676876 M * stephan hiho
1202677540 J * Aiken ~james@ppp59-167-117-30.lns3.bne4.internode.on.net
1202677594 J * pisco ~pisco@tor.noreply.org
1202678378 J * JonB ~NoSuchUse@77.75.164.169
1202678568 N * Bertl_oO Bertl
1202678571 M * Bertl back now ...
1202678593 M * JonB that's good
1202678926 Q * yarihm Quit: Leaving
1202679543 Q * pisco Ping timeout: 480 seconds
1202679770 P * sheskar
1202679788 N * DoberMann DoberMann[ZZZzzz]
1202679984 Q * DLange Quit: Good night folks, see you tomorrow.
1202680821 Q * JonB Quit: This computer has gone to sleep
1202680836 M * Bertl nap attack ... off to bed now ... probably back a little later
1202680843 N * Bertl Bertl_zZ
1202680867 J * nox ~nox@static.88-198-17-175.clients.your-server.de
1202681298 Q * Julius Remote host closed the connection
1202681751 J * TheSeer ~theseer@e177150074.adsl.alicedsl.de
1202681755 M * TheSeer heya :)
1202681907 M * TheSeer daniel_hozac: *ping*
1202682273 Q * TheSeer Quit: Client exiting
1202683714 J * derjohn_mobil ~aj@e180221080.adsl.alicedsl.de
1202684577 M * maddoc http://it.slashdot.org/article.pl?sid=08/02/10/2011257 any patches for vserver-grsec coming soon?
1202684668 M * Guy- maddoc: as far as I can see, that exploit depends on /proc/kallsyms, which is unreadable inside a vserver
1202684702 M * Guy- maddoc: but fwiw, I tried it on a few computers, and it didn't even work outside a vserver on 2.6.22.9
1202684709 M * maddoc Nice.
1202684753 M * micah Guy-: works on 2.6.18 inside a guest
1202684766 M * Guy- micah: really? does the guest have /proc/kallsyms?
1202684780 M * Guy- micah: I couldn't find a single box it would work on...
1202684795 M * micah Guy-: no it doesn't... there are three different exploits btw
1202684810 M * maddoc Public?
1202684860 M * Guy- ah, I was playing with a different one
1202684868 M * ensc Guy-: it is only a weak dependency on /proc/kallsyms; the address should be the same on all hosts with the same kernel and can be determined somewhere else
1202684879 M * Guy- not http://www.milw0rm.com/exploits/5092 but http://www.milw0rm.com/exploits/5093
1202684888 Q * dna_ Ping timeout: 480 seconds
1202684916 M * Guy- let's try 5092 then
1202685022 M * maddoc The latest vserver-patch is for 2.6.22 and diane lane is for 2.6.23-2.6.24?
1202685105 M * Guy- yes, I was looking at the wrong exploit
1202685106 J * friendly12345 ~friendly@ppp121-44-198-55.lns3.mel4.internode.on.net
1202685164 M * Guy- yes, essica_biel_naked_in_my_bed.c works inside a vserver all right
1202685184 M * maddoc :-/
1202685191 M * Guy- bad news
1202685202 M * maddoc Sure is.
1202685207 M * Guy- of course, it's still only root inside the guest, but that's bad enough
1202685208 M * maddoc Let's hope for a patch really soon.
1202685225 M * Supaplex sooner than RSN :P
1202685252 M * maddoc RSN?
1202685266 M * Supaplex 'real soon now' aka never
1202685266 M * Guy- real soon now
1202685275 M * maddoc ah
1202685283 M * Supaplex i'ma update my website RSN (we've all said that)
1202685289 M * maddoc Hehe.
1202685567 Q * larsivi_ Quit: Konversation terminated!
1202685660 M * ensc Guy-: it's only a matter of the injected code whether you become root in the guest or on the host
1202685750 M * Supaplex and it only affects vserver kernels, right?
1202685762 M * Guy- Supaplex: no
1202685792 M * Guy- anyway, at least it doesn't work inside a 32bit vserver running on a 64bit host, but I guess it can be made to work
1202685811 M * Guy- ensc: are you sure?
1202685864 M * ensc Guy-: yes; the hole makes it possible to execute arbitrary code in kernel context. E.g. kernel_code() in http://www.milw0rm.com/exploits/5093
1202685913 M * ensc there, it overrides the *uid values of the current process, but it will be possible too to override e.g. the xid number
1202685962 M * ensc the exploits are demo code only; it is possible to adapt them for 32bit vservers on 64bit hosts
1202685997 M * Guy- I was pretty sure of the latter
1202686028 M * Guy- it also doesn't work out of the box on plain 64bit, but I don't think that's an obstacle either