Mitigating against recent GNU/Linux kernel bugs
Posted by Steve on Sat 15 Jul 2006 at 10:12
Recently the Debian project was compromised after a user account was escalated to root via a bug in GNU/Linux kernel. This bug doesn't affect the Sarge kernel(s), but it might affect you if you're running a different distribution. Here we'll cover a couple of hot-fixes.
The bug which was used abused the prctl system call. This essentially allows a local attacker to write core files to arbitary directories.
In the public attacks this has been used to create a corefile in directories such as /etc/cron.d which cron will intepret and accept. (Arguably a bug in cron...).
To prevent this attack you can make use of a couple of Kernel parameters which are designed to disable corefiles, or move them to a single fixed directory. As root run:
echo 0 >/proc/sys/kernel/core_uses_pid echo /dev/null >/proc/sys/kernel/core_pattern
(This change can be made persistent via the /etc/sysctl.conf file.)
Together this should prevent you from falling victim to this attack.
Unfortunately another bug which also allows a local user to gain root has surfaced rather publically. This new attack takes advantage of the /proc filesystem.
To prevent this new attack the following should be sufficient:
mount -o remount,noexec,nosuid /proc
Update your /etc/fstab to make the change persistent.