<2.4.23 kernel warning!
Linux Kernel do_brk() Vulnerability
Highly recommend upgrading to v2.4.23 (I tested the exploit code on my own server :cool: )
http://www.securiteam.com/unixfocus/6R0012095O.html
blackmoont 12-19-2003, 12:08 AM But I don't know which kernel version is in my box!! How do I find out which version?
The Prohacker 12-19-2003, 12:58 AM http://www.webhostingtalk.com/showthread.php?s=&threadid=212652
If they haven't upgraded yet they probably never will :D
eBoundary 12-19-2003, 01:20 AM Or they are already owned :) The exploits are very readily available and I'm sure many people have script kiddie wannabes as clients :)
sprintserve 12-19-2003, 01:53 AM I upgraded it weeks ago. On the 1st of December or so.
It doesn't work on Red Hat 9 machines. I tested it on my own machine running 2.4.20-24.9 and another machine running 2.4.20-20.9smp; on each of them it compiled correctly but does not execute due to a segmentation fault.
sprintserve 12-19-2003, 03:36 AM That's because 2.4.20-24.9 is the patched version that Red Hat released.
The Prohacker 12-19-2003, 05:39 AM And yes it does work on an unpatched RH9 server.. I happened to have to recover one that was hit with that very exploit.. The C source was interesting..
blackmoont 12-19-2003, 06:12 AM I've read a lot of "how to" kernel update guides and really want to do it myself, but it looks dangerous and I'm scared :(
HaShoo 12-19-2003, 06:26 AM blackmoont, you can always try rpm versions of the kernel. If you use Red Hat then you can use up2date to upgrade your kernel automatically..
blackmoont 12-19-2003, 07:08 AM Yes, I am using Red Hat 9, but are there any risks if I use up2date?
RSanders 12-19-2003, 07:17 AM Originally posted by blackmoont
Yes, I am using Red Hat 9, but are there any risks if I use up2date?
Only if you compiled any modules against the kernel. It's more common in a desktop situation than a production server, but if you have any customizations to the kernel then you may have issues.
If you installed default Red Hat, and it worked, then you're fine. If you're on a hosted platform, hopefully your hosting company isn't stupid enough to put you on hardware that requires custom builds.
blackmoont 12-19-2003, 07:44 AM My server is placed at American Datacenter. I am using Red Hat 9 and Apache compiled with phpsuexec, cPanel. That's all. Is anything dangerous if I run up2date? Please give me some comments and let me have enough bravery to update the kernel myself. :)
blackmoont 12-19-2003, 07:45 AM Argg, I have about 300 hosting accounts on my 2 servers, so if I do something wrong, my neck will be cut off :D
RSanders 12-19-2003, 08:06 AM Then hire an experienced admin to do it for you. I can't help manage your server from a forum; odds are something will go wrong.
Try contacting your hosting company?
blackmoont 12-19-2003, 08:15 AM Thanks, I will try. Of course I can ask my hosting company's support, but I want to try (but am also scared). :P
Ankheg 12-19-2003, 11:44 AM Does anyone know definitively if this exploit is x86-specific, or if it affects other platforms? 2.4.x and 2.6.x have less than wonderful stability on the Sun4m/Sparc platform... and one of my mailservers is a Sparc, still running Debian/2.2.x. :(
Reading some of the articles makes it sound like an x86-only problem.
Lippy 12-19-2003, 11:47 AM Great little updating link
Search through this thread and you will find some advice and how to update.
http://forums.ev1servers.net/showthread.php?s=&threadid=38402
eBoundary 12-19-2003, 02:12 PM Originally posted by Ankheg
Does anyone know definitively if this exploit is x86-specific, or if it affects other platforms? 2.4.x and 2.6.x have less than wonderful stability on the Sun4m/Sparc platform... and one of my mailservers is a Sparc, still running Debian/2.2.x. :(
Reading some of the articles makes it sound like an x86-only problem.
The shell code in the exploit will be x86 specific; chances are, though, that the vulnerability does affect Sparc but there is no shell code available for it. I'd not count on that to be your only saving grace.
What you have to remember is when an exploit is written the coder generally tries to target the largest common denominator so the code has the biggest impact.
NexDog 12-20-2003, 09:46 AM Can't believe that weeks later, people are still catching on. We built new kernels with grsec on the 1st or 2nd, just like sprintserve. You can't mess with those root exploits.
cactus 12-20-2003, 12:28 PM Originally posted by Lippy
Great little updating link
Search through this thread and you will find some advice and how to update.
http://forums.ev1servers.net/showth...;threadid=38402
NOTE:
It's a good tutorial to upgrade your kernel, but also be sure to check your /lib/modules/ (e.g. 2.4.20-24.9 (dir), 2.4.20-6 (dir)).
If it's already in there, skip:
rpm -ivh kernel-2.4.20-24.9.i686.rpm
AND go edit your /etc/lilo.conf with pico... follow the instructions from the tutorial and you should have no problems upgrading. If you have problems after rebooting, for example Apache or bind failed, you can always work in WHM to get it updated.
Regarding up2date, if you want to update, make sure you know what you are configuring or it won't work. For example:
0. debug No
1. rhnuuid a9d4ed88-19f4-11d8-9d44-8a65e2f9d923
2. isatty Yes
3. showAvailablePacka No
4. depslist []
5. networkSetup Yes
6. retrieveOnly No
7. enableRollbacks No
8. pkgSkipList []
9. storageDir /var/spool/up2date
10. adminAddress ['root@localhost']
11. noBootLoader No
12. serverURL https://xmlrpc.rhn.redhat.com/XMLRPC
13. fileSkipList []
14. sslCACert /usr/share/rhn/RHNS-CA-CERT
15. noReplaceConfig Yes
16. noReboots None
17. useNoSSLForPackage No
18. systemIdPath /etc/sysconfig/rhn/systemid
19. enableProxyAuth No
20. retrieveSource No
21. versionOverride 34
22. headerFetchCount 10
23. networkRetries 5
24. enableProxy No
25. proxyPassword
26. noSSLServerURL http://xmlrpc.rhn.redhat.com/XMLRPC
27. keepAfterInstall No
28. proxyUser
29. removeSkipList []
30. useGPG Yes
31. gpgKeyRing /etc/sysconfig/rhn/up2date-keyring.gpg
32. httpProxy
33. headerCacheSize 40
34. forceInstall No
35. noReboot No
Enter number of item to edit <return to exit, q to quit without saving>:
Anyways, if you want to try it, there's a good tutorial at:
http://admin0.info/articles/security/step01.html
Basically in SSH just do the following:
1) up2date --register
2) up2date --configure
3) up2date -u
Search the web for up2date tutorials and you will find some good ones to help you, especially with the configuring side, which is confusing to most people choosing this route.
Regards
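As an added example (not code from any poster in this thread, nor from Red Hat), here is a POSIX shell check that takes a `uname -r` string and reports whether the kernel still needs the do_brk() fix, using the two rules the thread states: anything older than 2.4.23 is vulnerable, and Red Hat's backported 2.4.20-24.9 counts as patched. It also wraps the /lib/modules check cactus recommends before installing the kernel rpm. The function and variable names are my own, and the version strings in the loop at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from Red Hat.
# kernel_status takes a `uname -r` string and prints "patched" or
# "VULNERABLE" for the do_brk() bug, following the thread's two rules:
#   1. kernels older than 2.4.23 are vulnerable (thread title)
#   2. Red Hat's backport 2.4.20-24.9 (release 24.9 or later on a
#      2.4.20 base) is patched (sprintserve's post)
# Function and variable names are my own choice.

# version_ge A B: succeed when dotted numeric version A >= B.
# Components are compared numerically; missing components count as 0.
version_ge() {
    have=$1
    want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}
        w=${want%%.*}
        case $have in *.*) have=${have#*.} ;; *) have="" ;; esac
        case $want in *.*) want=${want#*.} ;; *) want="" ;; esac
        h=${h:-0}
        w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
    done
    return 0
}

# kernel_status UNAME_R: print the verdict for one kernel version string.
kernel_status() {
    full=$1
    base=${full%%-*}                            # "2.4.20-24.9smp" -> "2.4.20"
    rel=${full#*-}                              # "2.4.20-24.9smp" -> "24.9smp"
    if [ "$rel" = "$full" ]; then rel=""; fi    # no "-" in the string at all
    # keep only the leading numeric part: "20.9smp" -> "20.9"
    base=$(printf '%s' "$base" | sed 's/[^0-9.].*$//')
    rel=$(printf '%s' "$rel" | sed 's/[^0-9.].*$//')

    if version_ge "$base" "2.4.23"; then
        echo patched
    elif [ "$base" = "2.4.20" ] && [ -n "$rel" ] && version_ge "$rel" "24.9"; then
        echo patched                            # Red Hat backport, per the thread
    else
        echo VULNERABLE
    fi
}

# modules_present UNAME_R: succeed when /lib/modules/<version> exists,
# the directory check cactus recommends before installing the kernel rpm.
modules_present() {
    [ -d "/lib/modules/$1" ]
}

# Constructed sample strings, then the kernel this script is running on.
for v in 2.4.20-20.9smp 2.4.20-24.9 2.4.22 2.4.23 "$(uname -r)"; do
    printf '%-20s %s\n' "$v" "$(kernel_status "$v")"
done
if modules_present "$(uname -r)"; then
    echo "/lib/modules/$(uname -r) is present"
else
    echo "/lib/modules/$(uname -r) is missing"
fi
```

Run it as root or not, it only reads `uname -r` and checks for a directory; a "VULNERABLE" line for the running kernel means the upgrade steps cactus lists above still have to be done.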