SCIENTIFIC-LINUX-USERS Archives

August 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: kernel security
From:
Urs Beyerle <[log in to unmask]>
Reply To:
Urs Beyerle <[log in to unmask]>
Date:
Fri, 14 Aug 2009 13:28:21 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (51 lines) 
Try unload and remove the following kernel modules:

ipx.ko
irda.ko
x25.ko
ax25.ko
bluetooth.ko
sctp.ko
pppoe.ko
pppox.ko

Does this help?

    Urs

Stephan Wiesand wrote:
> On Fri, 2009-08-14 at 11:59 +0100, Dr Andrew C Aitchison wrote:
>   
>> On Fri, 14 Aug 2009, Urs Beyerle wrote:
>>     
>>> I guess SL is affected like most other Linux distributions.
>>>
>>> I'm not 100% sure, but setting vm.mmap_min_addr to a value above 0
>>> should prevent an exploit.
>>>
>>> # sysctl vm.mmap_min_addr=4096
>>>       
>> The default on my SL53 machines appears to be 65536
>> so there may be no need to do this.
>>
>> And Stephan Wiesand <[log in to unmask]> replied:
>>     
>>> I successfully rooted a 32bit SL5 system with SELinux enabled
>>> and vm.mmap_min_addr=64k with the public exploit :-(
>>>       
>> Did this machine have kernel-2.6.18-128.4.1.el5 and hence the 
>> fix for CVE-2009-1895 which allows a user to bypass mmap_min_addr - see
>>     
>
> Yes.
>
>   
>> https://rhn.redhat.com/errata/RHSA-2009-1193.html  ? 
>> Though I did see that there are other ways of bypassing
>> vm.mmap_min_addr :-(
>>     
>
> Yes, and they work fine :-/
>
>

ATOM RSS1 RSS2