Portal Home > Knowledgebase > Articles Database > New security exploit -- allows local user to gain root
New security exploit -- allows local user to gain root
| Posted by iseletsk, 10-19-2010, 09:06 AM |
| There is a new security exploit that allows local user to gain root access to the server. My guess is pretty much all hosting companies doing linux hosting are affected
There is no update yet available from any vendor, but as a work around, you can do following:
# mount -o bind /tmp /tmp
# mount -o remount,bind,nosuid /tmp /tmp
# mount -o bind /home /home
# mount -o remount,bind,nosuid /home /home
Make sure you bind and remount as nosuid all directories (parent level only) where local users can create files. If your users' home directories are at /var/www, do that for /var/www directory
# mount -o bind /var/www /var/www
# mount -o remount,bind,nosuid /var/www /var/www
Full Disclosure was published here yesterday:
More info: http://seclists.org/fulldisclosure/2010/Oct/257
CVE-2010-3847
Last edited by iseletsk; 10-19-2010 at 09:14 AM.
|
| Posted by Patrick, 10-19-2010, 10:36 AM |
| Yeah, saw that when it was posted... interesting though:
"Please note, this is a low impact vulnerability that is only of interest to security professionals and system administrators. End users do not need to be concerned."
.
.
Last edited by Patrick; 10-19-2010 at 10:50 AM.
|
| Posted by iseletsk, 10-19-2010, 10:40 AM |
| This might be low impact if you are running in enterprise environment, with lock down system, where no external user can run any scripts
If you are a webhost, where customer can deploy their own CGI -- you are one step away from being exploited.
This is same level "local privileges escalation" type of exploit that bunch of hosts were recently hit with - when x86_64 kernel was affected.
|
| Posted by Eleven2 Hosting, 10-19-2010, 10:42 AM |
| That is exactly why it took so long for RedHat to put out the patch for the 64bit vulnerability a month or so ago.
The CentOS developers were telling me at the cPanel conference that since the issue was only for privilege users, it was not a concern for RedHat since corporate world is not handing out untrusted logins to people.
|
| Posted by Patrick, 10-19-2010, 10:45 AM |
| Have you tested the exploit?
.
.
|
| Posted by Patrick, 10-19-2010, 10:48 AM |
| Oops. I had ping set to non-suid... holy hell, that does work!
|
| Posted by iseletsk, 10-19-2010, 10:49 AM |
| Yes, just follow step by step from full disclosure gives you root on plain vanila CentOS.
For some reason same instructions are not affecting CloudLinux. It should be affected the same way, so it is either something in our configuration, or slight variation of those instructions should be affecting it. As soon as we can validate the hack on unpatched CL, we plan to release patched one (we just need to be able verify that we closed the issue).
|
| Posted by iseletsk, 10-19-2010, 10:51 AM |
| Just in case: it looks like grsecurity TPE stops it as well.
|
| Posted by iseletsk, 10-19-2010, 11:00 AM |
| One more directory needs to be binded/re-mounted (thanks to ksplice guys for pointing it out):
# mount -o bind /var/tmp /var/tmp
# mount -o remount,bind,nosuid /var/tmp /var/tmp
|
| Posted by Steven, 10-19-2010, 11:08 AM |
| Keep in mind - this is not limited to /tmp.
Stock cpanel installs already have the /tmp restrictions btw.
/dev/sda2 on /tmp type ext3 (rw,noexec,nosuid)
/tmp on /var/tmp type none (rw,noexec,nosuid,bind)
|
| Posted by M Bacon, 10-19-2010, 11:08 AM |
| Will this work for VPS? Just wondering.
|
| Posted by iseletsk, 10-19-2010, 11:12 AM |
| It looks like CloudLinux is not vulnerable (even though same vulnerability exists in glibc on CL). We are still trying to figure out why, but it is related either to grsecurity patch (even when grsec tpe is disalbled), or some other hardening that our upstream kernel (openvz) did.
|
| Posted by iseletsk, 10-19-2010, 11:14 AM |
| Will you be able to go outside of VPS to host itself -- no.
Otherwise, depends on VPS.
Hypervizors like xen/vmware, etc... -- Yes, they will be affected.
OpenVZ/Virtuozzo -- high chance that they are not vulnerable.
|
| Posted by Steven, 10-19-2010, 11:49 AM |
| http://sourceware.org/ml/libc-hacker.../msg00007.html
Going to build me some rpms right now.
|
| Posted by SPaReK, 10-19-2010, 11:52 AM |
| Does the setuid binary you link from have to exist in the same partition you are linking to?
If /bin and /tmp are separate partitions, will this still work?
|
| Posted by DigitalLinx, 10-19-2010, 11:53 AM |
| This is a userland vulnerability, hypervisor/kernel version make little to no difference, if you're running glibc, you're vulnerable.
Ubuntu/Debian should be immune to this issue as IIRC they do not use glibc.
Mounting /tmp and /home as noexec/nosuid partition is not a patch, despite being a good idea to do it anyway.
|
| Posted by DigitalLinx, 10-19-2010, 11:54 AM |
| Yes it does have to be in the same partition since it has to be a hardlink not a symlink.
|
| Posted by fwaggle, 10-19-2010, 11:54 AM |
| Part of me feels like any filesystem that unprivileged users can create files in (including /home and perhaps mail spools too) should be nosuid by default. I can't really think of a good reason on the spot to ever warrant allowing that behavior.
As people on particular mailing lists have said, the environment should almost certainly be trashed and completely sanitized (except for a whitelist of things the process would be interested in) on suid/sgid binaries.
It's a pretty cool find though, the disaster it creates aside.
|
| Posted by SPaReK, 10-19-2010, 11:57 AM |
| If you assume for a moment that under-privileged users can only write to /home and /tmp, and if /home and /tmp are separate partitions and if there are no setuid binaries in /home and /tmp, then what is the overall impact?
|
| Posted by DigitalLinx, 10-19-2010, 12:00 PM |
| Some daemon/applications create world writable directories to not so common places, directory walking with /bin/find can reveal those in matter of minutes.
|
| Posted by DigitalLinx, 10-19-2010, 12:14 PM |
| Also note that this is a logic screwup which makes this vulnerability 100% reliable.
|
| Posted by JonnyQuags, 10-19-2010, 12:36 PM |
| This patch did not work for me. An error came up on the exploit that was not there before, but still got root access.
|
| Posted by Steven, 10-19-2010, 12:47 PM |
| Yep - I am too investigating that.
[test@just ~]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
|
| Posted by JonnyQuags, 10-19-2010, 12:48 PM |
| Ya, exact same thing.
|
| Posted by Markovic, 10-19-2010, 12:51 PM |
| it doesnt work under VPS(OpenVZ) - CentOS 5
|
| Posted by Steven, 10-19-2010, 12:52 PM |
| In the bugzilla report there is also: https://bugzilla.redhat.com/attachment.cgi?id=454089
Fedora 14 has patches in a test kernel. I am downloading the srpm to see what they have.
|
| Posted by Steven, 10-19-2010, 12:53 PM |
| Likely the same reason it doesnt work with cloudlinux.
|
| Posted by Markovic, 10-19-2010, 12:59 PM |
| Well, got the same error as you said above under OpenVZ. Still investigating though.
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
|
| Posted by iseletsk, 10-19-2010, 01:03 PM |
| While original exploit doesn't work with CL/VZ kernels. Yet, I believe that modified exploit will work against CloudLinux and OpenVZ.
Last edited by iseletsk; 10-19-2010 at 01:08 PM.
|
| Posted by DigitalLinx, 10-19-2010, 01:09 PM |
| It does work under ovz with slight modifications to win a race condition.
|
| Posted by Markovic, 10-19-2010, 01:18 PM |
| As a temp solution is it possible to chmod all suid files to 111? nobody else except root is supposed to use them anyway so I guess it's safe enough.
P.S What does chattr +I mean? I heard that could help too but Im not sure what does +I mean.
|
| Posted by JonnyQuags, 10-19-2010, 01:32 PM |
| If a file is immutable (chattr +i /bin/ping for example) then you can not create a hardlink to it.
|
| Posted by M Bacon, 10-19-2010, 01:49 PM |
| Ok. Thanks for the information.
|
| Posted by KnownSRV, 10-19-2010, 01:52 PM |
| Hey,
It is vulnerable. Take a look at the output pasted by DigitalLinx above.
|
| Posted by iseletsk, 10-19-2010, 01:58 PM |
| Updated glibc that fixes the issue is available for CloudLinux. To upgrade, type:
# yum clean metadata
# yum update glibc
New glibc version: 2.5-49.el5_5.5.cloudlinux
|
| Posted by Mat Sumpter, 10-19-2010, 01:59 PM |
| https://bugzilla.redhat.com/show_bug.cgi?id=643951
Nice to have.. Way to handle a serious root exploit Red Hat...
|
| Posted by Markovic, 10-19-2010, 02:56 PM |
| anyone came up with and released openvz exploit yet?
|
| Posted by Matt R, 10-19-2010, 03:05 PM |
| In testing, it only seems to work with a standard shell and not jailshell.
Just to verify, this is the case -- correct?
|
| Posted by Matt R, 10-19-2010, 03:24 PM |
| In testing it on CentOS 5.4 x86_64 systems, I can't get it to exploit with cPanel installed and the server properly secured.
I was able to get it to run on a server with no /tmp, /var/tmp, or /home restrictions in place only if I had actual bash access and not jailshell.
|
| Posted by iseletsk, 10-19-2010, 04:23 PM |
| This should be trivial to implement via cgi (or cronjob), so no -- jailshell will not help
|
| Posted by MaB, 10-19-2010, 04:26 PM |
| Do the two attached patches at https://bugzilla.redhat.com/show_bug.cgi?id=643306 solve the problem?
|
| Posted by iseletsk, 10-19-2010, 04:28 PM |
| Only one of them based on our tests/understanding.
http://sourceware.org/ml/libc-hacker.../msg00007.html
|
| Posted by MaB, 10-19-2010, 04:31 PM |
| Both Steve and JonnyQuags are suggesting that this patch didn't work ?
|
| Posted by iseletsk, 10-19-2010, 04:37 PM |
| We used same patch, or something very similar based on what went into Fedora 14. In our tests it prevented from rooting on CentOS and CloudLinux kernels.
Just in case -- I don't want to sound to arrogant here, all I am trying to say is that we were unable to replicate the hack after we patched glibc.
If someone knows how to still hack it, even with our updated glibc -- please, provide me with information. I will appreciate it.
|
| Posted by wdaher, 10-19-2010, 04:49 PM |
| Our internal testing with the linked-to patch produced the same results as Igor.
Steven, JonnyQuags: it looks like your attempt actually runs 'ping' instead of giving you a root shell, which seems pretty innocuous to me. Can you give us a bit more detail?
|
| Posted by Steven, 10-19-2010, 04:55 PM |
| I figured it out - I was in a hurry earlier when I initially tested it.
The patch works.
|
| Posted by JonnyQuags, 10-19-2010, 05:03 PM |
| I can confirm it works as well (the original patch). On my test server I was su'ing into a username to test the exploit and did not realize the process got killed after the patch (dropping me back into root).
|
| Posted by Steven, 10-19-2010, 07:26 PM |
| Here some rpms if anyone is interested: http://layer1.rack911.com/CVE-2010-3847/
|
| Posted by bloodyman, 10-20-2010, 05:30 AM |
| Is it safe to run :
# mount -o bind /home /home
# mount -o remount,bind,nosuid /home /home
on working cPanel Server (with working webhosting accounts)? Or it will break something or break cPanel?
|
| Posted by bloodyman, 10-20-2010, 08:01 AM |
| And another question - will it only affect webhosts who has /home, /tmp, / mounted on 1 partition? When I try to make ln link I get information
ln: creating hard link `/tmp/exploit/target' to `/bin/ping': Invalid cross-device link
|
| Posted by DigitalLinx, 10-20-2010, 09:39 AM |
| An attacker is not limited to those locations/setuid bin, if you have a writable dir in the same partition as /bin, /sbin/, /usr/bin, /usr/sbin then you can still be exploited.
It's best to not assume and just patch glibc.
|
| Posted by bloodyman, 10-20-2010, 10:06 AM |
| If I think correctly - users in standard Linux installation can only write in /tmp and their home directory, am I right?
If /var , /home and /tmp /dev/shm are separated from / - there is no problem?
|
| Posted by Steven, 10-20-2010, 10:36 AM |
| They can write to any directory that is 777.
I really don't understand why people come up with theories on why they may be safe from an exploit. When there is any doubt, just patch the actual exploit.
|
| Posted by Steven, 10-20-2010, 11:01 AM |
| Here is a yum repo:
Couple hundred boxes running these right now.
|
| Posted by bloodyman, 10-20-2010, 11:57 AM |
| I just want to calm down situation - I checked cpanel box, with partitions /home/, /tmp, /var/ mounted as different devices, and I did not find any directories with 777 permisions.
find /* -type d -perm 777
No directory with 777 permistion outside /home directory was found.
Steven, don't get me wrong, but not all people have enough knowledge to upgrade their boxes I think, so we should calm down situation rather than panic another time during this month.
|
| Posted by Steven, 10-20-2010, 12:44 PM |
| Any 777 directory in any partition can be used to do this.
There was a time where /usr/local/apache/proxy was a directory on cpanel servers and it was 777 for example. It was a common exploit hiding place for hackers.
There are some 3rd party cpanel addons that place 777 directories in /usr.
A responsible server administrator will correctly patch any critical root exploit, if a patch exists. All of our customers were patched yesterday. The same goes for the last kernel exploit - we patched the redhat enterprise 4 servers, because redhat classified it as low priority.
I woke up this morning to a few sales queries regarding compromised servers (which used the instructions in post #1).
Also note, instructions in post #1 will break jailshell on cpanel. Once a official patch is released from redhat, you will have to unmount the /home partition - or reboot in order to get it working again.
Last edited by Steven; 10-20-2010 at 12:51 PM.
|
| Posted by bloodyman, 10-20-2010, 12:50 PM |
| Ok, but I can not make hard link from one partition to another.
So even if I have 777 directory in /home and or /var and it is mounted as different device , this exploit will not work because if I try to make hard link I get cross-device error.
Or maybe I'm missing something?
Yep - /usr/local/apache/proxy was some time ago security impact on cPanel boxes, but right now it should not be a problem.
|
| Posted by Steven, 10-20-2010, 12:54 PM |
| I'm just saying, stop relying on the assumption you will be ok, or at least please stop spreading that you will be perfectly fine if you have separate partitions. If there is a 777 directory that is still in /, then you still may have an issue. Your own server may be fine, but there are a lot of servers out there that will not be okay. Some people just start chmod 777 directories when things don't work without thinking of the repercussions.
It is fairly common for source in /usr/src to be 777, which can be easily overlooked.. There is plenty of suid binaries in /usr/bin that could be used.
Also I find at least 2 servers a month that have /usr/local/apache/proxy still.
Last edited by Steven; 10-20-2010 at 01:04 PM.
|
| Posted by fwaggle, 10-20-2010, 01:34 PM |
| I think the assumption is that you need a writable directory (note it needn't be world writable, just writable by an account the attacker can control) on the same partition as a suid-root binary, so that a hard link can be made.
I still agree with you in principle though - patching glibc is trivial compared to auditing your entire filesystem looking for exploit possibilities, making sure no daemons can be coaxed to drop arbitrary files in weird places, or can be leveraged to gain temporary write permissions, etc.
The old adage is that to keep a system secure, you have to find and plug every possibility, for an attack to succeed you only need to forget one.
Oh man, don't even get me started on that practice.
|
| Posted by Steven, 10-20-2010, 05:54 PM |
| Ksplice has a fix now aswell:
https://www.ksplice.com/cve-2010-3847
|
| Posted by wdaher, 10-20-2010, 06:09 PM |
| Steven, I'm amused that you're quicker on this than even I was (I was literally mid-post)
To be clear about what that URL points to: there's no magic rebootless kernel technology here (this isn't a kernel update, and it isn't part of the Ksplice Uptrack service). But folks have been asking us about this, so we've compiled a libc with the patch applied, for 32- and 64-bit systems, which we're providing as a courtesy to our customers. You're of course welcome to use them if you'd like.
(Steven also has some RPMs he's built, linked to earlier on this thread -- I haven't looked but I bet they're the same and only differ by their compile times, since I assume we both applied the same upstream patch.)
|
| Posted by Steven, 10-20-2010, 06:24 PM |
| I posted it 2 minutes after I got the email
My rpms are basically the same - used the upstream patch.
I do want to mention - I recommend installing the 386 rpms on x86_64 since they are installed on it usually - unsure if there is a possible exploit vector so I'm playing safe.
Last edited by Steven; 10-20-2010 at 06:31 PM.
|
| Posted by skywin, 10-20-2010, 06:43 PM |
| we are updated all servers with ksplice, at the moment all right.
|
| Posted by skywin, 10-20-2010, 06:49 PM |
| steven, but Ksplice update then there is not 100% secure?
|
| Posted by QuickWeb-Roel, 10-20-2010, 06:50 PM |
| Ksplice rocks, we are very a happy customer of them
|
| Posted by Steven, 10-20-2010, 06:54 PM |
| They don't upgrade the 32bit rpms that may be installed on your 64bit machine with their script.
x86_64)
rpms="$rpms \
glibc-2.5-49.0.0.cve_2010_3847.x86_64.rpm \
glibc-common-2.5-49.0.0.cve_2010_3847.x86_64.rpm \
glibc-debuginfo-2.5-49.0.0.cve_2010_3847.x86_64.rpm \
glibc-debuginfo-common-2.5-49.0.0.cve_2010_3847.i386.rpm \
glibc-devel-2.5-49.0.0.cve_2010_3847.x86_64.rpm \
glibc-headers-2.5-49.0.0.cve_2010_3847.x86_64.rpm \
glibc-utils-2.5-49.0.0.cve_2010_3847.x86_64.rpm \
nscd-2.5-49.0.0.cve_2010_3847.x86_64.rpm \
"
is it exploitable? I don't know - I haven't investigated. Do I upgrade them as well on my customers ? yes.
|
| Posted by TimAbbott, 10-20-2010, 06:59 PM |
| The installer script for the Ksplice RPMs automatically update the glibc RPMs on the system for each of the glibc packages you have installed (e.g. if you have i686 and x86_64, it'll update both of those, but if you just have x86_64, it'll update just that).
So using our script should leave you 100% secure against this issue.
|
| Posted by skywin, 10-20-2010, 07:02 PM |
| Thank you very much Steven and Tim, then there is no problem.
|
| Posted by TimAbbott, 10-20-2010, 07:02 PM |
| Steven is right that one should upgrade all the glibc packages installed on the system, not just one architecture.
If you read carefully, you'll see that the code from the Ksplice installer script is inside a loop over all the glibc packages installed on the system that is growing a list of packages to upgrade, in order to do exactly that.
|
| Posted by Steven, 10-20-2010, 07:03 PM |
| Yep I looked at it again. Sorry! I'm bombed today.
|
| Posted by Steven, 10-20-2010, 07:29 PM |
| https://rhn.redhat.com/errata/RHSA-2010-0787.html
|
| Posted by FastServ, 10-20-2010, 08:25 PM |
| Wow, quick response from RedHat (for once?)
|
| Posted by Steven, 10-20-2010, 08:40 PM |
| I was not expecting it!
|
| Posted by ZenMonk, 10-21-2010, 07:17 AM |
| yep
https://admin.fedoraproject.org/upda...ibc-2.12.90-17
|
| Posted by Techbrace, 10-21-2010, 11:23 AM |
| CentOS also published the patched update.
http://lists.centos.org/pipermail/ce...er/017100.html
|
| Posted by OLM | DavidG, 10-21-2010, 11:42 AM |
| We have some customers using older operating system distributions on our network, and have been investigating specifics of which distributions are affected, so that we can back-port the fix and provide updated RPMs for them (Re-installing with a modern operating system is clearly the proper solution, but some clients prefer not to).
During our investigation, we noticed that the exploit does not seem to work on Fedora Core 4 or Fedora Core 5. The exploit fails with an error that includes the string "DST not allowed in SUID/SGID programs". The exploit *does* work against Fedora Core 6.
Comparison of the source code RPMs from FC4, FC5, and FC6 is interesting. FC4 and FC5 have the following code within "elf/dl-open.c", in the "dl_open_worker" function:
/* DSTs must not appear in SUID/SGID programs. */
if (INTUSE(__libc_enable_secure))
/* This is an error. */
_dl_signal_error (0, "dlopen", NULL,
N_("DST not allowed in SUID/SGID programs"));
This code is not found in the FC6 version, which is clearly exploitable.
On a side note, LD_AUDIT support is required for glibc to be exploitable. Information online seems to indicate that this was added in glibc 2.4. FC4 has glibc "2.3.6-3". However, it does seem to be included in that version, at least according to the output of "strings /lib/ld*.so |grep LD_AUDIT". Perhaps Fedora back-ported the feature into an older version.
Does anyone else care to review the source RPMs between FC4, FC5, and FC6 and comment on the differences and exploit-ability? They are old distributions and probably not worth while for most people, but it is interesting to track the history of this vulnerability.
|
| Posted by SPaReK, 10-21-2010, 01:21 PM |
| I just wanted to check. CentOS 4 is not affected by this vulnerability is it?
I am not able to get the exploit to work on any of my CentOS 4 boxes and I see that the CentOS update is only for CentOS 5. But thought I would double check just to be sure.
|
| Posted by Steven, 10-21-2010, 01:25 PM |
| This probably will help you out:
https://bugzilla.redhat.com/show_bug...=CVE-2010-3847
I have however not worked on a fedora server in at least 2 years so I cannot comment on the fedora 6 exploit.
|
| Posted by OLM | DavidG, 10-22-2010, 02:41 PM |
| Tavis posted another glibc exploit today. See http://seclists.org/fulldisclosure/2010/Oct/344
I confirmed that CentOS 5 (with latest glibc package) and FC6 are vulnerable via "liblftp-tasks.so.0", but umask value was not inherited, so the created directory was owned by root, and not writable by any other users. Based on his Ubuntu example, it looks like the umask value would be inherited by the child process, resulting in the created directory being writable by any user. Still looking into it...
|
| Posted by iseletsk, 10-22-2010, 06:47 PM |
| Updated glibc for CloudLinux is ready. To update, run:
# yum clean metadata
# yum update glibc
|
| Posted by IQ-Hosting, 10-22-2010, 10:34 PM |
| Yes I Try that exploit already It worked
|
| Posted by Markovic, 10-23-2010, 04:51 AM |
| My CentOS VPS doesnt have libpcprofile.so or liblftp-tasks.so.0 so I guess its not vuln is it right? What else can be used instead of that, if anythin?
|
| Posted by iseletsk, 10-23-2010, 08:27 AM |
| The disclosure explains how to find libraries that can be attacked. So, basically -- no, just because those two libraries are not present -- doesn't mean you are unaffected.
|
| Posted by Markovic, 10-23-2010, 08:58 AM |
| Yes, and I was following it. It doesn't explain how to get a source code from .so file which. I don't get how he was able to see this:
40 Bookmark::Bookmark()
41 {
42 const char *home = get_lftp_home();
...
47 }
and
785 const char *get_lftp_home()
786 {
...
792 home = getenv("LFTP_HOME");
...
811 mkdir(home, 0755);
812 return home;
813 }
From /usr/lib/liblftp-tasks.so.0. Besides mentioned commands I tried using file, strings and nm commands but no luck
|
| Posted by iseletsk, 10-23-2010, 05:34 PM |
| debugger (gdb) + source source for the software I guess.
|
| Posted by KnownSRV, 10-24-2010, 12:54 PM |
| For those who don't have libpcprofile.so or liblftp-tasks.so.0, it can be exploited via libmemusage.so as well.
[pwn@server lib]$ strings libmemusage.so | grep OUTPUT
MEMUSAGE_OUTPUT
[pwn@server etc]$ umask 0
[pwn@server etc]$ LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT=/tmp/exploit ping
Memory usage summary: heap total: 0, heap peak: 0, stack peak: 0
total calls total memory failed calls
malloc| 0 0 0
realloc| 0 0 0 (nomove:0, dec:0, free:0)
calloc| 0 0 0
free| 0 0
Histogram for block sizes:
ERROR: ld.so: object 'libmemusage.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[pwn@server etc]$ ls -l /tmp/exploit
-rw-rw-rw- 1 root pwn 48 Oct 24 13:11 /tmp/exploit
[pwn@server etc]$ whoami
pwn
|
| Posted by ante, 11-11-2010, 09:17 AM |
| dos yum update fix all ?
|
| Posted by OLM | DavidG, 11-11-2010, 09:19 AM |
| It depends on your server environment. It is best to have a security professional review the server in detail if you are not sure.
|
| Posted by Steven, 03-09-2011, 07:17 PM |
| Has anyone looked at the changelog to the latest glibc for rhel4/centos4?
https://bugzilla.redhat.com/show_bug.cgi?id=667974
https://bugzilla.redhat.com/show_bug.cgi?id=649256
The errata notice says nothing about it: https://rhn.redhat.com/errata/RHBA-2011-0248.html
I am currently investigating this internally.
Discuss!
Last edited by Steven; 03-09-2011 at 07:29 PM.
|
Add to Favourites 
Print this Article
Also Read
