[Techtalk] Debian machine compromise traced to kernel exploit

Mary mary-linuxchix at puzzling.org
Tue Dec 2 12:43:46 EST 2003


On Tue, Dec 02, 2003, Mary wrote:
> Recently multiple servers of the Debian project were compromised using a
> Debian developer's account and an unknown root exploit. Forensics
> revealed a burneye encrypted exploit. Robert van der Meulen managed to
> decrypt the binary which revealed a kernel exploit. Study of the exploit
> by the RedHat and SuSE kernel and security teams quickly revealed that
> the exploit used an integer overflow in the brk system call. Using
> this bug it is possible for a userland program to trick the kernel into
> giving access to the full kernel address space. This problem was found
> in September by Andrew Morton, but unfortunately that was too late for
> the 2.4.22 kernel release.

Sorry, I didn't intend to send this message in its entirety or without
explanation -- hit "send" rather than "cancel" :(

The intended warning was that there appears to be a kernel exploit in
the wild sufficiently well known that it was used to successfully
exploit a number of the machines that the Debian developers themselves
use. People, especially Debian users, should check that their machines
have a kernel which is safe from this exploit.

It is, as far as I know, a local exploit though, so an attacker needs to
gain access to a local user account to use it.

-Mary
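The announcement quoted above describes the bug only as "an integer overflow in the brk system call" that lets a userland program reach the full kernel address space. The program below is an added illustration, not part of the original post, not Debian's or the kernel's code, and not the exploit: it models the class of address-range check the kernel was missing, showing how a wrapped 32-bit addition slips past a naive bounds test and how an overflow-aware test rejects it, and it prints a verdict on the running kernel's release string. Assumptions: USER_LIMIT stands in for a 3 GiB user/kernel split on 32-bit x86 (the real constant is the kernel's TASK_SIZE); 2.4.23 is taken as the first 2.4 release carrying the fix, since the announcement says 2.4.22 shipped without it; the function names, the constructed addresses and the sample release strings are mine.

```c
/*
 * Added illustration for the brk() integer-overflow bug. NOT the kernel's
 * code and NOT the exploit: it models the missing range check and reads the
 * running kernel's release string.   Build: cc -o brkcheck brkcheck.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Assumed user/kernel split for a 32-bit x86 kernel of the period: user
 * addresses run from 0 up to 3 GiB. The real constant is the kernel's
 * TASK_SIZE; this value is only for illustration. */
#define USER_LIMIT UINT32_C(0xC0000000)

/*
 * Naive check: "the new end of the mapping must stay below USER_LIMIT".
 * With 32-bit arithmetic, addr + len can wrap to a small number, so a
 * request that really spans into kernel space looks fine.
 */
int brk_range_ok_naive(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;      /* may wrap modulo 2^32 */
    return end <= USER_LIMIT;
}

/*
 * Overflow-aware check: rule out the wrap first, then the range. A single
 * "addr + len > USER_LIMIT" test cannot catch a wrapped sum, because the
 * wrapped value is small by construction.
 */
int brk_range_ok(uint32_t addr, uint32_t len)
{
    if (len > UINT32_MAX - addr)    /* addr + len would wrap */
        return 0;
    if (addr + len > USER_LIMIT)    /* would reach kernel addresses */
        return 0;
    return 1;
}

/* Parse the leading "major.minor.patch" of a release such as "2.4.22-1-686". */
int parse_release(const char *rel, int *maj, int *min, int *pat)
{
    return sscanf(rel, "%d.%d.%d", maj, min, pat) == 3;
}

/*
 * Verdict on a release string, from the version number alone:
 *   1  -> 2.4.23 or later (assumed first 2.4 release with the fix, since
 *         the announcement says 2.4.22 shipped without it)
 *   0  -> 2.4.22 or earlier: a vanilla kernel of this version is affected,
 *         but a distribution kernel may carry the fix as a backported
 *         patch and still report the old number, so confirm with the vendor
 *  -1  -> not a 2.4 kernel, or unparsable; the number alone says nothing
 */
int brk_fix_verdict(const char *rel)
{
    int maj, min, pat;
    if (!parse_release(rel, &maj, &min, &pat))
        return -1;
    if (maj != 2 || min != 4)
        return -1;
    return pat >= 23 ? 1 : 0;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    int v = brk_fix_verdict(u.release);
    printf("running kernel %s: %s\n", u.release,
           v == 1 ? "2.4.23 or later, carries the brk fix" :
           v == 0 ? "2.4.22 or older: vulnerable unless your vendor backported the fix" :
                    "not a 2.4 kernel; the version number alone does not settle it");

    /* Constructed request that wraps: addr + len == 0x1000 modulo 2^32. */
    uint32_t addr = UINT32_C(0xBFFF0000);
    uint32_t len  = UINT32_C(0x40011000);
    printf("naive check accepts wrapped request: %d\n", brk_range_ok_naive(addr, len));
    printf("overflow-aware check accepts it:     %d\n", brk_range_ok(addr, len));
    return 0;
}
```

The verdict function is deliberately conservative: a version number below 2.4.23 on a distribution kernel means "ask the vendor whether the fix was backported", not "vulnerable", and any non-2.4 release (including the 2.6.0-test series of the time) is reported as undecidable rather than guessed at.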

