[Full-Disclosure] Re: ABfrag followup / WITHOUT ATTACHMENT

From: enigmatic-arcanumat_private
Date: Thu Oct 24 2002 - 17:47:56 PDT


    >As for the gateway machine itself; it was running no server processes and
    >has very little client activity - only the occasional reboot or reconfiguration.
    >We had installed the 'grsec' security patch and had enabled non-executable
    >user pages as a precaution against intrusion. Due to performance hits, however,
    >we had not enabled ET_DYN or non-executable kernel pages.
    >
    
    Oh, you're confident that openwall-alike patches will solve your problem? Good.
    
    I wouldn't consider installing grsecurity in order to overcome this specific matter; here are some hints:
    
    1. Openwall-alike patches will certainly not do anything against this problem. Take a look at the patch:
    
     #ifdef CONFIG_GRKERNSEC_STACK
     /* Check if it was return from a signal handler */
             if ((regs->xcs & 0xFFFF) == __USER_CS)
             if (*(unsigned char *)regs->eip == 0xC3)
    <....>
    
    Does __USER_CS ring a bell? It stands for "USER CODE SEGMENT"; I still don't *clearly* see any __KERNEL_CS in there :-)
    
    Based on my previous post, which for some reason has not been moderated by our bugtraq hangman^H^H^H^H^H^H^Hmoderator, for those wondering what was in there, take a look here: http://lists.netsys.com/pipermail/full-disclosure/2002-October/002577.html
    
    2. I would have the feeling that the vulnerability existed on grsecurity rather than on Linux (hint ;-)
    
    3. Even if you had non-exec stack turned on, you wouldn't for sure have non-exec heap, and none of the underground descriptions of this apparent vulnerability mentions stack or heap, so in resume, you're as vulnerable with the patch or without it, unless my above hint holds true. ;-)
    
    >Yours,
    >Daniel Roberts
    >Head Network Manager
    
    --
    Enigmatic Arcanum
    
    
    