missed a Solaris T-patch and got burned by priocntl bug...

Bruce Campbell bruce at engmail.uwaterloo.ca
Mon Apr 7 15:06:32 GMT 2003


I had 3 Solaris 7 systems up to date as far as "Security and Recommended"
patches were concerned, but I missed a T-Patch, and seemingly
missed a security advisory about it, and I got burned...

"Solaris priocntl() System Call Lets Local Users Grab Root"

  http://www.securitytracker.com/alerts/2002/Nov/1005720.html

identified Nov 2002, T-Patch released Mar 14

requires local access, which was gained through use of a
userid/password grabbed from a local unpatched Solaris machine,
which was hacked a few weeks back.

This rootkit was installed:

  http://members.xoom.virgilio.it/iglesiashot/

/var/adm/messages extract:

Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=163
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=13224
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=13234
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=14619
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: 14619
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: 0
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: not found

Attack came from

  1Cust9.tnt2.mln4.ita.da.uu.net

and after each breakin, a short e-mail was sent to:

  betatester1 at virgilio.it

I've reported the incident to CERT.

-- 
Bruce Campbell
Engineering Computing
CPH-2374B
University of Waterloo
(519)888-4567 ext 5889

----------------------------------------
This mail sent through www.mywaterloo.ca
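As an added defensive example (not part of Bruce's post), a small Python filter that parses /var/adm/messages lines in the Solaris layout shown above and groups the kernel "Get Su" NOTICE lines by host and timestamp, so a burst like the one in the extract stands out during log review. The sample input is constructed from the extract plus two ordinary lines that the filter should ignore.

```python
import re
from collections import defaultdict

# Constructed sample: the /var/adm/messages extract from the post, plus two
# ordinary syslog lines so the filter has something to ignore.
SAMPLE_MESSAGES = """\
Mar 29 06:53:10 xxxx sendmail[212]: [ID 702911 mail.info] starting daemon
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=163
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=13224
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=13234
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=14619
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: 14619
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: 0
Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: not found
Mar 29 06:55:02 xxxx su: [ID 366847 auth.notice] 'su root' succeeded for someuser on /dev/pts/3
"""

# Solaris /var/adm/messages layout: "Mon DD HH:MM:SS host tag: text"
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
# Kernel NOTICE text left by the rootkit, exactly as it appears in the post.
GETSU_RE = re.compile(r"^NOTICE: Get Su: (.*)$")

def parse_line(line):
    """Split one syslog line into timestamp, host, tag and message text."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, tag, text = m.groups()
    return {"ts": ts, "host": host, "tag": tag, "text": text}

def find_getsu_events(lines):
    """Return one record per (host, timestamp) burst of 'Get Su' kernel notices."""
    bursts = defaultdict(lambda: {"searched": [], "results": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["tag"] != "unix":   # only kernel-originated lines
            continue
        m = GETSU_RE.match(rec["text"])
        if not m:
            continue
        payload = m.group(1)
        b = bursts[(rec["host"], rec["ts"])]
        if payload.startswith("search pid="):
            b["searched"].append(int(payload.split("=", 1)[1]))
        else:
            b["results"].append(payload)     # e.g. "14619", "0", "not found"
    return [{"host": h, "ts": t, **v} for (h, t), v in bursts.items()]

if __name__ == "__main__":
    for ev in find_getsu_events(SAMPLE_MESSAGES.splitlines()):
        print(f"{ev['host']} {ev['ts']}: 'Get Su' burst, "
              f"{len(ev['searched'])} pids searched, results={ev['results']}")
```

The "Get Su" string is the marker this particular kit left in the kernel log; it is a signature for this incident, not a general test for a compromised kernel.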



More information about the unisog mailing list