Оказывается, там использовалась эта новая уязвимость - Linux Kernel PRCTL Core
Dump Handling Privilege Escalation
Debian Server restored after Compromise
July 13th, 2006
One core Debian server has been reinstalled after a compromise and services
have been restored. On July 12th the host gluck.debian.org has been compromised
using a local root vulnerability in the Linux kernel. The intruder had access
to the server using a compromised developer account.
The services affected and temporarily taken down are: cvs, ddtp, lintian,
people, popcon, planet, ports and release.
Details
At least one developer account has been compromised a while ago and has been
used by an attacker to gain access to the Debian server. A recently discovered
local root vulnerability in the Linux kernel has then been used to gain root
access to the machine.
At 02:43 UTC on July 12th suspicious mails were received and alarmed the Debian
admins. The following investigation turned out that a developer account was
compromised and that a local kernel vulnerability has been exploited to gain
root access.
At 04:30 UTC on July 12th gluck has been taken offline and booted off trusted
media. Other Debian servers have been locked down for further investigation
whether they were compromised as well. They will be upgraded to a corrected
kernel before they will be unlocked.
Due to the short window between exploiting the kernel and Debian admins
noticing, the attacker hadn't had time/inclination to cause much damage. The
only obviously compromised binary was /bin/ping.
The compromised account did not have access to any of the restricted Debian
hosts. Hence, neither the regular nor the security archive had a chance to be
compromised.
An investigation of developer passwords revealed a number of weak passwords
whose accounts have been locked in response.
The machine status is here.
Kernel vulnerability
The kernel vulnerability that has been used for this compromise is referenced
as CVE-2006-2451. It only exists in the Linux kernel 2.6.13 up to versions
before 2.6.17.4, and 2.6.16 before 2.6.16.24. The bug allows a local user to
gain root privileges via the PR_SET_DUMPABLE argument of the prctl function and
a program that causes a core dump file to be created in a directory for which
the user does not have permissions.
The current stable release, Debian GNU/Linux 3.1 alias 'sarge', contains Linux
2.6.8 and is thus not affected by this problem. The compromised server ran
Linux 2.6.16.18.
If you run Linux 2.6.13 up to versions before 2.6.17.4, or Linux 2.6.16 up to
versions before 2.6.16.24, please update your kernel immediately.
About Debian
