OpenVZ Forum: Support » *CLOSED* Security breach

Home » General » Support » *CLOSED* Security breach :: prctl vulnerability

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

*CLOSED* Security breach :: prctl vulnerability [message #7385]

Thu, 12 October 2006 17:54

whatever
Messages: 142
Registered: September 2006

Senior Member

How is it possible the VPS owner break into main node?
I am shocked. Is openVZ really safe at all?
Anyway I can check how it was done and how it can be avoided in future?
Can anyone help me with this??????

Thanks.

[Updated on: Thu, 19 October 2006 08:28] by Moderator

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7400 is a reply to message #7385]

Fri, 13 October 2006 05:20

Vasily Tarasov
Messages: 1345
Registered: January 2006

Senior Member

It should be impossible!

Please, tell us, how do you detect, that a user from VE break into HN?

Thanks!

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7451 is a reply to message #7385]

Fri, 13 October 2006 15:05

John Kelly
Messages: 97
Registered: May 2006
Location: Palmetto State

Member

whatever wrote on Thu, 12 October 2006 13:54

How is it possible the VPS owner break into main node?

The VE has a chrooted, limited view of the filesystem. So the VE cannot "break in" to the HN filesystem.

However, the VE can use ssh to login to the HN, just like any other networked host. Maybe you have poor security on your HN. But how can we know what happened, when you don't provide detailed, factual information?

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7453 is a reply to message #7385]

Fri, 13 October 2006 16:01

whatever
Messages: 142
Registered: September 2006

Senior Member

How I detected?
In hardware node we use alert script whenever anyone login to root we get alert. And direct root login to Hardware node is disabled. To get root access one has to login as user allowed list in hardware node and then su password to get root.
There are only 2 users in hardware.
The VPS user got the access to root. And the details of VPSuser, ip, time etc were recorded in alert email.
This happened 2 times with different VPS users.
I can send the VPS root access and alert details to the developer of openvz to have a look at it.
Maybe they can understand better then me.

Thanks.

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7455 is a reply to message #7453]

Fri, 13 October 2006 16:29

John Kelly
Messages: 97
Registered: May 2006
Location: Palmetto State

Member

whatever wrote on Fri, 13 October 2006 12:01

And direct root login to Hardware node is disabled.

Maybe. Maybe not. It's possible there could be an OpenVZ bug, but it's more likely your login security is misconfigured.

If you can identify a real bug, the OpenVZ developers will fix it. That's their job. But they don't have time, and it's not their job, to train OpenVZ users how to manage system security.

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7472 is a reply to message #7385]

Sat, 14 October 2006 12:14

whatever
Messages: 142
Registered: September 2006

Senior Member

There are more people who have faced this issue.
one other guy got his access with this code
http://www.milw0rm.com/exploits/2006

Thanks

[Updated on: Sat, 14 October 2006 12:14]

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7476 is a reply to message #7385]

Sun, 15 October 2006 14:20

jason|xoxide
Messages: 20
Registered: September 2006
Location: Exton, PA

Junior Member

Well, if it's a kernel bug that only affects 2.6.17 and below then it will go away as soon as the test kernel is migrated to 2.6.18 (which they already said would be soon). You can't very well blame OpenVZ for something that is also broken in the vanilla kernel.

Jason Litka
http://www.jasonlitka.com

[Updated on: Sun, 15 October 2006 14:20]

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7477 is a reply to message #7472]

Sun, 15 October 2006 14:37

Valmont
Messages: 225
Registered: September 2005

Senior Member

You are mistaken. It can gives root access, but does _not_ break vps restrictions.

And. Do NOT use testing kernel on production. It is only for testing purposes. Use stable kernel.

[Updated on: Sun, 15 October 2006 14:42]

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7480 is a reply to message #7385]

Sun, 15 October 2006 15:18

whatever
Messages: 142
Registered: September 2006

Senior Member

I am using kernel

kernel /vmlinuz-2.6.8-022stab078.10 ro root=/dev/VolGroup00/LogVol00

Thanks

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7481 is a reply to message #7480]

Sun, 15 October 2006 15:52

Valmont
Messages: 225
Registered: September 2005

Senior Member

Well, did you try to execute this sploit?
It doesn't work on 2.6.8-022stab078.10

[Updated on: Sun, 15 October 2006 15:54]

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7538 is a reply to message #7480]

Tue, 17 October 2006 10:46

dev
Messages: 1693
Registered: September 2005
Location: Moscow

Senior Member

2.6.8 stable is not vulnerable since prctl was broken between 2.6.8 and 2.6.9.

2.6.9 stable was updated some time ago (linux-2.6.9-CVE-2006-2451-dumpable.patch)

Plus as someone already noted here, this doesn't allow to get HWN root user. Only VE root.

http://static.openvz.org/userbars/openvz-developer.png

Report message to a moderator

Previous Topic:	dual nic environment
Next Topic:	Problem with 0.18.1 and kmemsize

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Sun Oct 26 11:27:10 GMT 2025

Total time taken to generate the page: 0.08440 seconds