OpenVZ Forum



Members   Search      Help    Register    Login    Home
Home » General » Support » *CLOSED* Security breach :: prctl vulnerability
*CLOSED* Security breach :: prctl vulnerability [message #7385] Thu, 12 October 2006 13:54 Go to next message
whatever is currently offline whatever
Messages: 141
Registered: September 2006
Senior Member
 From: *176.104.245.bol.net.in
How is it possible the VPS owner break into main node?
I am shocked. Is openVZ really safe at all?
Anyway I can check how it was done and how it can be avoided in future?
Can anyone help me with this??????

Thanks.

[Updated on: Thu, 19 October 2006 04:28] by Moderator

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7400 is a reply to message #7385] Fri, 13 October 2006 01:20 Go to previous messageGo to next message
Vasily Tarasov is currently offline Vasily Tarasov
Messages: 1345
Registered: January 2006
Senior Member
 From: *sw.ru
It should be impossible!

Please, tell us, how do you detect, that a user from VE break into HN?

Thanks!

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7451 is a reply to message #7385] Fri, 13 October 2006 11:05 Go to previous messageGo to next message
John Kelly is currently offline John Kelly
Messages: 97
Registered: May 2006
Location: Palmetto State
Member
 From: *isp2dial.com
whatever wrote on Thu, 12 October 2006 13:54

How is it possible the VPS owner break into main node?


The VE has a chrooted, limited view of the filesystem. So the VE cannot "break in" to the HN filesystem.

However, the VE can use ssh to login to the HN, just like any other networked host. Maybe you have poor security on your HN. But how can we know what happened, when you don't provide detailed, factual information?

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7453 is a reply to message #7385] Fri, 13 October 2006 12:01 Go to previous messageGo to next message
whatever is currently offline whatever
Messages: 141
Registered: September 2006
Senior Member
 From: *176.104.245.bol.net.in
How I detected?
In hardware node we use alert script whenever anyone login to root we get alert. And direct root login to Hardware node is disabled. To get root access one has to login as user allowed list in hardware node and then su password to get root.
There are only 2 users in hardware.
The VPS user got the access to root. And the details of VPSuser, ip, time etc were recorded in alert email.
This happened 2 times with different VPS users.
I can send the VPS root access and alert details to the developer of openvz to have a look at it.
Maybe they can understand better then me.

Thanks.

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7455 is a reply to message #7453] Fri, 13 October 2006 12:29 Go to previous messageGo to next message
John Kelly is currently offline John Kelly
Messages: 97
Registered: May 2006
Location: Palmetto State
Member
 From: *isp2dial.com
whatever wrote on Fri, 13 October 2006 12:01

And direct root login to Hardware node is disabled.


Maybe. Maybe not. It's possible there could be an OpenVZ bug, but it's more likely your login security is misconfigured.

If you can identify a real bug, the OpenVZ developers will fix it. That's their job. But they don't have time, and it's not their job, to train OpenVZ users how to manage system security.

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7472 is a reply to message #7385] Sat, 14 October 2006 08:14 Go to previous messageGo to next message
whatever is currently offline whatever
Messages: 141
Registered: September 2006
Senior Member
 From: *176.104.245.bol.net.in
There are more people who have faced this issue.
one other guy got his access with this code
http://www.milw0rm.com/exploits/2006

Thanks

[Updated on: Sat, 14 October 2006 08:14]

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7476 is a reply to message #7385] Sun, 15 October 2006 10:20 Go to previous messageGo to next message
jason|xoxide is currently offline jason|xoxide
Messages: 20
Registered: September 2006
Location: Exton, PA
Junior Member
 From: *phlapa.fios.verizon.net
Well, if it's a kernel bug that only affects 2.6.17 and below then it will go away as soon as the test kernel is migrated to 2.6.18 (which they already said would be soon). You can't very well blame OpenVZ for something that is also broken in the vanilla kernel.

Jason Litka
http://www.jasonlitka.com

[Updated on: Sun, 15 October 2006 10:20]

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7477 is a reply to message #7472] Sun, 15 October 2006 10:37 Go to previous messageGo to next message
Valmont is currently offline Valmont
Messages: 225
Registered: September 2005
Senior Member
 From: *net.ru
You are mistaken. It can gives root access, but does _not_ break vps restrictions.

And. Do NOT use testing kernel on production. It is only for testing purposes. Use stable kernel.

[Updated on: Sun, 15 October 2006 10:42]

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7480 is a reply to message #7385] Sun, 15 October 2006 11:18 Go to previous messageGo to next message
whatever is currently offline whatever
Messages: 141
Registered: September 2006
Senior Member
 From: *176.104.245.bol.net.in
I am using kernel

kernel /vmlinuz-2.6.8-022stab078.10 ro root=/dev/VolGroup00/LogVol00

Thanks

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7481 is a reply to message #7480] Sun, 15 October 2006 11:52 Go to previous messageGo to next message
Valmont is currently offline Valmont
Messages: 225
Registered: September 2005
Senior Member
 From: *net.ru
Well, did you try to execute this sploit?
It doesn't work on 2.6.8-022stab078.10

[Updated on: Sun, 15 October 2006 11:54]

Report message to a moderator

Re: Security breach :: VPS owner break into main node!!!! [message #7538 is a reply to message #7480] Tue, 17 October 2006 06:46 Go to previous message
dev is currently offline dev
Messages: 1693
Registered: September 2005
Location: Moscow
Senior Member
From: *sw.ru
2.6.8 stable is not vulnerable since prctl was broken between 2.6.8 and 2.6.9.

2.6.9 stable was updated some time ago (linux-2.6.9-CVE-2006-2451-dumpable.patch)

Plus as someone already noted here, this doesn't allow to get HWN root user. Only VE root.

http://static.openvz.org/userbars/openvz-developer.png

Report message to a moderator

Previous Topic:dual nic environment
Next Topic:Problem with 0.18.1 and kmemsize
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Fri May 24 18:09:07 EDT 2013
Powered by FUDforum Powered by Parallels Virtuozzo Containers