Debian hack: intruders got in through a known hole

At first it was only an assumption, but now administrators of the hacked Debian development server gluck have confirmed that the hackers exploited the sys_prctl hole in the output of core dumps to gain root rights. But to gain access to the system in the first place, a developer account with restricted rights had to be compromised, and the developers do not yet know how this was done. The Debian project's press release also did not state exactly when the break-in occurred, but it is clear that the intruders were not able to use their root rights for very long, because the administrators noticed strange e-mails generated by certain cron jobs on July 12. The computer was then immediately taken offline and investigated.

Apparently, the only change noticed in the system was a manipulated ping binary. Access to servers that manage archives, packets, and mailing lists was not, however, possible from there. Fortunately, gluck is back in operation again, this time without the hole in the kernel and with new keys for GPG and SSH. All of the services it offers are therefore also available once again. In the course of the investigations, the administrators took a look at a few other servers at the same time to see if they had also been broken into and to install a flawless kernel.

It is not clear why the administrators had not already updated the kernel. After all, the updates had been made available on July 6 to the public and certainly even earlier to the Debian team. Strangely, there are rumours that the hole was already known at the end of 2005 in "certain circles". There are, however, no indications that this hole was actively exploited back then. Kernel security specialist Paul Starzetz believes that the flaw more closely resembles a backdoor than a true flaw caused by carelessness.

See also:

• Update on compromise of gluck.debian.org, lock down of other debian.org machines, report on the investigation by the Debian teams

(ehe)