-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's definitely something to be concerned about; two recent Bugtraq
postings discuss this, see attached.

I do not have complete info right now, but here's the scoop:
Local users can gain root through a _kernel_ bug in Linux 2.2.15 and some
earlier versions. This is fixed in 2.2.16pre6. Linux 2.0.x is not
vulnerable; I do not know of any other vulnerable OSes.

The bug is that it is somehow possible to exec sendmail without the
CAP_SETUID priv, which makes the setuid() call that sendmail eventually
does to drop privs fail. Big chunks of code that were never meant to run
as root then do run as root, which is of course easily exploitable then.

This is just about all the info I have. I do not have the exploit but I
know that some black hats do have it. A couple of boxes already got
completely trashed after being rooted through this hole, which is why I am
making this public right now.

I did not discover this bug, I only extrapolated from the small info I had:
'it has to do with capsuid' 'sendmail is vulnerable, crond is not'. Some
reading of the kernel source then suggested the above to me, which has been
confirmed by a more knowledgeable source.

Greetz, Peter.
- -- 
[EMAIL PROTECTED] - Peter van Dijk [student:developer:madly in love]

and this.

There is a zero-day exploit for the kernel in the hands of script kiddies.

After they rooted locally 2 systems which I have an interest in and did dd
if=/dev/zero of=/dev/hda1 &
on both, I spent 7 hours finding fragments (we really need easier tools:
LDE with GUI block search capabilities).
With help from Peter we came to the following conclusion.

This exploit gives them local root.
It works -so far investigated- on

Linux 2.2.15
Linux 2.2.14-5.0 (RedHat 6.2)
Not vulnerable: 2.2.0 kernels, 2.2.16pre6 kernels and FreeBSD 4.0.
2.0.x Linux kernels don't have capabilities, and are probably not
vulnerable.

In the Linux kernel there are capabilities that put restrictions on
processes. A process -like sendmail or httpd- can do its job as root and
after it's finished all capabilities as root are dropped.

Someone succeeded in calling the CAP_SETUID priv; Sendmail can't drop root
to a normal user after that. Because Sendmail isn't made to run as root,
the rest of sendmail is easy to abuse.

The bug in sendmail is only available when sendmail *probably* doesn't
check if the dropping of privs succeeded.

Special thanx to Peter van Dijk for his great -major part- analysis.

gtx,
Gerrie Mansur
HIT2000 Information security
www.hit2000.org
www.hit2000.nl

- -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Derek Martin
Sent: Thursday, June 08, 2000 10:32 AM
To: GNHLUG mailing list; BLU Users' Group
Subject: Linux/Sendmail Pro Security Alert (fwd)



I received this yesterday from an employee of Sendmail Inc.  FYI.
Personally I think it's a marketing ploy... ;)


- ---------- Forwarded message ----------
Date: Wed, 07 Jun 2000 18:42:25 -0700
From: Tasha Lockyer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Linux/Sendmail Pro Security Alert

LINUX/SENDMAIL PRO SECURITY ALERT

The Problem
A serious bug has been discovered in the Linux kernel that can be used
by local users to gain root access.  The problem, a vulnerability in the
Linux kernel capability model, exists in kernel versions up to and
including version 2.2.15.  This problem will affect programs that drop
setuid state and rely on losing saved setuid, even those that check that
the setuid call succeeded.

How This Affects You
Because this vulnerability can be used to attack any setuid root program
that attempts to cede special permission, all sendmail users can be
exploited.  Please note that this is NOT a sendmail security issue, but
rather a Linux issue that can manifest itself in the sendmail program.

As a result, this problem can be exploited on Sendmail Pro for Red Hat
Linux.

How To Fix It
To resolve this issue, upgrade your Linux kernel to version 2.2.16
immediately. If you are currently unable to obtain an upgrade from your
vendor, we strongly recommend that you upgrade from Sendmail Pro to
Sendmail Switch.  Sendmail Switch 2.0.5 for Red Hat Linux includes a
check for this vulnerability in the kernel and if it is present, refuses
to run, thus making it impossible to use sendmail to exploit the
problem.  Sendmail Single Switch is available only on the Sendmail Store
for the special promotional price of $99.  To purchase this product,
please go to:

http://www2.sendmail.com/store/

For more information on the Sendmail Switch product line, please see:

http://www2.sendmail.com/products/routing/


- -- 
PGP/GPG Public key at
http://cerberus.ne.mediaone.net/~derek/pubkey.txt
- ------------------------------------------------------
Derek D. Martin      |  Unix/Linux Geek
[EMAIL PROTECTED]  |  [EMAIL PROTECTED]
- ------------------------------------------------------



**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
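Added example, not code from any of the posts above and not sendmail's own
code: the privilege-drop pattern all three reports turn on. Peter and Gerrie
describe sendmail carrying on as root when the setuid() call it makes to drop
privs fails, and the Sendmail Inc. alert adds that even a program which checks
the setuid() return value is affected when the saved uid stays 0. The block
puts the unchecked pattern beside a hardened form that sets all three ids with
setresuid()/setresgid() (assumed available, as on Linux), checks every return
value, then re-reads the ids with getresuid()/getresgid() and confirms that
setuid(0) is refused before the program continues; if anything is off it
refuses to run. Function names, the uid/gid arguments and the default of
dropping to the caller's own ids are my choices, not the page's.

```c
/* Added example (not sendmail's code): dropping root correctly on Linux.
 * Build: cc -Wall -o dropprivs dropprivs.c
 * Run as any user (drops to your own ids, exercising the checks), or as
 * root with "uid gid" of an unprivileged account as arguments. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the reports describe: return values are never examined, so
 * when the kernel refuses the change (CAP_SETUID missing, as on the
 * vulnerable 2.2 kernels) the program carries on with euid 0 and every
 * later step runs as root. The defect is kept on purpose. */
void drop_privs_unchecked(uid_t uid, gid_t gid)
{
    int rc;
    rc = setgid(gid);
    rc = setuid(uid);
    (void)rc;   /* result never looked at: this is the bug */
}

/* Return 1 only if real, effective and saved ids all equal the target and
 * root cannot be regained. Checking setuid()'s return value alone is not
 * enough: an unprivileged setuid(uid) may change only the effective uid
 * and leave the saved uid at 0, from which setuid(0) succeeds again. */
int privs_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (getresuid(&ruid, &euid, &suid) != 0 ||
        getresgid(&rgid, &egid, &sgid) != 0)
        return 0;
    if (ruid != uid || euid != uid || suid != uid)
        return 0;
    if (rgid != gid || egid != gid || sgid != gid)
        return 0;
    /* Once dropped to a non-root id, regaining root must be refused. */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    if (gid != 0 && setgid(0) == 0)
        return 0;
    return 1;
}

/* Hardened form: set all three ids at once, check every return value, then
 * verify the result independently. Returns 0 on success, -1 on failure;
 * the caller must treat -1 as fatal and exit rather than continue. */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while we still hold root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)   /* gid first: needs root to work */
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (!privs_fully_dropped(uid, gid))
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed default: drop to our own real ids, which succeeds for
     * any user and still runs the verification path. */
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();

    if (drop_privs_checked(uid, gid) != 0) {
        fprintf(stderr, "privilege drop to uid %lu gid %lu failed or could "
                "not be verified; refusing to run\n",
                (unsigned long)uid, (unsigned long)gid);
        return 1;
    }
    printf("running as uid %lu gid %lu, all three ids verified\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

The refusal in main is the behaviour a daemon wants when the drop cannot be
verified: stopping is safe, continuing as root with code written for an
unprivileged user is not. drop_privs_unchecked() is never called; it is there
only to show, side by side, what the reports say sendmail did.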
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQA/AwUBOT+16WMDobzT1rQCEQImcwCfYdBiAuBEtEj71Xg4VrrAA/sAtJkAn3jb
qtXu0Tap7ikWG/9urGaT/C8G
=FjDt
-----END PGP SIGNATURE-----

