Yep folks, this is a big one, and while the local root exploit isn't going to apply to us - Oxygen MIGHT have the newgrp binary and it might be setuid, but David uses the Openwall patches, which kill it - the DoS attack is a pretty messy one. Check here:
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21 I'm pretty sure that will wrap, so be aware of the second line for cut and paste. Basically, the local root exploit involves using newgrp - with setuid bit set - and ptrace to actually cause a root shell to spawn. LRP 2.9.8 and variations most likely do not contain this binary; I know that my 2.9.8 setup doesn't. This IS something kernel-related, as the same programs do not allow the same hole in *BSD. The DoS attack has something to do with creating massive numbers of symlinks and then dereferencing them; I haven't tried the attack script on my LRP box yet, but I'm going to as soon as I finish upgrading my server to 2.4.12-ac3. Apparently, the DoS attack is still present in at least one customized 2.4.12 kernel, so be careful of that as well. A patch was presented for 2.2.19 for both vulnerabilities; if I find LRP 2.9.8 vulnerable, I'll be compiling the patch in and will make it available. Patch follows for those who're impatient: [BEGIN PATCH] --- linux-2.2.19/fs/namei.c.orig Wed Oct 10 09:31:37 2001 +++ linux-2.2.19/fs/namei.c Wed Oct 10 10:30:56 2001 @@ -277,6 +277,15 @@ result->d_op->d_revalidate(result, flags); return result; } +/* + * Yes, this really increments the link_count by 5, and + * decrements it by 4. Together with checking against 25, + * this limits recursive symlink follows to 5, while + * limiting consecutive symlinks to 25. + * + * Without that kind of total limit, nasty chains of consecutive + * symlinks can cause almost arbitrarily long lookups. + */ static struct dentry * do_follow_link(struct dentry *base, struct dentry *dentry, unsigned int follow) { @@ -284,13 +293,17 @@ if ((follow & LOOKUP_FOLLOW) && inode && inode->i_op && inode->i_op->follow_link) { - if (current->link_count < 5) { + if (current->link_count < 25) { struct dentry * result; - current->link_count++; + if (current->need_resched) { + current->state = TASK_RUNNING; + schedule(); + } + current->link_count += 5; /* This eats the base */ - result = inode->i_op->follow_link(dentry, base, follow); - current->link_count--; + result = inode->i_op->follow_link(dentry, base, follow|LOOKUP_INSYMLINK); + current->link_count -= 4; dput(dentry); return result; } @@ -324,6 +337,8 @@ struct dentry * dentry; struct inode *inode; + if (!(lookup_flags & LOOKUP_INSYMLINK)) + current->link_count=0; if (*name == '/') { if (base) dput(base); --- linux-2.2.19/include/linux/fs.h.orig Wed Oct 10 10:06:41 2001 +++ linux-2.2.19/include/linux/fs.h Wed Oct 10 10:07:58 2001 @@ -872,6 +872,7 @@ #define LOOKUP_DIRECTORY (2) #define LOOKUP_SLASHOK (4) #define LOOKUP_CONTINUE (8) +#define LOOKUP_INSYMLINK (16) extern struct dentry * lookup_dentry(const char *, struct dentry *, unsigned int); extern struct dentry * __namei(const char *, unsigned int); diff -urP linux-2.2.19/fs/exec.c linux/fs/exec.c --- linux-2.2.19/fs/exec.c Mon Mar 26 07:13:23 2001 +++ linux/fs/exec.c Tue Oct 9 05:00:50 2001 @@ -552,12 +645,11 @@ } /* - * We mustn't allow tracing of suid binaries, unless - * the tracer has the capability to trace anything.. + * We mustn't allow tracing of suid binaries, no matter what. */ static inline int must_not_trace_exec(struct task_struct * p) { - return (p->flags & PF_PTRACED) && !cap_raised(p->p_pptr->cap_effective, CAP_SYS_PTRACE); + return (p->flags & PF_PTRACED); } /* [END PATCH] -- George Metz Commercial Routing Engineer [EMAIL PROTECTED] "We know what deterrence was with 'mutually assured destruction' during the Cold War. But what is deterrence in information warfare?" -- Brigadier General Douglas Richardson, USAF, Commander - Space Warfare Center _______________________________________________ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
