At 09:27 AM 6/8/00 -0500, you wrote:
>On 08-Jun-2000, Irwan Hadi wrote:
> > Good grief, kernel 2.2.15 only came out 2 weeks ago, and now 2.2.16 is out
> > http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.16.tar.gz
> > I'm tired of updating the kernel on the server; luckily it's only one so far.
> > With 10 servers, wow, that would be a hassle ;(
>
>You don't have to upgrade every time a new kernel comes out; if you don't
>need the feature/bugfix, what's the point?
With 2.2.16 there is one again ;)
-----
Date: Thu, 8 Jun 2000 00:38:14 +0200
Reply-To: Peter van Dijk <[EMAIL PROTECTED]>
Sender: Bugtraq List <[EMAIL PROTECTED]>
From: Peter van Dijk <[EMAIL PROTECTED]>
Subject: local root on linux 2.2.15
To: [EMAIL PROTECTED]

I do not have complete info right now, but here's the scoop:

Local users can gain root thru a _kernel_ bug in linux 2.2.15 and some
earlier versions. This is fixed in 2.2.16pre6. Linux 2.0.x is not
vulnerable, I do not know of any other vulnerable OSes.

The bug is that it is somehow possible to exec sendmail without the
CAP_SETUID priv, which makes the setuid() call that sendmail eventually
does to drop privs, fail. Big chunks of code that were never meant to run
as root then do run as root, which is of course easily exploitable then.

This is just about all the info I have, I do not have the exploit but I
know that some black hats do have it. A couple of boxes already got
completely trashed after being rooted through this hole, which is why I am
making this public right now.

I did not discover this bug, I only extrapolated from the small info I had:
'it has to do with capsuid' 'sendmail is vulnerable, crond is not'. Some
reading of the kernel source then suggested the above to me, which has been
confirmed by a more knowledgeable source.

Greetz, Peter.
--
[EMAIL PROTECTED] - Peter van Dijk [student:developer:madly in love]
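
The forwarded post describes a setuid program whose setuid() call fails to drop privileges and which then keeps running as root. The following is an added example, not code from the post, sendmail or the kernel: a privilege-drop routine that fails closed. The name drop_privileges and the demo main() are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently switch to uid/gid. Returns 0 only if the
 * drop is verified, -1 otherwise. The caller must treat -1 as fatal. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                  /* switching to root is not a drop */

    /* Order matters: groups and gid first, while we may still change them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* The call the post is about: without the needed privilege it can fail,
     * or change only the effective uid, so the result is always checked. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify the resulting ids instead of trusting return values alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If root can be regained (e.g. a saved uid of 0 remains), fail closed. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed demo: drop to the invoking user's own ids. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return EXIT_FAILURE;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return EXIT_SUCCESS;
}
```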