Hi
I think everyone would be interested to know when the problem occurs and how
to get rid of it.
PS: this reminds me of a discussion I had a while ago, when people were
arguing with me that there is no security advantage whatsoever in removing
module support; here is once again proof that security is a process, a
compromise, as good as it gets ...
----------------------------
Mihai RUSU
Disclaimer: Any views or opinions presented within this e-mail are solely
those of the author and do not necessarily represent those of any company,
unless otherwise specifically stated.
---------- Forwarded message ----------
Date: Wed, 19 Mar 2003 20:22:45 +0100 (CET)
From: Andrzej Szombierski <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: linux kmod/ptrace bug - details
Hello
There are many discussions (on slashdot for example) about the recent linux
ptrace (& kmod) bug. I'll try to clarify what this is all about.
It's a local root vulnerability. It's exploitable only if:
1. the kernel is built with modules and kernel module loader enabled
and
2. /proc/sys/kernel/modprobe contains the path to some valid executable
and
3. ptrace() calls are not blocked
These conditions are met on most standard linux distros.
Ok now how it works:
When a process requests a feature which is in a module, the kernel spawns
a child process, sets its euid and egid to 0 and calls execve("/sbin/modprobe")
The problem is that before the euid change the child process can be
attached to with ptrace(). Game over, the user can insert any code into a
process which will be run with the superuser privileges.
Solutions/workarounds:
- patch the kernel
or
- disable kmod/modules
or
- install a ptrace-blocking module
or
- set /proc/sys/kernel/modprobe to /any/bogus/file
A word about 2.5 kernels - these are not vulnerable because the kernel
thread spawning code has been rewritten so that the modprobe process is
spawned from keventd; it never runs with a non-root uid, so it can't be
ptraced by any non-root user.
Sample exploit here (ix86-only):
http://august.v-lo.krakow.pl/~anszom/km3.c
--
: Andrzej Szombierski : [EMAIL PROTECTED] : [EMAIL PROTECTED] :
: [EMAIL PROTECTED] ::: radio bez kitu <=> http://bezkitu.com :
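The three preconditions listed in the forwarded message can be audited from an unprivileged account. The C program below is an added example for this archive page; it is not part of the original post and it is not the km3.c exploit. It reads /proc/sys/kernel/modprobe, checks whether the named helper is an executable the kernel could execve() (which the /any/bogus/file workaround defeats), and checks whether ptrace() is permitted at all by forking a child that asks for PTRACE_TRACEME (what a ptrace-blocking module denies). It assumes a Linux host with the sysctl at that path and a trailing newline in its contents, and it performs no attach and no privilege change.

```c
/* kmod_ptrace_precheck.c: audit the three preconditions from the post.
 * Added example, not from the original post and not km3.c. Assumes Linux,
 * the sysctl at /proc/sys/kernel/modprobe, and a trailing newline in it. */
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MODPROBE_SYSCTL "/proc/sys/kernel/modprobe"

/* Condition 2: the sysctl text names an executable the kernel could
 * execve(). Takes the raw text so it can be checked without /proc.
 * Returns 1 when usable, 0 when empty, relative, or pointing at a bogus
 * file (the workaround from the post makes access() fail). */
int modprobe_helper_is_executable(const char *sysctl_text)
{
    char path[4096];
    size_t n;

    if (sysctl_text == NULL)
        return 0;
    n = strcspn(sysctl_text, "\n");      /* drop the kernel's trailing newline */
    if (n == 0 || n >= sizeof path)
        return 0;
    memcpy(path, sysctl_text, n);
    path[n] = '\0';
    if (path[0] != '/')
        return 0;                        /* the kernel execs an absolute path */
    return access(path, X_OK) == 0;
}

/* Condition 1 (kmod present): the sysctl file exists only with the kernel
 * module loader built in. Returns 1 and fills buf when it is readable. */
int read_modprobe_sysctl(const char *sysctl_path, char *buf, size_t buflen)
{
    FILE *f = fopen(sysctl_path, "r");
    if (f == NULL)
        return 0;
    if (fgets(buf, (int)buflen, f) == NULL)
        buf[0] = '\0';
    fclose(f);
    return 1;
}

/* Condition 3: may this user ptrace at all? A child requests to be traced;
 * a ptrace-blocking module (or a seccomp filter) makes the call fail.
 * Returns 1 allowed, 0 blocked, -1 on fork/wait error. */
int ptrace_is_allowed(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        long rc = ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        _exit(rc == 0 ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    char text[4096];
    int kmod = read_modprobe_sysctl(MODPROBE_SYSCTL, text, sizeof text);
    int helper = kmod && modprobe_helper_is_executable(text);
    int pt = ptrace_is_allowed();

    if (kmod)
        text[strcspn(text, "\n")] = '\0';
    printf("1. kmod sysctl present  : %s\n", kmod ? "yes" : "no");
    printf("2. modprobe helper execs: %s (%s)\n", helper ? "yes" : "no",
           kmod ? text : "n/a");
    printf("3. ptrace permitted     : %s\n",
           pt == 1 ? "yes" : pt == 0 ? "no" : "unknown");
    printf("%s\n", (kmod && helper && pt == 1)
           ? "all three preconditions from the post hold"
           : "at least one precondition is not met (a workaround is in effect)");
    return 0;
}
```

A "yes" on all three lines only says the preconditions from the post hold, not that the kernel still has the race: a patched 2.4 kernel keeps modules, a valid modprobe path and working ptrace. Use it to confirm that a chosen workaround (bogus modprobe path, ptrace blocker, no kmod) is actually in effect on a box you could not patch.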
--
To unsubscribe, send mail to
[EMAIL PROTECTED] with the subject 'unsubscribe rlug'.
RULES, archives and other information: http://www.lug.ro/mlist/