Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.44L.0303192008160.30372-100000@kuku.eu.org>
Date: Wed, 19 Mar 2003 20:22:45 +0100 (CET)
From: Andrzej Szombierski <qq@...u.eu.org>
To: bugtraq@...urityfocus.com
Subject: linux kmod/ptrace bug - details
Hello

There are many discussions (on slashdot for example) on the recent linux 
ptrace (& kmod) bug. I'll try to clarify what this is all about.

It's a local root vulnerability. It's exploitable only if:
1. the kernel is built with modules and kernel module loader enabled
 and
2. /proc/sys/kernel/modprobe contains the path to some valid executable
 and
3. ptrace() calls are not blocked

These conditions are met on most standard linux distros.

OK, now how it works:
When a process requests a feature which is in a module, the kernel spawns
a child process, sets its euid and egid to 0 and calls execve("/sbin/modprobe").
The problem is that before the euid change the child process can be 
attached to with ptrace(). Game over, the user can insert any code into a 
process which will be run with the superuser privileges.

Solutions/workarounds:
- patch the kernel
 or
- disable kmod/modules
 or
- install a ptrace-blocking module
 or
- set /proc/sys/kernel/modprobe to /any/bogus/file

A word about 2.5 kernels - these are not vulnerable because the kernel 
thread spawning code has been rewritten so that the modprobe process is 
spawned from keventd; it never runs with a non-root uid, so it can't be 
ptraced by any non-root user.

Sample exploit here (ix86-only):
http://august.v-lo.krakow.pl/~anszom/km3.c

-- 
: Andrzej Szombierski : anszom@...o.krakow.pl : qq@...u.eu.org :
: anszom@...kitu.com ::: radio bez kitu <=> http://bezkitu.com :
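The post lists three conditions that must all hold for the bug to be exploitable and, as its fourth workaround, pointing /proc/sys/kernel/modprobe at a bogus file. The script below is an added example, not code from the post or its author: it evaluates those three conditions against paths passed in as arguments (so it can be exercised on a constructed temp tree rather than the live /proc), and applies the bogus-path workaround to whichever file it is given. Two assumptions are labelled in the comments: that a module-enabled kernel exposes /proc/modules, and that whether a ptrace-blocking module is loaded is supplied by the caller, since the post names no generic kernel knob for it.

```shell
#!/bin/sh
# Added example (not the author's code). Checks the three exploitability
# conditions from the post, parameterised by path so it runs offline.

# Condition 1: kernel built with module support.
# Assumption: such a kernel exposes <procdir>/modules.
kmod_enabled() {
    [ -e "$1/modules" ]
}

# Condition 2: the modprobe sysctl file names an existing executable.
modprobe_target_valid() {
    target=$(cat "$1" 2>/dev/null) || return 1
    [ -n "$target" ] && [ -x "$target" ]
}

# Condition 3 (inverted): ptrace blocked or not. Passed in as "yes"/"no"
# by the caller because loading a ptrace-blocking module is site-specific.
ptrace_blocked() {
    [ "$1" = "yes" ]
}

# Verdict: "exposed" only when all three of the post's conditions hold.
#   $1 = directory standing in for /proc
#   $2 = file standing in for /proc/sys/kernel/modprobe
#   $3 = "yes" if a ptrace blocker is in place, else "no"
assess() {
    if kmod_enabled "$1" && modprobe_target_valid "$2" && ! ptrace_blocked "$3"; then
        echo exposed
    else
        echo mitigated
    fi
}

# The post's fourth workaround: point the modprobe sysctl at a bogus file.
# On a live system the target would be /proc/sys/kernel/modprobe (as root).
neutralize_modprobe() {
    echo /any/bogus/file > "$1"
}

# Demo on a constructed tree in a temp dir; never touches the real /proc.
demo() {
    d=$(mktemp -d)
    touch "$d/modules"                      # constructed: modules "enabled"
    printf '%s\n' /bin/sh > "$d/modprobe"   # constructed: sysctl names a real binary
    before=$(assess "$d" "$d/modprobe" no)
    neutralize_modprobe "$d/modprobe"
    after=$(assess "$d" "$d/modprobe" no)
    rm -rf "$d"
    echo "before=$before after=$after"      # before=exposed after=mitigated
}

demo
```

Run it as-is to see the constructed case flip from exposed to mitigated; to audit a real 2.4 box, call `assess /proc /proc/sys/kernel/modprobe yes|no` instead of `demo`.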