[1731] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: New hack against BSD,

daemon@ATHENA.MIT.EDU (ymotiwala@hss.hns.com)
Tue Apr 14 03:19:59 1998

Date: Tue, 14 Apr 1998 11:47:49 +0530 (IST)
From: ymotiwala@hss.hns.com
In-reply-to: <m0yOr0n-0010KtC@scintilla.darkwater.com>
To: linux-security@redhat.com
Cc: sinster@darkwater.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com


> Linux booted from LILO is not vulnerable, because bootable kernels must
> be specified ahead of time in /etc/lilo.conf, and I truly hope that no

Well, if not bootable kernel, lilo without any access restriction can run 
any program as init e.g 

	linux init=/bin/sh rw

will give you root shell.

Regards,
Yusuf

-----------------------------------------------------------------------
Yusuf Motiwala		Hughes Software Systems, 0124-346 666 ext. 2298
http://ulf.wep.net, 
http://yusuf.home.ml.org

On Mon, 13 Apr 1998 sinster@darkwater.com wrote:

> Date: Mon, 13 Apr 1998 14:43:33 -0700 (PDT)
> From: sinster@darkwater.com
> Reply-To: linux-security@redhat.com
> To: linux-security@redhat.com
> Cc: sinster@darkwater.com
> Subject: [linux-security] New hack against BSD, Linux is _mostly_ safe from it.
> Resent-Date: 14 Apr 1998 06:03:45 -0000
> Resent-From: linux-security@redhat.com
> Resent-cc: recipient list not shown: ;
> 
> My housemate has formalized a sortof new attack against unix-style
> operating systems.  He's a BSD fan, so that's where he developed the
> attack.  He asked me to check Linux, which I did.  It seems Linux is
> not vulnerable to it.  This attack is going out to BUGTRAQ tonight.
> 
> The attack isn't too serious because it requires physical access to
> the console, but it doesn't require anything like disassembling the
> machine.  It's just that you have to type into the boot prompt.
> 
> The basic attack is for an unprivileged user to copy the kernel or
> otherwise obtain a usable kernel, modify some system call to leverage 
> root access, and then to make that kernel boot.  The BSD bootloader
> allows the user to specify any arbitrary pathname to load, so this
> attack doesn't require a boot floppy, or boot CD-ROM, or anything else
> of the like.
> 
> Linux system has a publicly writable /etc/lilo.conf.  Linux booted from
> SILO _is_ vulnerable unless a boot password is specified in /etc/silo.conf,
> because SILO will otherwise allow the person at console to specify any
> arbitrary file from which to boot, just as the BSD bootloader does.  With
> the boot password specified in /etc/silo.conf, SILO will require the
> user at console to enter the boot password before loading an arbitrary
> file.
> 
> Someone who is more familiar with SILO than I should take a look at this
> to make sure that I'm right: my sparc isn't working these days, so I had
> to rely on reading the SILO source code to figure out the password
> workaround.
> 
> The specific hack that's being posted to BUGTRAQ is in the form of
> a gdb script that modifies an existing BSD kernel so that suser() always
> returns 0 (which indicates "Yes, he's a superuser" in the BSD kernel).
> Linux isn't susceptible to this specific attack because our suser()
> function is inlined.  Nevertheless, the attack could be modified so
> that it changes sys_chmod() to allow anyone to set the setuid flag.
> But luckily we're saved by our bootloaders.
> 
> I am not subscribed to linux-security (someone keeps unsubscribing
> me), so I have CC-ed myself on this message.  If a discussion develops,
> please leave me on the CC line so that I can listen in.
> 
> Thanks.
> 
> -- 
> Jon Paul Nollmann ne' Darren Senn                     sinster@darkwater.com
> Unsolicited commercial email will be archived at $1/byte/day.
> "Even a fool, when he holdeth his peace, is counted wise."   Proverbs 17:28
> 
> -- 
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
> 
> 

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post