[637] in linux-security and linux-alert archive
[linux-security] Big hole in sys_modify_ldt
daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Wed Mar 20 15:25:47 1996
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
To: linux-security@tarsier.cv.nrao.edu
Date: Tue, 19 Mar 1996 21:38:56 +0100 (MET)
[mod: I thought this had been brought up on the list before, but I
didn't find it in my archive, so I'm just making sure. --okir]

Looks like the longest-living Linux security hole, probably serious
enough for a CERT advisory...

Almost all currently running Linux systems have a bug in the modify_ldt
system call, which doesn't do all necessary sanity checks. It allows
users to access all kernel memory, and there is an exploit program
which uses this to change UID of the parent process to 0. Not pretty.

The modify_ldt system call was introduced in 0.99pl11 (!) or so.
It is x86-specific (used by Wine) - Linux on non-x86 platforms
(Alpha, Sparc, m68k etc.) is not vulnerable.

Because this bug is very dangerous, and it affects so many systems,
I'm not sure if it is a good idea to post the exploit program here.
It has been posted to the linux-kernel development mailing list.

This bug has been fixed in 1.3.72. Either upgrade to this (or newer)
version, or copy the file arch/i386/kernel/ldt.c from 1.3.72 to your
current kernel source, rebuild and install the new kernel ASAP.

The patch is also available from the 1.2.13 patches WWW page:
http://trishul.sci.gu.edu.au/~tony/linux/patches.html

Credits should go to Morten Welinder <terra@diku.dk>, who reported
this bug on the linux-kernel list.

Marek
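A small check an administrator could run against the facts in the mail above, written here as an added example and not taken from the original post: it classifies a kernel from the strings `uname -m` and `uname -r` print, using the 1.3.72 fix version and the x86-only scope stated in the mail. The output labels, the version parsing, and the special handling of a 1.2.13 kernel that may carry the back-ported ldt.c are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the kernel tree.
# Classify a kernel against the modify_ldt advisory. Inputs are the machine
# type and kernel release as printed by `uname -m` and `uname -r`.
# The 1.3.72 fix, the x86-only scope and the 1.2.13 patch page come from
# the mail; the labels and parsing rules below are assumptions.
#
# Prints one of: not-affected, fixed, vulnerable, check-patch

ldt_status() {
    arch="$1"
    release="$2"

    # The mail states that non-x86 ports are not vulnerable.
    case "$arch" in
        i[3-9]86|x86*) ;;
        *) echo "not-affected"; return 0 ;;
    esac

    # Keep only the leading numeric a.b.c part: "1.3.72-pre1" -> "1.3.72"
    base="${release%%[!0-9.]*}"
    old_ifs="$IFS"; IFS=.; set -- $base; IFS="$old_ifs"
    major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"

    # 1.3.72 and anything newer carries the corrected arch/i386/kernel/ldt.c.
    if [ "$major" -gt 1 ] ||
       { [ "$major" -eq 1 ] && [ "$minor" -gt 3 ]; } ||
       { [ "$major" -eq 1 ] && [ "$minor" -eq 3 ] && [ "$patch" -ge 72 ]; }; then
        echo "fixed"; return 0
    fi

    # A 1.2.13 kernel may have had the back-ported ldt.c applied; the
    # version string cannot tell, so the admin has to inspect the source.
    if [ "$base" = "1.2.13" ]; then
        echo "check-patch"; return 0
    fi

    # Any other x86 kernel older than 1.3.72 still has the unchecked call.
    echo "vulnerable"
}

# Convenience wrapper: check the kernel this script is running on.
check_running_kernel() {
    ldt_status "$(uname -m)" "$(uname -r)"
}
```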