[21590] in bugtraq
Re: 2.4.x/Slackware Init script vulnerability
daemon@ATHENA.MIT.EDU (Derek Martin)
Tue Jul 17 18:32:41 2001
Date: Tue, 17 Jul 2001 16:32:07 -0400
From: Derek Martin <ddm@pizzashack.org>
To: josh@pulltheplug.com
Cc: bugtraq@securityfocus.com
Message-ID: <20010717163206.A976@pizzashack.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
protocol="application/pgp-signature"; boundary="W/nzBZO5zC0uMSeA"
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.33.0107160942220.11998-100000@shell.pulltheplug.com>; from josh@pulltheplug.com on Mon, Jul 16, 2001 at 09:53:01AM -0500
--W/nzBZO5zC0uMSeA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Mon, Jul 16, 2001 at 09:53:01AM -0500, josh@pulltheplug.com wrote:
> I posted this to the linux kernel mailing last Friday, July 13th 2001:
>
> Submitted by : Josh (josh@pulltheplug.com), lockdown
> (lockdown@lockeddown.net) on July 16th, 2001
> Vulnerability : /lib/modules/2.4.5/modules.dep
> Tested On : Slackware 8.0. 2.4.5
> Local : Yes
> Remote : No
> Temporary Fix : umask 022 at the top of all your startup scripts
> Target : root
> Big thanks to : slider, lamagra, zen-parse
> Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
> cryptix, s0ttle, xphantom, qtip, tirancy, Loki,
> falcon-networks.com.
>
> The 2.4.x kernels starting with 2.4.3 (i think) have, after
> load, left a umask of 0000. This forces any files created in the bootup
> scripts, without the command `umask 022` issued to be world writeable.
> In slackware, files include /var/run/utmp and /var/run/gpm.pid. This same
> vulnerability is responsible for creating /lib/modules/`uname -r`/modules.dep
> world writeable. With this file world writeable, all an intruder need do is
> put something like the following in /lib/modules/`uname -r`/modules.dep
> assuming the system's startup scripts modprobe lp:
I messed around with this on a Red Hat 6.2 system (with
modifications), by DELETING the existing
/lib/modules/`uname -r`/module* files and rebooting,
and got the following results:
[ddm@sol ddm]
$ modprobe -V
modprobe version 2.4.3
modprobe: Nothing to load ???
Specify at least a module or a wildcard like \*
[ddm@sol ddm]
$ uname -r
2.4.5
[ddm@sol ddm]
$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
[ddm@sol ddm]
$ ls -l /lib/modules/`uname -r`
total 44
lrwxrwxrwx 1 root root 20 Jun 30 09:17 build -> /usr/local/src/linux/
drwxrwxr-x 5 root root 1024 Jun 30 09:17 kernel/
-rw-rw-rw- 1 root root 6778 Jul 17 08:17 modules.dep
-rw-rw-rw- 1 root root 31 Jul 17 08:17 modules.generic_string
-rw-rw-rw- 1 root root 519 Jul 17 08:17 modules.isapnpmap
-rw-rw-rw- 1 root root 29 Jul 17 08:17 modules.parportmap
-rw-rw-rw- 1 root root 10683 Jul 17 08:17 modules.pcimap
-rw-rw-rw- 1 root root 18801 Jul 17 08:17 modules.usbmap
drwxrwxr-x 2 root root 1024 Jun 30 09:17 pcmcia/
drwxr-xr-x 2 root root 1024 Jun 30 09:37 video/
I also did the same thing on a Red Hat 7.1 system, with modutils 2.4.2
(as shipped by Red Hat), and linux 2.4.5 (pristine), and the modules.*
files were recreated with permissions 0644 upon reboot, so it seems
not to be limited to just Slackware, but also not a universal problem.
Since it did not happen on RH 7.1 with modutils 2.4.2, it may be that
the problem is actually in modutils 2.4.3 (and later, probably), and
not in earlier modutils. I think this is probably not really a kernel
issue, per se.
After finding these results on my RH 6.2 system, I changed the
permissions on the modules.* files from 0666 to 0644 and rebooted
again, and the 0644 permissions were retained when depmod -a ran from
/etc/rc.d/rc.sysinit (which makes sense).
I would think that modutils should set the creation mode to 0644 when
creating these files. I would also think that as a security measure,
modutils should verify that these files (or at least modules.dep) are
not world-writable (and probably also not group writable) BEFORE
loading modules as a result of listed dependencies... I'm not really
sure that the kernel itself should automatically set a restrictive
umask, as I would think it should be up to user-space programs to
decide that; but it probably doesn't matter much either way.
As a work-around for this problem (at least on Red Hat 6.2), you can
chmod the files manually (assuming they already exist with the wrong
permissions), and set the umask to 022 in /etc/rc.d/rc.sysinit. That
should be the only place you really need to set the umask. Or, if you
really want to make sure this is your system default (i.e. that all
start-up scripts run with this UMASK value), you should be able to set
the umask in /etc/initscript (I haven't tried it).
--
---------------------------------------------------
Derek Martin | Unix/Linux geek
ddm@pizzashack.org | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
--W/nzBZO5zC0uMSeA
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjtUoMMACgkQdjdlQoHP512DGgCeJe98u/6esCRuO7Zbdz8TM5IB
aNEAni7hcSTxF5FBOH0TELZHvh+ry55e
=D3Te
-----END PGP SIGNATURE-----
--W/nzBZO5zC0uMSeA--
