Re: 2.4.x/Slackware Init script vulnerability
daemon@ATHENA.MIT.EDU (Radu-Adrian Feurdean)
Thu Jul 19 12:44:13 2001
Date: Thu, 19 Jul 2001 10:37:28 +0200 (CEST)
From: Radu-Adrian Feurdean <raf@chez.com>
To: twiz - Perla Enrico <twi@boiate.it>
Cc: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.20.0107180041490.251-100000@twisterz.twz>
Message-ID: <Pine.LNX.4.21.0107191034060.8807-100000@WormHole.Intra.ZEHC.Net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 18 Jul 2001, twiz - Perla Enrico wrote:

> I've tested it on Slackware 7.0 with kernel 2.4.5:
> twisterz:~# uname -r
> 2.4.5
> twisterz:~#
>
> I've noticed that, while /var/run/utmp *is* world writable:
> twisterz:~# ls -l /var/run/utmp
> -rw-rw-rw- 1 root root 4608 Jul 17 02:27 /var/run/utmp
> twisterz:~#
> and also /var/run/gpm.pid is -rw-rw-rw-, *but* modules.dep isn't writable:
>
> twisterz:~# ls -l /lib/modules/`uname -r`/modules.dep
> -rw-r--r-- 1 root root 2688 Jul 16 19:36
> /lib/modules/2.4.5/modules.dep
> twisterz:~#
>
> So it can't be edited, and the exploit can't work 'cause you can't
> add/change lines to modules.dep.
> I'm going to download Slackware 8.0 and test on it, btw on slak 7.0 keep
> good the possibility of, as you said :

The modules.dep file is 0666 only when using the Slackware prepackaged
kernel. If you ever recompile and install your own kernel, the modules.dep file
is created by make modules_install, which runs with the umask of your shell
session, and it is not recreated at boot time unless you add new modules to
/lib/modules/`uname -r`/.

Radu-Adrian Feurdean
mailto: raf@chez.com
------------------------------------------------------------
Teamwork is essential - it allows you to blame someone else.
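An added audit script (not part of this thread or of Slackware) that checks the three files named above for the other-write bit and shows the mode a freshly created modules.dep gets under a given umask; it assumes a POSIX find with -perm and takes the kernel version from uname -r.

```shell
#!/bin/sh
# Added example, not from the original posts: audit the paths discussed
# in the thread for world-writable permissions and illustrate the umask
# point about "make modules_install".

# Report "world-writable", "ok" or "missing" for one path.
# find -perm -002 (POSIX) matches when the other-write bit is set;
# -prune keeps find from descending if the path is a directory.
perm_status() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    if [ -n "$(find "$f" -prune -perm -002 -print)" ]; then
        echo world-writable
    else
        echo ok
    fi
}

# Mode a file created with 0666 ends up with under umask $1 (octal string).
# This is what decides the permissions of a modules.dep written by
# make modules_install, since it inherits the shell's umask.
mode_under_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Walk the files named in the thread on the running system.
audit() {
    for f in /var/run/utmp /var/run/gpm.pid \
             "/lib/modules/$(uname -r)/modules.dep"; do
        printf '%-40s %s\n' "$f" "$(perm_status "$f")"
    done
    printf 'modules.dep created under umask 000 would be %s\n' \
        "$(mode_under_umask 000)"
    printf 'modules.dep created under umask 022 would be %s\n' \
        "$(mode_under_umask 022)"
}

audit
```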