[15235] in bugtraq


local root on linux 2.2.15

daemon@ATHENA.MIT.EDU (Peter van Dijk)
Thu Jun 8 02:56:45 2000

Mail-Followup-To: bugtraq@securityfocus.com
Message-Id:  <20000608003814.A42233@vuurwerk.nl>
Date:         Thu, 8 Jun 2000 00:38:14 +0200
Reply-To: Peter van Dijk <petervd@VUURWERK.NL>
From: Peter van Dijk <petervd@VUURWERK.NL>
To: BUGTRAQ@SECURITYFOCUS.COM


I do not have complete info right now, but here's the scoop:
Local users can gain root through a _kernel_ bug in Linux 2.2.15 and some
earlier versions. This is fixed in 2.2.16pre6. Linux 2.0.x is not
vulnerable; I do not know of any other vulnerable OSes.

The bug is that it is somehow possible to exec sendmail without the
CAP_SETUID priv, which makes the setuid() call that sendmail eventually
does to drop privs fail. Big chunks of code that were never meant to run
as root then do run as root, which is of course easily exploitable then.

This is just about all the info I have; I do not have the exploit, but I
know that some black hats do have it. A couple of boxes already got
completely trashed after being rooted through this hole, which is why I am
making this public right now.

I did not discover this bug; I only extrapolated from the small info I had:
'it has to do with capsuid', 'sendmail is vulnerable, crond is not'. Some
reading of the kernel source then suggested the above to me, which has been
confirmed by a more knowledgeable source.

Greetz, Peter.
--
petervd@vuurwerk.nl - Peter van Dijk [student:developer:madly in love]

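The failure mode the advisory describes is a privilege drop whose setuid() call fails (here because CAP_SETUID was missing) while the program carries on with euid 0. The routine below is an added example, not code from the advisory or from sendmail, showing the defensive pattern: treat a failed setuid()/setgid() as fatal, then verify the new identity and that root cannot be regained. Function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid and confirm the drop took effect.
 * Returns 0 on success, -1 on failure with errno set by the failing call.
 * A caller must treat -1 as fatal: continuing after a failed setuid()
 * means running the rest of the program as root, which is exactly the
 * situation the 2.2.15 capability bug produced in sendmail. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear supplementary groups while we still have the privilege to
     * do so; only a root process needs (and is allowed) to do this. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Order matters: change gid before uid, or setgid() will fail later. */
    if (setgid(gid) != 0)
        return -1;
    /* This is the call that fails when CAP_SETUID is absent. */
    if (setuid(uid) != 0)
        return -1;

    /* Never trust the return value alone: re-read the identity. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* A permanent drop must make regaining root impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demonstration target: the real uid/gid of the invoking user. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;   /* refuse to continue with the wrong identity */
    }
    printf("running as uid=%u gid=%u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```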
