Re: local root on linux 2.2.15
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Thu Jun 8 14:28:00 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <200006080930.LAA22557@cave.bitwizard.nl>
Date: Thu, 8 Jun 2000 11:30:15 +0200
Reply-To: Rogier Wolff <R.E.Wolff@BITWIZARD.NL>
From: Rogier Wolff <R.E.Wolff@BITWIZARD.NL>
X-To: Peter van Dijk <petervd@VUURWERK.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000608003814.A42233@vuurwerk.nl> from Peter van Dijk at "Jun 8, 2000 00:38:14 am"
Wojciech Purczynski (wp@elzabsoft.pl) found this and wrote a
proof-of-concept exploit. He discussed this with the appropriate
people to make sure fixes were available before he would release
the exploit and the story.
In the meantime, hints about this have leaked, and it seems someone
put all the hints together, and found out what was going on. By now a
fix is available for the Linux kernel, and the workaround in sendmail.
He'll post his story shortly, I expect.
Roger.
Peter van Dijk wrote:
> I do not have complete info right now, but here's the scoop:
> Local users can gain root through a _kernel_ bug in linux 2.2.15 and some
> earlier versions. This is fixed in 2.2.16pre6. Linux 2.0.x is not
> vulnerable, I do not know of any other vulnerable OSes.
>
> The bug is that it is somehow possible to exec sendmail without the
> CAP_SETUID priv, which makes the setuid() call that sendmail eventually
> does to drop privs, fail. Big chunks of code that were never meant to run
> as root then do run as root, which is of course easily exploitable then.
>
> This is just about all the info I have, I do not have the exploit but I
> know that some black hats do have it. A couple of boxes already got
> completely trashed after being rooted through this hole, which is why I am
> making this public right now.
>
> I did not discover this bug, I only extrapolated from the small info I had:
> 'it has to do with capsuid' 'sendmail is vulnerable, crond is not'. Some
> reading of the kernel source then suggested the above to me, which has been
> confirmed by a more knowledgeable source.
>
> Greetz, Peter.
> --
> petervd@vuurwerk.nl - Peter van Dijk [student:developer:madly in love]
--
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* Common sense is the collection of *
****** prejudices acquired by age eighteen. -- Albert Einstein ********
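The defensive lesson in the thread above is that a failed setuid() must be treated as fatal: sendmail's privilege drop silently failed when the kernel started it without CAP_SETUID, and code written for an unprivileged user ran as root. The following is an added example written for this page, not code from sendmail or from the Linux kernel. It assumes Linux with glibc (getresuid()/getresgid() need _GNU_SOURCE); the function names drop_privileges() and privileges_dropped() and the uid/gid 65534 target are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given unprivileged uid/gid and return 0 only when the change
 * has been verified.  A setuid() that fails (for example because the process
 * lacks CAP_SETUID, as in the 2.2.15 report) is reported as an error instead
 * of being ignored.  Hypothetical helper, not sendmail's or the kernel's code. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    /* "Dropping" to root is never a drop: refuse it outright. */
    if (uid == 0 || gid == 0) {
        fprintf(stderr, "drop_privileges: refusing uid/gid 0\n");
        return -1;
    }

    /* Supplementary groups and the gid go first: once the uid is no longer 0
     * the process can no longer change them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu): %s\n", (unsigned long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n", (unsigned long)uid, strerror(errno));
        return -1;
    }

    /* Do not trust the return value alone: read back all three ids and insist
     * that real, effective and saved ids all changed, so no saved root uid is
     * left behind for a later seteuid(0). */
    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != uid || euid != uid || suid != uid)
        return -1;
    if (rgid != gid || egid != gid || sgid != gid)
        return -1;
    return 0;
}

/* Return 1 when root can no longer be regained: the effective uid is not 0
 * and an attempt to become uid 0 is rejected with EPERM. */
int privileges_dropped(void)
{
    if (geteuid() == 0)
        return 0;
    errno = 0;
    if (setuid(0) == 0)
        return 0;               /* impossible if the drop was real */
    return errno == EPERM;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (uid == 0) {
        /* Constructed target: nobody/nogroup on most Linux systems. */
        uid = 65534;
        gid = 65534;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "could not drop privileges; refusing to continue as root\n");
        return 1;
    }
    printf("running as uid %lu gid %lu, root regainable: %s\n",
           (unsigned long)geteuid(), (unsigned long)getegid(),
           privileges_dropped() ? "no" : "yes");
    return 0;
}
```

Run as an ordinary user it drops to the caller's own ids and confirms root cannot be regained; run as root it drops to 65534. The point is the exit path: a daemon that cannot verify its drop should stop rather than keep running as root, which is exactly the situation the 2.2.15 bug created for sendmail.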