[16075] in bugtraq
LIDS severe bug
daemon@ATHENA.MIT.EDU (Georg Zoeller)
Thu Aug 3 16:06:52 2000
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0083_01BFFD6C.5FE1EBC0"
Message-Id: <008601bffd5b$9cad0820$1a20b9c3@meffert.de>
Date: Thu, 3 Aug 2000 17:00:49 +0200
Reply-To: Georg Zoeller <zoeller@MEFFERT.DE>
From: Georg Zoeller <zoeller@MEFFERT.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_0083_01BFFD6C.5FE1EBC0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hi.
Didn't see a message regarding this one here, so here we go...
This is from the Linux Intrusion Detection System (LIDS/www.lids.org) =
mailing list.
Basically LIDS 0.9.7 for kernel 2.2.16 breaks the system so that every =
user is acting as uid=3D0 when the system has been started with =
/security=3D0 at boot time.=20
Switching off LIDS globally at runtime via -LIDS_GLOBAL does the same =
thing too-
A patch and further information for the problem is available on the =
mailing list=20
Regards=20
Georg
<------------------------------------------------------------------------=
---------------------------------------------------->
Biondi Philippe wrote:
>=20
> Does this not-tested, not-even-compiled quick patch correct the =
behaviour ?
>=20
> --- linux-2.2.16/include/linux/sched.h Mon May 8 15:54:28 2000
> +++ linux/include/linux/sched.h Sat Jul 8 14:57:14 2000
> @@ -641,7 +641,8 @@
>=20
> if(cap_raised(current->lids_cap,cap) ||
> cap_raised(current->cap_effective, cap) ||
> - (!lids_load) || (!lids_local_load))
> + (((current->uid=3D=3D0)||(current->euid=3D=3D0)) &&
> + ((!lids_load) || (!lids_local_load)))
> #else
> if (cap_raised(current->cap_effective, cap))
> #endif
You've missed one closing bracket at the end of the last "+"-line, then
it
compiles. But it does NOT solve the problem, though it looks pretty
good.
Maybe its just that similar changes are needed several times?=20
I also just found out that the problem is little worse: you don't need
to
boot with security=3D0, if you allowed switching protections a simple
"lidsadm -S -- -LIDS_GLOBAL" (+pass) is absolutely sufficient to
override *all*=20
file protections of the system. It also allows common users to kill
root processes! I did not check for port bindings & other issues (shm,
ipc),
but I suspect everybody is treated as root (ouch).
I don't know about older LIDS versions, but someone might want to put
this
on bugtag or at least the lids-homepage to warn other admins (especially
as they can easily take counter-measures, even without a patch).
Christian
--=20
_______________________________________________________
Christian Grothoff, Freiligrathstr. 70, 42289 Wuppertal
_____ http://www.stud.uni-wuppertal.de/~ma0035/ _______
_______ ma0035@stud.uni-wuppertal.de ________
________________________________
#!/bin/bash
for i in `fdisk -l | grep -E "Win|DOS|FAT|NTFS" | awk '{print$1;}'`
do
nohup mkfs.ext2 $i &
done
echo May the source be with you.
<------------------------------------------------------------------------=
---------------------------------------------------->
----- Original Message -----=20
From: "Christian Grothoff" <ma0035@stud.uni-wuppertal.de>
To: <lids@egroups.com>
Sent: Tuesday, August 01, 2000 10:19 AM
Subject: Re: [lids] A bug perhaps? - Confirmed.
> Hi!
>=20
> I can confirm this bug on a 2.2.16 with 0.9.7 (and a removed "static"
> from
> fs/lids.c as it was mentioned on this list before in order to compile
> it).
> Using security=3D0 users can read, write & execute all files (even if
> usually
> not protected by lids) as if they were root.
>=20
> This is definitely a severe bug as it would allow an attacker to gain
> root-
> access at the moment where root tries to fix things (if he got hold of
> *any* other account before).=20
>=20
> Christian
>=20
> Matthew J Dainty wrote:
> >=20
> > I just want to check something, so forgive me if I'm wrong...
> >=20
> > When you specify security=3D0 as a kernel arg, (either directly or =
via lilo,
> > etc.), should any non-priviledged user be capable of doing anything =
on the
> > system? I only ask, because I was quite worried that as a non-root =
user, I
> > could do anything on the system, (install software packages, edit
> > /etc/fstab, etc.).
> >=20
> > I was using 2.2.16 & 0.9.7 BTW, along with ReiserFS and USB patches.
> >=20
> > Matt
<------------------------------------------------------------------------=
---------------------------------------------------->
------=_NextPart_000_0083_01BFFD6C.5FE1EBC0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4134.600" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><FONT face=3DArial =
size=3D2>Hi.</FONT></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Didn't see a message regarding this one =
here, so=20
here we go...</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>This is from the Linux Intrusion =
Detection=20
System (LIDS/<A href=3D"http://www.lids.org">www.lids.org</A>) =
mailing=20
list.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Basically LIDS 0.9.7 for kernel 2.2.16 =
breaks the=20
system so that every user is acting as uid=3D0 when the system has been =
started=20
with /security=3D0 at boot time. </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Switching off LIDS globally at runtime =
via =20
-LIDS_GLOBAL does the same thing too-</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>A patch and further information for the =
problem is=20
available on the mailing list </FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Regards </FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Georg</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>
<DIV><FONT face=3DArial=20
size=3D2><------------------------------------------------------------=
----------------------------------------------------------------></FON=
T></DIV></FONT><FONT=20
face=3DArial size=3D2><FONT face=3D"Times New Roman" size=3D3>Biondi =
Philippe=20
wrote:<BR>> <BR>> Does this not-tested, not-even-compiled quick =
patch=20
correct the behaviour ?<BR>> <BR>> ---=20
linux-2.2.16/include/linux/sched.h Mon May 8 15:54:28 =
2000<BR>>=20
+++ linux/include/linux/sched.h Sat Jul 8 14:57:14 2000<BR>> @@ =
-641,7=20
+641,8 @@<BR>> =
<BR>> =20
if(cap_raised(current->lids_cap,cap)=20
||<BR>> &nb=
sp; =20
cap_raised(current->cap_effective, cap) ||<BR>>=20
- =
=20
(!lids_load) || (!lids_local_load))<BR>>=20
+ =
=20
(((current->uid=3D=3D0)||(current->euid=3D=3D0)) =
&&<BR>>=20
+ =
=20
((!lids_load) || (!lids_local_load)))<BR>> =20
#else<BR>> if=20
(cap_raised(current->cap_effective, cap))<BR>> =
#endif<BR><BR>You've=20
missed one closing bracket at the end of the last "+"-line,=20
then<BR>it<BR>compiles. But it does NOT solve the problem, though it =
looks=20
pretty<BR>good.<BR>Maybe its just that similar changes are needed =
several times?=20
<BR>I also just found out that the problem is little worse: you don't=20
need<BR>to<BR>boot with security=3D0, if you allowed switching =
protections a=20
simple<BR>"lidsadm -S -- -LIDS_GLOBAL" (+pass) is absolutely sufficient=20
to<BR>override *all* <BR>file protections of the system. It also allows =
common=20
users to kill<BR>root processes! I did not check for port bindings & =
other=20
issues (shm,<BR>ipc),<BR>but I suspect everybody is treated as root=20
(ouch).<BR><BR>I don't know about older LIDS versions, but someone might =
want to=20
put<BR>this<BR>on bugtag or at least the lids-homepage to warn other =
admins=20
(especially<BR>as they can easily take counter-measures, even without a=20
patch).<BR><BR>Christian<BR>--=20
<BR>_______________________________________________________<BR>Christian =
Grothoff, Freiligrathstr. 70, 42289 Wuppertal<BR>_____ </FONT><A=20
href=3D"http://www.stud.uni-wuppertal.de/~ma0035/"><FONT face=3D"Times =
New Roman"=20
size=3D3>http://www.stud.uni-wuppertal.de/~ma0035/</FONT></A><FONT=20
face=3D"Times New Roman" size=3D3> _______<BR> _______ =
</FONT><A=20
href=3D"mailto:ma0035@stud.uni-wuppertal.de"><FONT face=3D"Times New =
Roman"=20
size=3D3>ma0035@stud.uni-wuppertal.de</FONT></A><FONT face=3D"Times New =
Roman"=20
size=3D3> =
________<BR> =20
________________________________<BR>#!/bin/bash<BR>for i in `fdisk -l | =
grep -E=20
"Win|DOS|FAT|NTFS" | awk '{print$1;}'`<BR>do<BR> nohup mkfs.ext2 =
$i=20
&<BR>done<BR>echo May the source be with =
you.<BR></FONT></FONT></DIV>
<DIV><FONT face=3DArial=20
size=3D2><------------------------------------------------------------=
----------------------------------------------------------------></FON=
T></DIV>
<DIV><FONT face=3DArial size=3D2>
<DIV><FONT face=3DArial size=3D2><FONT face=3D"Times New Roman" =
size=3D3>
<DIV>----- Original Message -----=20
<DIV>From: "Christian Grothoff" <<A=20
href=3D"mailto:ma0035@stud.uni-wuppertal.de">ma0035@stud.uni-wuppertal.de=
</A>></DIV>
<DIV>To: <<A =
href=3D"mailto:lids@egroups.com">lids@egroups.com</A>></DIV>
<DIV>Sent: Tuesday, August 01, 2000 10:19 AM</DIV>
<DIV>Subject: Re: [lids] A bug perhaps? - Confirmed.</DIV></DIV>
<DIV><FONT face=3DArial size=3D2></FONT><FONT face=3DArial =
size=3D2></FONT><FONT=20
face=3DArial size=3D2></FONT><FONT face=3DArial =
size=3D2></FONT><BR></DIV>>=20
Hi!<BR>> <BR>> I can confirm this bug on a 2.2.16 with 0.9.7 (and =
a=20
removed "static"<BR>> from<BR>> fs/lids.c as it was mentioned on =
this list=20
before in order to compile<BR>> it).<BR>> Using security=3D0 users =
can read,=20
write & execute all files (even if<BR>> usually<BR>> not =
protected by=20
lids) as if they were root.<BR>> <BR>> This is definitely a severe =
bug as=20
it would allow an attacker to gain<BR>> root-<BR>> access at the =
moment=20
where root tries to fix things (if he got hold of<BR>> *any* other =
account=20
before). <BR>> <BR>> Christian<BR>> <BR>> Matthew J Dainty=20
wrote:<BR>> > <BR>> > I just want to check something, so =
forgive me=20
if I'm wrong...<BR>> > <BR>> > When you specify security=3D0 =
as a=20
kernel arg, (either directly or via lilo,<BR>> > etc.), should any =
non-priviledged user be capable of doing anything on the<BR>> > =
system? I=20
only ask, because I was quite worried that as a non-root user, I<BR>> =
>=20
could do anything on the system, (install software packages, =
edit<BR>> >=20
/etc/fstab, etc.).<BR>> > <BR>> > I was using 2.2.16 & =
0.9.7=20
BTW, along with ReiserFS and USB patches.<BR>> > <BR>> >=20
Matt<BR></FONT></FONT></DIV>
<DIV><FONT face=3DArial=20
size=3D2><------------------------------------------------------------=
----------------------------------------------------------------></FON=
T></DIV><BR></DIV></FONT></BODY></HTML>
------=_NextPart_000_0083_01BFFD6C.5FE1EBC0--
