[17639] in bugtraq
More modutils: It's probably worse.
daemon@ATHENA.MIT.EDU (Chris Evans)
Mon Nov 13 18:35:57 2000
Message-ID: <Pine.LNX.4.21.0011132040160.1699-100000@ferret.lmh.ox.ac.uk>
Date: Mon, 13 Nov 2000 21:01:23 +0000
Reply-To: Chris Evans <chris@SCARY.BEASTS.ORG>
From: Chris Evans <chris@SCARY.BEASTS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

I think this problem is worse than originally thought. As noted by Olaf:

---
It should be noted that older Linux distributions using e.g.
modutils-2.1.121 (which I'm looking at) should be safe: before
modprobe will do _anything_ it checks the name of the requested
module against /lib/modules/modules.dep and fails if the module's
not listed. Getting "; chmod +w ." listed as a module should be
sort of tricky.
---

Unfortunately, we can subvert modutils _before_ any validation of module
name gets run. If we make the first character of our proposed module a
'-', then it will be just like we passed an option to modprobe.

modprobe -C, to specify a config file other than /etc/modules.conf, would
be an interesting route to play with.

Oh dear. Looks like a kernel issue as well as a modutils issue. Also looks
like more distributions could be affected.

I'd normally hold off posting something like this, but I guarantee black
hats have already figured this out.

Cheers
Chris