[17657] in bugtraq


Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise.

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Wed Nov 15 14:14:16 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0011131239310.31869-100000@dione.ids.pl>
Date:         Mon, 13 Nov 2000 12:44:34 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         Keith Owens <kaos@ocs.com.au>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <1841.974112019@ocs3.ocs-net>

On Mon, 13 Nov 2000, Keith Owens wrote:

> The invoking program does not have to be setuid.  It has to pass its
> parameters directly into the kernel, the kernel must be compiled with
> kmod and kmod must pass the parameter directly to modprobe.

net/core/dev.c, line 348:

#ifdef CONFIG_KMOD

void dev_load(const char *name)
{
        if(!dev_get(name) && capable(CAP_SYS_MODULE))
                request_module(name);
}

/* ...snip... */

It has to run at a privileged level (or have CAP_SYS_MODULE).

> This time you cannot blame on Redhat, the modprobe bug has been there
> for quite a while.

RedHat (and some other vendors) have not audited recently introduced
code. That's all I can say. Of course it's a modutils bug.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
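
Added example, not part of the original message or of the kernel source: a small auditing helper that reports whether a process holds CAP_SYS_MODULE in its effective set, which is the condition dev_load() tests with capable() before calling request_module(). The function name has_cap_sys_module is hypothetical, and the code assumes the "CapEff:" hex bitmask line found in /proc/<pid>/status on Linux.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit number of CAP_SYS_MODULE, from <linux/capability.h>. */
#define CAP_SYS_MODULE_BIT 16

/*
 * Hypothetical helper: given the text of a /proc/<pid>/status file,
 * report whether the effective capability mask ("CapEff:" line)
 * contains CAP_SYS_MODULE.
 * Returns 1 if set, 0 if clear, -1 if no parsable CapEff line exists.
 */
int has_cap_sys_module(const char *status_text)
{
    const char *p = status_text;

    while (p && *p) {                      /* p always sits at a line start */
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            unsigned long long mask;

            while (*v == ' ' || *v == '\t')
                v++;
            if (!isxdigit((unsigned char)*v))
                return -1;                 /* empty or malformed value */
            mask = strtoull(v, NULL, 16);
            return (int)((mask >> CAP_SYS_MODULE_BIT) & 1ULL);
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n;

    if (!f) { perror("/proc/self/status"); return 2; }
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    printf("CAP_SYS_MODULE effective: %d\n", has_cap_sys_module(buf));
    return 0;
}
```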
