On Thu, 18 Oct 2001, Rafal Wojtczuk wrote: # In order for this flaw to be exploitable, /usr/bin/newgrp must be # setuid root and world-executable. Additionally, newgrp, when run with no # arguments, should not prompt for password. This # conditions are satisfied in case of most popular Linux distributions (but # not Openwall GNU/*/Linux). Well, there is a little of inaccuracy in the first sentence. This is a kernel flaw, NOT a bug in newgrp. Other suid programs can be used instead... Some distributions don't allow to export LD_* environment variables to suid binaries (glibc issue, I think). Thus the trick with LD_DEBUG does not work for them. Unfortunately, these distributions are still exploitable. Both of the preceeding paragraphs are demonstrated by the attached exploit, which is a modification of nergal's code. The same insert_hellcode program is needed. The only difference is that /bin/su is used instead of newgrp, the correct password is sent to su. Moreover, while su is waiting for the password, ptraced process can easily run any suid binary, without the need of fiddling with complex race conditions. # 2.4.12 kernel fixes both presented problems. The attached patches, # 2.2.19-deep-symlink.patch and 2.2.19-ptrace.patch, both blessed by Linus, # can be used to close the vulnerability in 2.2.19. The (updated) The patches can avoid my exploit too, of course. # rely on race-conditions. And finally, notice that under Owl LD_DEBUG is # ignored in case of suid binaries. The main conclusion of my posting is: having other versions of newgrp or ignoring LD_DEBUG is insufficient! Probably, ANY Linux distribution is vulnerable without the kernel patches! - M - PS: What about executing suid binary while some other process has our /proc/$$/mem opened for writing? Isn't there the same problem too? Unfortunately, I do not have enough time to investigate that.
This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 10:59:02 PDT