Bugtraq mailing list archives
RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)
From: Michal Zalewski <lcamtuf () TPI PL>
Date: Sun, 12 Nov 2000 22:46:53 +0100
Motto from the modprobe manpage: "BUGS: Naah..."

------------------------------------------------

This vulnerability has been found by Sebastian Krahmer some time ago (he is posting an advisory right now). Stupid shell command execution within a userspace kernel helper application, modprobe, is something you do not want to see. But it happened. I have no idea how it could be introduced in RH 7.0 systems and some other distros (like recent SuSE), but it was. Ugh.

Well, Sebastian believed this vulnerability is really difficult to exploit (at least in standard configurations). I had the same feeling about it. But, after being asked by Sebastian to do it, I've found some time and decided to investigate it more carefully. First of all, I've tried to find any way to exploit it in an RH 6.2 environment with "upgraded" modprobe. No success. Then, I've switched to a brand new, shiny RH 7.0 installation. And voila - nothing easier.

The attached exploit is somewhat hackish - abusing the new ping utility in this system to exploit the modprobe vulnerability. As slashes in the device name are rejected by modprobe and the environment is not preserved, this exploit works in a really weird way, operating on modprobe's pwd (/), making it world-writable for a second.

NOTE: if this exploit fails, it does not have to mean your modprobe is secure; it might mean your system is equipped with, for example, the old /bin/ping utility, instead of the new iputils software. You should be aware that RedHat released some iputils updates, which apparently seem to "accidentally" fix this particular way to exploit it. But this utility is only an instrument used to exploit the bug. You can play with other setuid programs, /bin/ping6, privileged services etc. Be creative.

Well, two applications were upgraded and shipped in a manner which opens a really huge root compromise possibility. Well done, RedHat :)

Greetings to Sebastian, of course, to Solar Designer, kil3r, Nises, Scott, Dave, Simple Nomad, Aleph One, #hax and all the people :)

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
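The bug class the post describes is a kernel helper that takes a module or device name the kernel hands it on behalf of an unprivileged process and feeds that name through the shell. The following C is an added illustration of that pattern and of the fix, written for this page; it is not modutils code and does not reproduce the attached exploit. The function names (vuln_build_cmd, modname_ok, safe_build_exec), the /sbin/insmod path and the sample names are assumptions made for the example. The point it makes beyond the text: rejecting only '/' (as the post says modprobe did) leaves every shell metacharacter available, so the fix is an allow-list plus exec without a shell and with a fixed environment.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Maximum module name length accepted by the hardened path (assumption). */
#define MODNAME_MAX 64

/* Vulnerable pattern: glue the kernel-supplied name onto a command line
 * that will be handed to system(). A name such as "foo;id" makes the
 * shell run "id" after insmod. Returns a heap string the caller frees;
 * the string is built but never executed in this example. */
char *vuln_build_cmd(const char *name)
{
    const char *prefix = "/sbin/insmod ";      /* path is an assumption */
    size_t n = strlen(prefix) + strlen(name) + 1;
    char *cmd = malloc(n);
    if (!cmd)
        return NULL;
    snprintf(cmd, n, "%s%s", prefix, name);
    return cmd;
}

/* Hardened check: allow-list instead of a '/' deny-list. Only letters,
 * digits, '_', '-' and '.', no leading '-' or '.' (no option parsing,
 * no "..") and a bounded length. Everything the shell cares about
 * (';', '|', '&', '`', '$', quotes, whitespace) is rejected by omission. */
int modname_ok(const char *name)
{
    if (!name || !*name)
        return 0;
    if (strlen(name) > MODNAME_MAX)
        return 0;
    if (name[0] == '-' || name[0] == '.')
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardened exec setup: no shell at all. Fills an argv/envp pair for
 * execve() with a fixed binary path and a fixed minimal environment,
 * so neither PATH nor IFS inherited from the caller matters.
 * Returns 0 on success, -1 if the name fails validation. argv needs
 * room for 3 pointers, envp for 2. */
int safe_build_exec(const char *name, char *argv[], char *envp[])
{
    static char path[] = "/sbin/insmod";        /* assumption */
    static char env_path[] = "PATH=/sbin:/bin";
    static char namebuf[MODNAME_MAX + 1];

    if (!modname_ok(name))
        return -1;
    strncpy(namebuf, name, MODNAME_MAX);
    namebuf[MODNAME_MAX] = '\0';
    argv[0] = path;
    argv[1] = namebuf;
    argv[2] = NULL;
    envp[0] = env_path;
    envp[1] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample names: one legitimate, one carrying a shell payload. */
    const char *names[] = { "ipv6", "foo;id" };
    for (size_t i = 0; i < 2; i++) {
        char *argv[3], *envp[2];
        char *cmd = vuln_build_cmd(names[i]);
        printf("name %-8s  system() would get: \"%s\"\n", names[i], cmd);
        printf("             allow-list: %s\n",
               safe_build_exec(names[i], argv, envp) == 0 ? "accepted" : "rejected");
        free(cmd);
    }
    return 0;
}
```

When run, the vulnerable builder happily returns "/sbin/insmod foo;id" for the second name while the allow-list rejects it; a real helper would then call execve(argv[0], argv, envp) only on the accepted path.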
Attachment: exploit
Current thread:
- RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Michal Zalewski (Nov 13)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Keith Owens (Nov 14)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Wichert Akkerman (Nov 14)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Michal Zalewski (Nov 16)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Olaf Kirch (Nov 14)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Keith Owens (Nov 14)