Bugtraq mailing list archives
Re: 2.4.x/Slackware Init script vulnerability
From: Derek Martin <ddm () pizzashack org>
Date: Tue, 17 Jul 2001 16:32:07 -0400
On Mon, Jul 16, 2001 at 09:53:01AM -0500, josh () pulltheplug com wrote:
I posted this to the linux kernel mailing last Friday, July 13th 2001: Submitted by : Josh (josh () pulltheplug com), lockdown (lockdown () lockeddown net) on July 16th, 2001 Vulnerability : /lib/modules/2.4.5/modules.dep Tested On : Slackware 8.0. 2.4.5 Local : Yes Remote : No Temporary Fix : umask 022 at the top of all your startup scripts Target : root Big thanks to : slider, lamagra, zen-parse Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it, cryptix, s0ttle, xphantom, qtip, tirancy, Loki, falcon-networks.com. The 2.4.x kernels starting with 2.4.3 (i think) have, after load, left a umask of 0000. This forces any files created in the bootup scripts, without the command `umask 022` issued to be world writeable. In slackware, files include /var/run/utmp and /var/run/gpm.pid. This same vulnerability is responsible for creating /lib/modules/`uname -r`/modules.dep world writeable. With this file world writeable, all an intruder need do is put something like the following in /lib/modules/`uname -r`/modules.dep assuming the system's startup scripts modprobe lp:
I messed around with this on a Red Hat 6.2 system (with modifications), by DELETING the existing /lib/modules/`uname -r`/module* files and rebooting, and got the following results: [ddm@sol ddm] $ modprobe -V modprobe version 2.4.3 modprobe: Nothing to load ??? Specify at least a module or a wildcard like \* [ddm@sol ddm] $ uname -r 2.4.5 [ddm@sol ddm] $ cat /etc/redhat-release Red Hat Linux release 6.2 (Zoot) [ddm@sol ddm] $ ls -l /lib/modules/`uname -r` total 44 lrwxrwxrwx 1 root root 20 Jun 30 09:17 build -> /usr/local/src/linux/ drwxrwxr-x 5 root root 1024 Jun 30 09:17 kernel/ -rw-rw-rw- 1 root root 6778 Jul 17 08:17 modules.dep -rw-rw-rw- 1 root root 31 Jul 17 08:17 modules.generic_string -rw-rw-rw- 1 root root 519 Jul 17 08:17 modules.isapnpmap -rw-rw-rw- 1 root root 29 Jul 17 08:17 modules.parportmap -rw-rw-rw- 1 root root 10683 Jul 17 08:17 modules.pcimap -rw-rw-rw- 1 root root 18801 Jul 17 08:17 modules.usbmap drwxrwxr-x 2 root root 1024 Jun 30 09:17 pcmcia/ drwxr-xr-x 2 root root 1024 Jun 30 09:37 video/ I also did the same thing on a Red Hat 7.1 system, with modutils 2.4.2 (as shipped by Red Hat), and linux 2.4.5 (pristine), and the modules.* files were recreated with permissions 0644 upon reboot, so it seems not to be limited to just Slackware, but also not a universal problem. Since it did not happen on RH 7.1 with modutils 2.4.2, it may be that the problem is actually in modutils 2.4.3 (and later, probably), and not in earlier modutils. I think this is probably not really a kernel issue, per se. After finding these results on my RH 6.2 system, I changed the permissions on the modules.* files from 0666 to 0644 and rebooted again, and the 0644 permissions were retained when depmod -a ran from /etc/rc.d/rc.sysinit (which makes sense). I would think that modutils should set the creation mode to 0644 when creating these files. I would also think that as a security measure, modutils should verify that these files (or at least modules.dep) are not world-writable (and probably also not group writable) BEFORE loading modules as a result of listed dependencies... I'm not really sure that the kernel itself should automatically set a restrictive umask, as I would think it should be up to user-space programs to decide that; but it probably doesn't matter much either way. As a work-around for this problem (at least on Red Hat 6.2), you can chmod the files manually (assuming they already exist with the wrong permissions), and set the umask to 022 in /etc/rc.d/rc.sysinit. That should be the only place you really need to set the umask. Or, if you really want to make sure this is your system default (i.e. that all start-up scripts run with this UMASK value), you should be able to set the umask in /etc/initscript (I haven't tried it). -- --------------------------------------------------- Derek Martin | Unix/Linux geek ddm () pizzashack org | GnuPG Key ID: 0x81CFE75D Retrieve my public key at http://pgp.mit.edu
Attachment:
_bin
Description:
Current thread:
- Happy 3 month anniversary cfingerd remote bug! zen-parse (Jul 11)
- 2.4.x/Slackware Init script vulnerability josh (Jul 16)
- Re: 2.4.x/Slackware Init script vulnerability Derek Martin (Jul 17)
- Re: 2.4.x/Slackware Init script vulnerability Keith Owens (Jul 18)
- secure software philosophy (was Re: 2.4.x/Slackware Init script vulnerability) Derek Martin (Jul 18)
- Re: 2.4.x/Slackware Init script vulnerability Derek Martin (Jul 17)
- Re: 2.4.x/Slackware Init script vulnerability twiz - Perla Enrico (Jul 18)
- Re: 2.4.x/Slackware Init script vulnerability Radu-Adrian Feurdean (Jul 19)
- Re: 2.4.x/Slackware Init script vulnerability twiz - Perla Enrico (Jul 19)
- RE: 2.4.x/Slackware Init script vulnerability Jeev (Jul 19)
- 2.4.x/Slackware Init script vulnerability josh (Jul 16)