Full Disclosure mailing list archives
RE: Linux kernel source archive vulnerable
From: "Airey, John" <John.Airey () rnib org uk>
Date: Fri, 8 Sep 2006 13:33:02 +0100
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Hadmut Danisch
Sent: 07 September 2006 19:23
To: full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: [Full-disclosure] Linux kernel source archive vulnerable

Hi,

there's a severe vulnerability in the Linux kernel source code archives:

The Linux kernel is distributed as tar archives in the form of linux-2.6.17.11.tar.bz2 from kernel.org. It is usually unpacked, configured and compiled under /usr/src. Since installing a new kernel requires root privileges, this is usually done as root.

When unpacking such an archive, tar also sets the uid, gid, and file permissions given in the tar archive. Unfortunately, plenty of files and directories in that archive are world writable. E.g. in the 2.6.17.11 archive, there are 1201 world writable directories and 19554 world writable files.

This opens the door for at least three kinds of attacks:

1. Whoever manages to exploit any server (e.g. PHP on a webserver) has world writable directories at a well defined place, perfect to hide any malware, bot, rootkit,...

2. Any user or intruder can modify the kernel source and thus compromise the kernel to be compiled.

3. Any user or intruder could modify the build or installation system/Makefiles in order to have any kind of malware executed by root the next time a kernel is built or installed, or any other kernel module making use of the kernel tree.

Solution: Ensure that the file ownership and permissions are set properly before distributing the tar archive.

The even simpler solution is to never build the Linux kernel on any machine that is publicly accessible in any way, nor have a compiler on that system. In fact, ensure that system runs with the minimum amount of software necessary to provide that service. You can achieve this easily with Linux, but it is not easy with Windows.

--
John Airey, BSc (Jt Hons), CNE, RHCE
Internet systems support officer, Information & Knowledge Systems
Royal National Institute of the Blind, Bakewell Road, Peterborough, PE2 6XU
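
An added example, not part of the original thread: a way to check a source tarball for the world-writable entries described in the quoted report, and to repack it with sane modes and ownership before distribution. The function names, the sample tree and its uid/gid values are constructed for illustration.

```python
import io
import stat
import tarfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # group/other write bits (0o022)

def build_sample_archive() -> bytes:
    """Constructed sample: a tiny tree carrying the loose modes the post describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, data in [
            ("linux-sample", 0o777, None),               # world-writable directory
            ("linux-sample/Makefile", 0o666, b"all:\n"),  # world-writable file
            ("linux-sample/README", 0o644, b"sample\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid = mode, 1046, 101  # constructed ids
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit(archive: bytes) -> dict:
    """Count world-writable directories and files from headers only, no extraction."""
    counts = {"dirs": 0, "files": 0}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar:
            if m.issym() or not m.mode & stat.S_IWOTH:
                continue  # symlink modes are not meaningful on Linux
            counts["dirs" if m.isdir() else "files"] += 1
    return counts

def normalize(archive: bytes) -> bytes:
    """Repack with group/other write bits cleared and ownership set to root (0:0)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive)) as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for m in src:
            m.mode &= ~LOOSE
            m.uid = m.gid = 0
            m.uname = m.gname = "root"
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out.getvalue()
```

On the unpacking side, GNU tar run as root restores archived owners and modes by default; `--no-same-owner --no-same-permissions` makes it use the extracting user's ownership and umask instead.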