Bugtraq mailing list archives
Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities
From: xdr () HERT ORG (xdr)
Date: Sat, 10 Jun 2000 00:50:46 +0200
Best thing to do would be to eradicate the problem specifically, rather than disabling the capset system call altogether. Linux 2.4.0 will make use of capabilities and will need this system call for some applications to function properly, afaik. Here is another loadable module that will attack the problem more specifically and log attempts to abuse this bug along with UID and task information.

--- SNIP ---
/*
 * Simple module to detect/prevent abuse of CAP_SETUID vulnerability.
 *
 * To use:
 *
 * amenophis(xdr)~% gcc -Wall -O2 -I/usr/src/linux/include -c cpdm.c
 * amenophis(xdr)~% su -c '/sbin/insmod cpdm.o'
 * Password:
 * Detect and prevent abuse of CAP_SETUID kernel bug: xdr () hert org
 * amenophis(xdr)~% ./cap/capset-test
 * Program attempting to possibly abuse CAP_SETUID bug: UID: 1000 TASK: capset-test[318].
 * capset returns (-1) errno (1 [Operation not permitted])
 *
 * $Id: cpdm.c,v 1.1 2000/06/10 22:00:09 xdr Exp $
 */

#define __KERNEL__
#define MODULE

#ifdef MODVERSIONS
#include <linux/modversions.h>
#endif
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/capability.h>
#include <linux/unistd.h>      /* __NR_capset */
#include <linux/errno.h>       /* EPERM, EFAULT */
#include <asm/uaccess.h>       /* copy_from_user */

/* 1: refuse with -EPERM, 0: refuse with -EFAULT */
#define RETURN_EPERM 1

extern void *sys_call_table[];

/* Saved pointer to the kernel's own sys_capset(), restored on unload. */
static asmlinkage int (*orig_sys_capset)(cap_user_header_t, cap_user_data_t);

asmlinkage int new_sys_capset(cap_user_header_t header, cap_user_data_t dataptr)
{
	struct __user_cap_data_struct data;

	/* dataptr is a user-space pointer: copy it in rather than dereferencing
	 * it directly, so a bad address from the caller fails cleanly. */
	if (copy_from_user(&data, dataptr, sizeof(data)))
		return -EFAULT;

	/* A non-root caller dropping CAP_SETUID from its inheritable set is the
	 * signature of the abuse: log who did it and refuse the call. */
	if (current->uid && !cap_raised(data.inheritable, CAP_SETUID)) {
		printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
		       "UID: %d TASK: %.15s[%d].\n",
		       current->uid, current->comm, current->pid);
		return (RETURN_EPERM ? -EPERM : -EFAULT);
	}

	return orig_sys_capset(header, dataptr);
}

int init_module(void)
{
	printk(KERN_INFO "Detect and prevent abuse of CAP_SETUID kernel bug: xdr () hert org\n");
	orig_sys_capset = sys_call_table[__NR_capset];
	sys_call_table[__NR_capset] = new_sys_capset;
	return 0;
}

void cleanup_module(void)
{
	sys_call_table[__NR_capset] = orig_sys_capset;
}
--- SNIP ---

On Thu, 8 Jun 2000, Kyle Sparger wrote:
> My first shot at Linux kernel hacking - were there any other tweaks to
> close this hole? ;)
>
> I don't know what all the consequences of this are, but the module below
> will disable the capset system call (which I think is necessary for the
> exploit). This is also my first shot at kernel hacking -- if I did
> something stupid, please educate rather than flame :)
>
> Note that I don't know what all uses the capabilities code, but I've been
> running this module on my system here for a few hours without consequence.
>
> Thanks,
>
> Kyle Sparger - Senior System Administrator
> Dialtone Internet - Extremely Fast Web Systems
> (954) 581-0097 - Voice
> (954) 581-7629 - Fax
> ksparger () dialtoneinternet net
> http://www.dialtoneinternet.net
Current thread:
- Sendmail 8.10.2, Linux 2.4.0 - capabilities Valdis Kletnieks (Jun 08)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Kyle Sparger (Jun 08)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities xdr (Jun 09)
- format bugs, in addition to the wuftpd bug Lamagra Argamal (Jun 24)
- Re: format bugs, in addition to the wuftpd bug H D Moore (Jun 26)
- iMesh 1.02 vulnerability Blue Panda (Jun 29)
- Re: format bugs, in addition to the wuftpd bug Jason Axley (Jun 29)
- Concerning the LDAP Enabled Netscape FTP Server Alfred Huger (Jun 27)
- Glftpd privpath bugs... +fix Raymond Dijkxhoorn (Jun 26)
- Re: Glftpd privpath bugs... +fix Scott (Jun 27)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Kyle Sparger (Jun 08)
- CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel Sergio Bruder (Jun 08)
- Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 Wojciech Purczynski (Jun 08)
- OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 09)