Bugtraq mailing list archives

Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities

From: lionel.cons () CERN CH (Lionel Cons)
Date: Fri, 16 Jun 2000 11:48:59 +0200


Antonio Galea writes:

On Sat, 10 Jun 2000, xdr wrote:

asmlinkage int new_sys_capset(cap_user_header_t header,cap_user_data_t dataptr)
{
if(current->uid && !cap_raised(dataptr->inheritable, CAP_SETUID)) {
 printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
                   "UID: %d TASK: %.15s[%d].\n",
                   current->uid, current->comm, current->pid);
 return (RETURN_EPERM ? -EPERM : -EFAULT);
}
return orig_sys_capset(header, dataptr);
}


I've tested this code against smlnx (posted a few days ago by Wojciech
Purczynski): I got a suid shell and no logging was done.


On this subject, we wrote our own kernel module to block this
bug. It's far less permissive but maybe we're just too paranoid...

You can get it from
        http://home.cern.ch/cons/capcheck

________________________________________________________
Lionel Cons        http://home.cern.ch/~cons
CERN               http://www.cern.ch

Acheson's Rule of the Bureaucracy:
        A memorandum is written not to inform the reader but to protect writer.

Current thread:

RFPolicy for vulnerability disclosure, (continued)
- - - RFPolicy for vulnerability disclosure rain forest puppy (Jun 12)
    - CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability Johannes Westerink (Jun 12)
    - SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit Moritz Jodeit (Jun 13)
    - Ethics ?? : Re: local root on linux 2.2.15 Gerrie (Jun 10)
  - CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH Andreas Hasenack (Jun 10)
- Trustix Security Advisory Oystein Viggen (Jun 09)
- Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Tom Yu (Jun 09)
  - Remote DOS in linux rpc.lockd mmurray () FSCINTERNET COM (Jun 08)
  - Re: Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Mike Friedman (Jun 09)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Antonio Galea (Jun 15)
  - Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Lionel Cons (Jun 16)
  - Call For Participation - Raid 2000 Herve Debar (Jun 16)
  - Veritas Volume Manager 3.0.x hole Dixie Flatline (Jun 16)
    - Re: Veritas Volume Manager 3.0.x hole Louis-Philippe Reid (Jun 16)
    - Perl Crypt::CBC concern Darryl Miles (Jun 17)
    - Re: Veritas Volume Manager 3.0.x hole Doug Hughes (Jun 18)
  - Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Solar Designer (Jun 17)