Bugtraq mailing list archives

Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Mon, 13 Nov 2000 12:44:34 +0100

On Mon, 13 Nov 2000, Keith Owens wrote:

> The invoking program does not have to be setuid.  It has to pass its
> parameters directly into the kernel, the kernel must be compiled with
> kmod and kmod must pass the parameter directly to modprobe.

net/core/dev.c, line 348:

#ifdef CONFIG_KMOD

void dev_load(const char *name)
{
        if(!dev_get(name) && capable(CAP_SYS_MODULE))
                request_module(name);
}

/* ...snip... */

It has to run on a privileged level (or have CAP_SYS_MODULE).

> This time you cannot blame it on Redhat, the modprobe bug has been there
> for quite a while.

RedHat (and some other vendors) have not audited recently introduced
code. That's all I can say. Of course it's a modutils bug.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

