Bugtraq mailing list archives

Re: Linux kernel sysctl() vulnerability

From: Stephen White <swhite () OX COMPSOC NET>
Date: Sun, 11 Feb 2001 12:02:32 +0000

On Sat, Feb, 2001, Florian Weimer wrote:

Chris Evans <chris () SCARY BEASTS ORG> writes:

There exists a Linux system call sysctl() which is used to query and
modify runtime system settings. Unprivileged users are permitted to query
the value of many of these settings.


The following trivial patch should fix this issue. (I wonder how you
can audit code for such vulnerabilities.  It's probably much easier to
rewrite it in Ada. ;-)


The attached kernel module should sanitise input to the sysctl sycall to
prevent the problem without forcing a kernel recompile or upgrade.  I
assume the vulnerability can't be exploited via the /proc sysctl
interface.

Unfortunately the module does nothing for the ptrace race condition,
though a module to disable ptrace would be trivial it would disable
strace and some features of gdb and so on.

--
Stephen White              \    OU Compsoc System Administration Team
PGP Key ID: 0xC79E5B6A      \      System Administration Co-ordinator
<swhite () ox compsoc net>      \         http://ox.compsoc.net/~swhite/

Attachment: sysctl_fix.c
Description:

Current thread:

Linux kernel sysctl() vulnerability Chris Evans (Feb 10)
- Re: Linux kernel sysctl() vulnerability Florian Weimer (Feb 10)
  - Re: Linux kernel sysctl() vulnerability Ryan W. Maple (Feb 10)
  - Re: Linux kernel sysctl() vulnerability Aleksander Kamil Modzelewski (Feb 10)
  - Re: Linux kernel sysctl() vulnerability Greg KH (Feb 10)
    - Re: Linux kernel sysctl() vulnerability Joost Pol2 (Feb 12)
  - Re: Linux kernel sysctl() vulnerability Stephen White (Feb 12)