Bugtraq mailing list archives
local root on linux 2.2.15
From: petervd () VUURWERK NL (Peter van Dijk)
Date: Thu, 8 Jun 2000 00:38:14 +0200
I do not have complete info right now, but here's the scoop: Local users can gain root through a _kernel_ bug in linux 2.2.15 and some earlier versions. This is fixed in 2.2.16pre6. Linux 2.0.x is not vulnerable, I do not know of any other vulnerable OSes.

The bug is that it is somehow possible to exec sendmail without the CAP_SETUID priv, which makes the setuid() call that sendmail eventually does to drop privs fail. Big chunks of code that were never meant to run as root then do run as root, which is of course easily exploitable then.

This is just about all the info I have, I do not have the exploit but I know that some black hats do have it. A couple of boxes already got completely trashed after being rooted through this hole, which is why I am making this public right now.

I did not discover this bug, I only extrapolated from the small info I had: 'it has to do with capsuid' 'sendmail is vulnerable, crond is not'. Some reading of the kernel source then suggested the above to me, which has been confirmed by a more knowledgeable source.

Greetz, Peter.

--
petervd () vuurwerk nl - Peter van Dijk [student:developer:madly in love]
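The defensive lesson from the post, as an added example that is not part of Peter van Dijk's message or of sendmail's code: a privilege drop that treats a failing setuid() as fatal and then verifies the identity actually changed, instead of carrying on as root when the call fails. It assumes a POSIX system with setgid()/setuid(); the function and its name are this example's own.

```c
/* Robust privilege drop. The bug described above made setuid() fail in
 * a process that never checked it, so code meant to run unprivileged
 * kept running as root. The fix pattern: check every call, verify the
 * result, and refuse to continue if anything is off. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 0 only when the process now runs as target_uid/target_gid and
 * cannot regain root; returns -1 with errno set otherwise. The caller is
 * expected to exit on -1, never to "continue anyway". */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    /* Group first: once the uid is dropped, setgid() would be refused. */
    if (setgid(target_gid) != 0)
        return -1;
    /* This is the call that failed when CAP_SETUID was missing. */
    if (setuid(target_uid) != 0)
        return -1;

    /* Verify rather than trust: real and effective ids must match. */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid) {
        errno = EPERM;
        return -1;
    }
    /* If we dropped away from root, regaining it must now be impossible
     * (catches a lingering saved uid). */
    if (target_uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demo: drop to the invoking user's own ids. A no-op when the binary
     * is not setuid, but it exercises the same checks a daemon would. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return EXIT_FAILURE;    /* abort instead of running as root */
    }
    printf("running as uid %u, euid %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return EXIT_SUCCESS;
}
```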