Bugtraq mailing list archives

Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5

From: wp () ELZABSOFT PL (Wojciech Purczynski)
Date: Fri, 9 Jun 2000 08:59:36 +0200


A few days ago while I was coding my kernel module I discovered a problem
with Linux capability model. My idea was to drop inheritable capability
set as non-root user and then execute some setuid-root program that would
be unable to drop its privileges.

I wrote two versions of proof-of-concept exploits. The day after, I
contacted linux and sendmail developers. They created patches that have
been available since yesterday. Procmail developers have been contacted,
as well, since procmail is also affected by this kernel bug.

Exploits are attached to this message.

-wp

+--------------------------------------------------------------------+
| Wojciech Purczynski   wp () elzabsoft pl  http://www.elzabsoft.pl/~wp |
| GSM: +48604432981   Linux Administrator   SMS: wp-sms () elzabsoft pl |
+------ Public GnuPG Key:  http://www.elzabsoft.pl/~wp/gpg.asc ------+

<HR NOSHADE>
<UL>
<LI>TEXT/PLAIN attachment: sendmail exploit
</UL>

<HR NOSHADE>
<UL>
<LI>TEXT/PLAIN attachment: sendmail & procmail exploit
</UL>

Current thread:

Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities, (continued)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Kyle Sparger (Jun 08)
  - Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities xdr (Jun 09)
  - format bugs, in addition to the wuftpd bug Lamagra Argamal (Jun 24)
    - Re: format bugs, in addition to the wuftpd bug H D Moore (Jun 26)
    - iMesh 1.02 vulnerability Blue Panda (Jun 29)
    - Re: format bugs, in addition to the wuftpd bug Jason Axley (Jun 29)
    - Concerning the LDAP Enabled Netscape FTP Server Alfred Huger (Jun 27)
  - Glftpd privpath bugs... +fix Raymond Dijkxhoorn (Jun 26)
    - Re: Glftpd privpath bugs... +fix Scott (Jun 27)
- CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel Sergio Bruder (Jun 08)
- Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 Wojciech Purczynski (Jun 08)
- OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 09)
  - Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)
    - Re: OpenSSH's UseLogin option allows remote access with root privilege. Phil Stracchino (Jun 10)
    - IBM WebSphere JSP showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 11)
    - Re: OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 12)
    - Using IP Filter to protect FW-1 4.0 (fwd) Darren Reed (Jun 12)
    - FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random FreeBSD Security Advisories (Jun 12)
    - RFPolicy for vulnerability disclosure rain forest puppy (Jun 12)
    - CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability Johannes Westerink (Jun 12)
    - SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit Moritz Jodeit (Jun 13)

(Thread continues...)