Bugtraq mailing list archives

Re: local root on linux 2.2.15


From: wp () ELZABSOFT PL (Wojciech Purczynski)
Date: Thu, 15 Jun 2000 08:51:57 +0200


On Wed, 14 Jun 2000, Jeff Dafoe wrote:

=====
Note that checking the return value from setuid() is insufficient;
the setuid(getuid()) succeeds even when the process does not have
"appropriate privileges."
=====

I don't mean the bug in the kernel not setting the saved UID.

I mean that if a process has the CAP_SETUID bit cleared and its UID=EUID=0, it
is unable to change its UID and drop privileges. In this scenario the process
doesn't need to do setuid(0) after setuid(500) (like sendmail does) to
restore its privileges, which normally fails.

As an example we may look at procmail. If it is executed from sendmail as the
local-mailer with UID=EUID=0, it tries to do setreuid(500, -1) followed by
setuid(500). Both of these functions return -EPERM. Procmail ignores the
error value and continues running and forwarding our mail with root
privileges.

+--------------------------------------------------------------------+
| Wojciech Purczynski   wp () elzabsoft pl  http://www.elzabsoft.pl/~wp |
| GSM: +48604432981   Linux Administrator   SMS: wp-sms () elzabsoft pl |
+------ Public GnuPG Key:  http://www.elzabsoft.pl/~wp/gpg.asc ------+
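A privilege-dropping routine of the kind procmail needed, added here as an example (it is not procmail's, sendmail's or the thread's code): it checks every return value and then verifies the result with getuid()/geteuid() and an attempt to regain root, which covers both this message's point and the quoted one. The names drop_privileges and privileges_dropped are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper. Returns 1 if every ID now equals uid/gid and, for a
 * non-root target, root cannot be regained (saved set-user-ID dropped too). */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* must fail; if not, we are still root */
        return 0;
    return 1;
}

/* Hypothetical helper. Returns 0 on success, -1 on any failure with errno set,
 * so the caller can refuse to go on (procmail continued as root instead). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups needs CAP_SETGID; attempt it only with EUID 0. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)   /* group first: after setuid() this would fail */
        return -1;
    if (setuid(uid) != 0)   /* the call procmail ignored: EPERM without CAP_SETUID */
        return -1;
    /* setuid() returning 0 is not proof; check the IDs and try to regain root. */
    if (!privileges_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demo with the caller's own IDs; a mailer with EUID 0 would pass the
     * recipient's uid/gid from the passwd entry here instead. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("refusing to continue, privileges not dropped");
        return 1;
    }
    printf("now running as uid %u\n", (unsigned) getuid());
    return 0;
}
```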

