Bugtraq mailing list archives
Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities
From: ant9000 () NETWISE IT (Antonio Galea)
Date: Thu, 15 Jun 2000 17:26:17 +0200
On Sat, 10 Jun 2000, xdr wrote:
> asmlinkage int new_sys_capset(cap_user_header_t header,
>                               cap_user_data_t dataptr)
> {
>     if (current->uid && !cap_raised(dataptr->inheritable, CAP_SETUID)) {
>         printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
>                "UID: %d TASK: %.15s[%d].\n",
>                current->uid, current->comm, current->pid);
>         return (RETURN_EPERM ? -EPERM : -EFAULT);
>     }
>     return orig_sys_capset(header, dataptr);
> }
I've tested this code against smlnx (posted a few days ago by Wojciech Purczynski): I got a suid shell and no logging was done. Adding a check before the 'if' shows that the current uid is 0... has this anything to do with the fact that capset is called within a shared library? If I understand it correctly, the other exploits used the user uid... but then, you have no choice but to remove the check on the uid altogether (or stop using shared libraries :) like this:
asmlinkage int new_sys_capset(cap_user_header_t header,
                              cap_user_data_t dataptr)
{
    if (!cap_raised(...
More or less, this amounts to disabling the CAP feature ;-)

Regards,
Ant9000

-- 
__________________________________________________________________________
Dr. Antonio Galea           N e t W i s e              http://www.netwise.it
Technical development       Advanced Network Solutions  Tel/Fax 0461.421016
--------------------------------------------------------------------------
Unix _IS_ user friendly... It's just selective about who its friends are.
--------------------------------------------------------------------------
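The two predicates under discussion, xdr's original test and the uid-free variant Antonio describes, modelled in user space so the cases can be run side by side. This is an added example, not code from either post: `struct cap_data` and `struct caller` are assumed stand-ins for the struct behind `cap_user_data_t` and for the `task_struct` fields the hook reads, `CAP_SETUID` is bit 7 as in `<linux/capability.h>` on the 2.4 kernels in question, the `printk` becomes an `fprintf` to stderr, and the callers and capset requests are constructed, not captured from smlnx or any other exploit. The model does not explain why the exploit's capset arrives with uid 0; it only shows what each predicate does with such a call.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bit number and test macro as defined in <linux/capability.h>
 * for the 2.4 kernels under discussion; redefined here so the example builds
 * on any host without kernel headers. */
#define CAP_SETUID 7
#define cap_raised(set, flag) (((set) & (1u << (flag))) != 0)

/* Stand-ins (assumed names) for the user-space struct behind cap_user_data_t
 * and for the task_struct fields the hook reads. */
struct cap_data {
    uint32_t effective;
    uint32_t permitted;
    uint32_t inheritable;
};

struct caller {
    unsigned int uid;   /* current->uid, the real uid of the calling task */
    const char *comm;   /* current->comm */
    int pid;            /* current->pid */
};

/* Verdict of xdr's hook: 0 means pass through to the original sys_capset,
 * -EPERM means refuse. *logged is set when the KERN_ALERT line would fire.
 * The predicate is the one in the quoted module. */
int xdr_hook(const struct caller *c, const struct cap_data *d, int *logged)
{
    *logged = 0;
    if (c->uid && !cap_raised(d->inheritable, CAP_SETUID)) {
        *logged = 1;
        fprintf(stderr, "Program attempting to possibly abuse CAP_SETUID bug: "
                "UID: %u TASK: %.15s[%d].\n", c->uid, c->comm, c->pid);
        return -EPERM;
    }
    return 0;
}

/* The variant Antonio describes in words: the same test with the uid
 * condition removed, so the verdict no longer depends on who is calling. */
int nouid_hook(const struct caller *c, const struct cap_data *d, int *logged)
{
    (void)c;
    *logged = 0;
    if (!cap_raised(d->inheritable, CAP_SETUID)) {
        *logged = 1;
        return -EPERM;
    }
    return 0;
}

/* Constructed capset() requests and callers (not captured from any exploit).
 * DROP_SETUID is the abuse pattern: an inheritable set without CAP_SETUID.
 * KEEP_SETUID leaves CAP_SETUID raised in all three sets. */
const struct cap_data DROP_SETUID = { 0, 0, 0 };
const struct cap_data KEEP_SETUID = { 1u << CAP_SETUID, 1u << CAP_SETUID,
                                      1u << CAP_SETUID };
const struct caller UNPRIV = { 1000, "a.out", 4242 };
const struct caller ROOT   = { 0, "sendmail", 4243 };  /* uid already 0 when capset runs */

/* Helpers for the scenario table: return 1 when the hook refuses the call. */
int xdr_refuses(const struct caller *c, const struct cap_data *d)
{
    int logged;
    return xdr_hook(c, d, &logged) == -EPERM;
}

int nouid_refuses(const struct caller *c, const struct cap_data *d)
{
    int logged;
    return nouid_hook(c, d, &logged) == -EPERM;
}

int main(void)
{
    printf("caller   request      xdr  no-uid\n");
    printf("uid 1000 drop SETUID  %d    %d\n",
           xdr_refuses(&UNPRIV, &DROP_SETUID), nouid_refuses(&UNPRIV, &DROP_SETUID));
    printf("uid 0    drop SETUID  %d    %d\n",
           xdr_refuses(&ROOT, &DROP_SETUID), nouid_refuses(&ROOT, &DROP_SETUID));
    printf("uid 1000 keep SETUID  %d    %d\n",
           xdr_refuses(&UNPRIV, &KEEP_SETUID), nouid_refuses(&UNPRIV, &KEEP_SETUID));
    printf("uid 0    keep SETUID  %d    %d\n",
           xdr_refuses(&ROOT, &KEEP_SETUID), nouid_refuses(&ROOT, &KEEP_SETUID));
    return 0;
}
```

The second row is the case Antonio reports: a capset issued while the uid is already 0 passes xdr's check and produces no log line. Dropping the uid test catches it, but then any capset whose inheritable set lacks CAP_SETUID is refused regardless of caller, root's included, which is what "disabling the CAP feature" amounts to. One caveat for anyone turning the quoted fragment into a real module: `dataptr` is a pointer into the calling process's memory, so the real hook has to fetch the struct with `copy_from_user` before testing it rather than dereferencing `dataptr->inheritable` directly as the quoted code does.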