Bugtraq mailing list archives

Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities


From: ant9000 () NETWISE IT (Antonio Galea)
Date: Thu, 15 Jun 2000 17:26:17 +0200


On Sat, 10 Jun 2000, xdr wrote:

asmlinkage int new_sys_capset(cap_user_header_t header, cap_user_data_t dataptr)
{
        /* Only non-root callers are checked: current->uid is the real uid.
         * dataptr is the caller's user-space pointer and is dereferenced
         * here directly, without copy_from_user(). */
        if (current->uid && !cap_raised(dataptr->inheritable, CAP_SETUID)) {
                printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
                                  "UID: %d TASK: %.15s[%d].\n",
                                  current->uid, current->comm, current->pid);
                return (RETURN_EPERM ? -EPERM : -EFAULT);
        }
        /* otherwise hand the request to the original syscall */
        return orig_sys_capset(header, dataptr);
}

I've tested this code against smlnx (posted a few days ago by Wojciech
Purczynski): I got a suid shell and no logging was done.

Adding a check before the 'if' shows that the current uid is 0... has this
anything to do with the fact that capset is called within a shared library?

If I understand it correctly, the other exploits used the user uid... but then,
you have no choice but to remove the check on the uid altogether (or stop using
shared libraries :) like this:

asmlinkage int new_sys_capset(cap_user_header_t header,cap_user_data_t dataptr)
{
if(!cap_raised(...

More or less, this amounts to disabling the CAP feature ;-)

Regards,
        Ant9000

--
__________________________________________________________________________
Dr. Antonio Galea           N e t   W i s e          http://www.netwise.it
Sviluppo tecnico       Advanced Network Solutions      Tel/Fax 0461.421016
--------------------------------------------------------------------------
Unix _IS_ user friendly... It's just selective about who its friends are.
--------------------------------------------------------------------------
--


