Bugtraq mailing list archives

Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities


From: solar () FALSE COM (Solar Designer)
Date: Sun, 18 Jun 2000 03:18:26 +0400


Hello,

[ Disclaimer: I haven't tried any of the modules posted. ]

> if(current->uid && !cap_raised(dataptr->inheritable, CAP_SETUID)) {
>
> I've tested this code against smlnx (posted a few days ago by Wojciech
> Purczynski): I got a suid shell and no logging was done.

I am assuming you ran the exploit as a non-root user.

> Adding a check before the 'if' shows that the current uid is 0... has this
> anything to do with the fact that capset is called within a shared library?

No.

It is likely that your kernel was built with SMP support, but you've
compiled the module without -D__SMP__.  current is defined differently
for UP and SMP builds, so current->uid might have been referring to
something other than the UID, and it could have happened to be zero.

Just something to be aware of when doing hacks like this.

Signed,
Solar Designer
