Bugtraq mailing list archives
Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)
From: Keith Owens <kaos () OCS COM AU>
Date: Mon, 13 Nov 2000 21:40:19 +1100
On Sun, 12 Nov 2000 22:46:53 +0100, Michal Zalewski <lcamtuf () TPI PL> wrote:
This vulnerability has been found by Sebastian Krahmer some time ago (he is posting an advisory right now). Stupid shell command execution within userspace kernel helper application, modprobe, is something you do not want to see. But it happened. I have no idea how could it be introduced in RH 7.0 systems and some other distros (like recent SuSE), but it was. Ugh.
Insert usual complaint about exploit being posted without contacting maintainer first. This bug was introduced to modutils in March 12 1999, it does not affect modutils 2.1.121. modprobe tries echo as the last ditch file expansion method, using popen. There is no good reason to do that.
NOTE: if this exploit fails, it does not have to mean your modprobe is secure; it might mean your system is equipped with, for example, old /bin/ping utility, instead of new iputils software. You should be aware that RedHat released some iputils updates, which apparently seems to "accidentally" fix this particular way to exploit it. But this utility is only an instrument used to exploit the bug. You can play with other setuid programs, /bin/ping6, privledged services etc. Be creative.
The invoking program does not have to be setuid. It has to pass its parameters directly into the kernel, the kernel must be compiled with kmod and kmod must pass the parameter directly to modprobe.
Well, two applications were upgraded and shipped in the manner which opens really huge root compromise possibility. Well done, RedHat :)
This time you cannot blame on Redhat, the modprobe bug has been there for quite a while. Patch against modutils 2.3.19. Index: 19.7/util/meta_expand.c --- 19.7/util/meta_expand.c Sun, 10 Sep 2000 12:56:40 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644) +++ 19.7(w)/util/meta_expand.c Mon, 13 Nov 2000 21:19:41 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644) @@ -156,12 +156,8 @@ static int glob_it(char *pt, GLOB_LIST * */ int meta_expand(char *pt, GLOB_LIST *g, char *base_dir, char *version) { - FILE *fin; - int len = 0; - char *line = NULL; char *p; char tmpline[PATH_MAX + 1]; - char tmpcmd[PATH_MAX + 11]; g->pathc = 0; g->pathv = NULL; @@ -277,38 +273,6 @@ int meta_expand(char *pt, GLOB_LIST *g, /* Only "=" remaining, should be module options */ split_line(g, pt, 0); return 0; - } - - /* - * Last resort: Use "echo" - */ - sprintf(tmpline, "%s%s", (base_dir ? base_dir : ""), pt); - sprintf(tmpcmd, "/bin/echo %s", tmpline); - if ((fin = popen(tmpcmd, "r")) == NULL) { - error("Can't execute: %s", tmpcmd); - return -1; - } - /* else */ - - /* - * Collect the result - */ - while (fgets(tmpcmd, PATH_MAX, fin) != NULL) { - int l = strlen(tmpcmd); - - line = (char *)xrealloc(line, len + l + 1); - line[len] = '\0'; - strcat(line + len, tmpcmd); - len += l; - } - pclose(fin); - - if (line) { - /* Ignore result if no expansion occurred */ - strcat(tmpline, "\n"); - if (strcmp(tmpline, line)) - split_line(g, line, 0); - free(line); } return 0;
Current thread:
- RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Michal Zalewski (Nov 13)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Keith Owens (Nov 14)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Wichert Akkerman (Nov 14)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Michal Zalewski (Nov 16)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Olaf Kirch (Nov 14)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Keith Owens (Nov 14)