Bugtraq mailing list archives

Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)


From: Keith Owens <kaos () OCS COM AU>
Date: Mon, 13 Nov 2000 21:40:19 +1100

On Sun, 12 Nov 2000 22:46:53 +0100,
Michal Zalewski <lcamtuf () TPI PL> wrote:
> This vulnerability has been found by Sebastian Krahmer some time ago (he
> is posting an advisory right now). Stupid shell command execution within
> userspace kernel helper application, modprobe, is something you do not
> want to see. But it happened. I have no idea how it could be introduced in
> RH 7.0 systems and some other distros (like recent SuSE), but it was. Ugh.

Insert usual complaint about exploit being posted without contacting
maintainer first.

This bug was introduced to modutils on March 12 1999, it does not
affect modutils 2.1.121.  modprobe tries echo as the last-ditch file
expansion method, using popen.  There is no good reason to do that.

> NOTE: if this exploit fails, it does not have to mean your modprobe is
> secure; it might mean your system is equipped with, for example, old
> /bin/ping utility, instead of new iputils software. You should be aware
> that RedHat released some iputils updates, which apparently seems to
> "accidentally" fix this particular way to exploit it. But this utility is
> only an instrument used to exploit the bug. You can play with other setuid
> programs, /bin/ping6, privileged services etc. Be creative.

The invoking program does not have to be setuid.  It has to pass its
parameters directly into the kernel, the kernel must be compiled with
kmod and kmod must pass the parameter directly to modprobe.

> Well, two applications were upgraded and shipped in the manner which opens
> really huge root compromise possibility. Well done, RedHat :)

This time you cannot blame it on Redhat, the modprobe bug has been there
for quite a while.

Patch against modutils 2.3.19.

Index: 19.7/util/meta_expand.c
--- 19.7/util/meta_expand.c Sun, 10 Sep 2000 12:56:40 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644)
+++ 19.7(w)/util/meta_expand.c Mon, 13 Nov 2000 21:19:41 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644)
@@ -156,12 +156,8 @@ static int glob_it(char *pt, GLOB_LIST *
  */
 int meta_expand(char *pt, GLOB_LIST *g, char *base_dir, char *version)
 {
-       FILE *fin;
-       int len = 0;
-       char *line = NULL;
        char *p;
        char tmpline[PATH_MAX + 1];
-       char tmpcmd[PATH_MAX + 11];

        g->pathc = 0;
        g->pathv = NULL;
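
Review bot: The retained "char tmpline[PATH_MAX + 1]" at the top of meta_expand() needs a check of its remaining writers. The only writes to it visible in this patch are the removed sprintf(tmpline, "%s%s", ...) and strcat(tmpline, "\n"), neither of which limits the length of base_dir plus pt. If the part of the function not shown here fills tmpline the same way, switch those calls to snprintf with sizeof(tmpline) and fail on truncation. If nothing else uses tmpline, drop the declaration together with fin, len, line and tmpcmd.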
@@ -277,38 +273,6 @@ int meta_expand(char *pt, GLOB_LIST *g,
                /* Only "=" remaining, should be module options */
                split_line(g, pt, 0);
                return 0;
-       }
-
-       /*
-        * Last resort: Use "echo"
-        */
-       sprintf(tmpline, "%s%s", (base_dir ? base_dir : ""), pt);
-       sprintf(tmpcmd, "/bin/echo %s", tmpline);
-       if ((fin = popen(tmpcmd, "r")) == NULL) {
-               error("Can't execute: %s", tmpcmd);
-               return -1;
-       }
-       /* else */
-
-       /*
-        * Collect the result
-        */
-       while (fgets(tmpcmd, PATH_MAX, fin) != NULL) {
-               int l = strlen(tmpcmd);
-
-               line = (char *)xrealloc(line, len + l + 1);
-               line[len] = '\0';
-               strcat(line + len, tmpcmd);
-               len += l;
-       }
-       pclose(fin);
-
-       if (line) {
-               /* Ignore result if no expansion occurred */
-               strcat(tmpline, "\n");
-               if (strcmp(tmpline, line))
-                       split_line(g, line, 0);
-               free(line);
        }

        return 0;
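
Review bot: At the tail of meta_expand(), the path that used to reach the echo fallback now falls through to "return 0" without calling split_line(), which is the same return value as the successful "=" branch just above it. A configuration entry that relied on shell syntax in pt will therefore stop expanding with no diagnostic. Either report it there through error(), as the removed code did for a failed popen, or state in the function's header comment and in the user documentation that meta_expand() no longer performs any shell expansion, so the behaviour change is visible to people upgrading.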

