Bugtraq mailing list archives
Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)
From: Olaf Kirch <okir () CALDERA DE>
Date: Mon, 13 Nov 2000 13:26:17 +0100
On Sun, Nov 12, 2000 at 10:46:53PM +0100, Michal Zalewski wrote:
> This vulnerability has been found by Sebastian Krahmer some time ago (he is posting an advisory right now).
This issue has been discussed as far back as 1996 or so on the linux-security list, when the module requester du jour was called kerneld. It should be noted that older Linux distributions using e.g. modutils-2.1.121 (which I'm looking at) should be safe: before modprobe will do _anything_ it checks the name of the requested module against /lib/modules/modules.dep and fails if the module's not listed. Getting "; chmod +w ." listed as a module should be sort of tricky. Of course, this still allowed you to load e.g. the ISO9660 file system driver by doing "ifconfig iso9660" as an ordinary user. But there was some sort of consensus that this shouldn't be considered a problem (if a module turns out to be buggy, remove it). One of those issues that can be argued to death... My main concern back then has been that all the protection against "bad" module names was in modprobe, and all it took to turn this into a serious hole was for someone to mess up modprobe (which they did now, apparently).
> only an instrument used to exploit the bug. You can play with other setuid programs, /bin/ping6, privileged services etc. Be creative.
Right. It should be noted that fixing the setuid case is probably not enough because you may have privileged services do things that ultimately trigger a kmod call. A good fix IMHO (suggested by Torsten Duwe) is to make the _kernel_ check the requested module to make sure that the name consists of alphanumerics, dash and underscore exclusively.

Oh yeah, and stop using system/popen in system applications. What does it take to drive this point home?

Olaf
--
Olaf Kirch          |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de   +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
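As an added illustration of the two defensive gates discussed in this thread (the modules.dep listing check of modutils-2.1.121 and the kernel-side character-class check Torsten Duwe suggested), here is example C that is not from the thread or from modutils; the 64-byte length bound and the modules.dep contents are constructed assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Kernel-side check suggested in the mail: a requested module name must
 * be non-empty, bounded, and made of [A-Za-z0-9_-] only, so ';', '/',
 * spaces and the like never reach modprobe. The 64 bound is assumed. */
int valid_module_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '-' && name[i] != '_')
            return 0;
    return 1;
}

/* modprobe-side check as described for modutils-2.1.121: the name must
 * be listed in modules.dep. Each line is "<path>.o: <deps>"; the module
 * name is the basename of <path> minus ".o". Dependencies don't count. */
int listed_in_modules_dep(const char *dep, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *line = dep, *end; line && *line; line = end ? end + 1 : NULL) {
        end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *colon = memchr(line, ':', len);
        if (!colon)
            continue;
        const char *base = colon;
        while (base > line && base[-1] != '/') base--;
        size_t blen = (size_t)(colon - base);
        if (blen > 2 && memcmp(base + blen - 2, ".o", 2) == 0)
            blen -= 2;
        if (blen == nlen && memcmp(base, name, blen) == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample modules.dep (not from the page). */
const char sample_dep[] =
    "/lib/modules/2.2.16/fs/isofs.o:\n"
    "/lib/modules/2.2.16/net/ipv6.o: /lib/modules/2.2.16/net/netlink.o\n";

/* Both gates must pass before anything is handed to modprobe. */
int request_allowed(const char *name)
{
    return valid_module_name(name) && listed_in_modules_dep(sample_dep, name);
}
```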
Current thread:
- RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Michal Zalewski (Nov 13)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Keith Owens (Nov 14)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Wichert Akkerman (Nov 14)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Michal Zalewski (Nov 16)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Olaf Kirch (Nov 14)
- Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) Keith Owens (Nov 14)