Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround

From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Fri, 14 Jul 2006 01:58:01 +0200 (CEST)
On Thu, 13 Jul 2006, Matthew Murphy wrote:


setting 750 on /etc/cron.* would stop this exploit

Incorrect.  Did you even try this on ONE vulnerable box?  The
vulnerability exists BECAUSE the kernel doesn't enforce directory
permissions when writing a core dump.


You cannot chdir to (or access a file within) a directory to which you
have no 'execute' permission.

Cores are dumped in the current working directory of a process. You cannot
make /etc/cron.* your working directory unless the aforementioned
permission is given to you.

The exploit works by doing a chdir to that directory as an user; if the
directory is not accessible, this will fail, and the core will be dumped
in elsewhere.

The vulnerability still probably can be exploited by other means (mail
subsystem? logrotate? etc), but that probably pretty much solves the crond
vector.


If your users actually have write permissions to /etc/cron.d, do the
world a favor and disconnect from the internet as soon as humanly
possible.


You seem to be confused. Most systems do have a+rx permissions to
/etc/cron.* directories, and that most certainly helps with that exploit.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: