Full Disclosure mailing list archives

RE: Linux kernel source archive vulnerable


From: "Airey, John" <John.Airey () rnib org uk>
Date: Fri, 8 Sep 2006 13:33:02 +0100

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk 
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
Of Hadmut Danisch
Sent: 07 September 2006 19:23
To: full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: [Full-disclosure] Linux kernel source archive vulnerable

Hi,

there's a severe vulnerability in the Linux kernel source code archives:


The Linux kernel is distributed as tar archives in the form of
linux-2.6.17.11.tar.bz2 from kernel.org. It is usually unpacked,
configured and compiled under /usr/src. Since installing a new
kernel requires root privileges, this is usually done as root.

When unpacking such an archive, tar also sets the uid, gid, and
file permissions given in the tar archive. Unfortunately, plenty
of files and directories in that archive are world writable. E.g. in the
2.6.17.11 archive, there are 1201 world writable directories and
19554 world writable files.

This opens the door for at least three kinds of attacks:


1. Whoever manages to exploit any server (e.g. PHP on a webserver) has
   world writable directories at a well defined place, perfect to hide
   any malware, bot, rootkit,...

2. Any user or intruder can modify the kernel source and thus compromise
   the kernel to be compiled.

3. Any user or intruder could modify the build or installation
   system/Makefiles in order to have any kind of malware executed by
   root the next time a kernel is built or installed, or any other
   kernel module making use of the kernel tree.


Solution: Ensure that the file ownership and permissions are set
properly before distributing the tar archive.


The even simpler solution is to never build the Linux kernel on any
machine that is publicly accessible in any way, nor have a compiler
on that system. In fact, ensure that system runs with the minimum
amount of software necessary to provide that service. You can achieve
this easily with Linux, but it is not easy with Windows.

- -- 
John Airey, BSc (Jt Hons), CNE, RHCE
Internet systems support officer, Information & Knowledge Systems 
Royal National Institute of the Blind, Bakewell Road, Peterborough,
PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
John.Airey () rnib org uk 

On April 23rd 2006 I completed the London Marathon in 4:26:22, about
an hour slower than my target. On July 10th 2006 I rode 177km of the
191km Etape du Tour from Gap to Alpe D'Huez. On October 1st 2006 I'll
be running in the Great North Run. I hope to raise £2000 for RNIB
through all these events. You can sponsor me online at
http://justgiving.com/rnibetape. 
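As an added example (not part of either post above): a shell script that builds a small constructed archive carrying the 0777/0666 modes Hadmut describes, shows that `tar -p` (the default when root extracts) applies them verbatim, and that `--no-same-permissions` under umask 022 strips the group/other write bits; `count_world_writable` is the check a sysadmin would run over an unpacked tree under /usr/src. The file names inside the archive are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the permission problem
# on a constructed archive, then show the check and the safe extraction.
set -eu

# Count world-writable files and directories below a tree. Run this over
# /usr/src/linux-* after unpacking a kernel tarball as root.
count_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# Build a constructed archive whose members carry mode 0777 (directories)
# and 0666 (files), mimicking the kernel tarball described in the thread.
make_bad_archive() {
    work=$(mktemp -d)
    mkdir -p "$work/src/linux-x.y.z/kernel"
    : > "$work/src/linux-x.y.z/Makefile"
    : > "$work/src/linux-x.y.z/kernel/sched.c"
    chmod 0777 "$work/src/linux-x.y.z" "$work/src/linux-x.y.z/kernel"
    chmod 0666 "$work/src/linux-x.y.z/Makefile" "$work/src/linux-x.y.z/kernel/sched.c"
    tar -C "$work/src" -cf "$work/bad.tar" linux-x.y.z
    echo "$work/bad.tar"
}

# Extract with --same-permissions (-p), which is tar's default when run as
# root: the modes stored in the archive are applied and the umask is ignored.
extract_preserving() {
    dest=$(mktemp -d)
    tar -C "$dest" -xpf "$1"
    echo "$dest"
}

# Extract with --no-same-permissions: the umask is applied to every member,
# so group/other write bits are dropped regardless of what the archive says.
extract_with_umask() {
    dest=$(mktemp -d)
    ( umask 022 && tar -C "$dest" --no-same-permissions -xf "$1" )
    echo "$dest"
}

archive=$(make_bad_archive)
bad=$(extract_preserving "$archive")
good=$(extract_with_umask "$archive")
echo "preserved modes:  $(count_world_writable "$bad") world-writable entries"
echo "umask applied:    $(count_world_writable "$good") world-writable entries"
```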





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

