Subject: Re: local root on linux 2.2.15
From: Wojciech Purczynski (wpELZABSOFT.PL)
Date: Thu Jun 08 2000 - 03:31:33 CDT


Procmail seems to be affected by this hole if used as the local mailer for
sendmail. If the CAP_SETUID bit is cleared, procmail doesn't drop privileges
and may execute the luser's program that mail is forwarded to in
~user/.procmailrc with root privileges.

-wp

On Thu, 8 Jun 2000, Peter van Dijk wrote:

> I do not have complete info right now, but here's the scoop:
> Local users can gain root thru a _kernel_ bug in linux 2.2.15 and some
> earlier versions. This is fixed in 2.2.16pre6. Linux 2.0.x is not
> vulnerable, I do not know of any other vulnerable OSes.
>
> The bug is that it is somehow possible to exec sendmail without the
> CAP_SETUID priv, which makes the setuid() call that sendmail eventually
> does to drop privs, fail. Big chunks of code that were never meant to run
> as root then do run as root, which is of course easily exploitable then.
>
> This is just about all the info I have, I do not have the exploit but I
> know that some black hats do have it. A couple of boxes already got
> completely trashed after being rooted through this hole, which is why I am
> making this public right now.
>
> I did not discover this bug, I only extrapolated from the small info I had:
> 'it has to do with capsuid' 'sendmail is vulnerable, crond is not'. Some
> reading of the kernel source then suggested the above to me, which has been
> confirmed by a more knowledgeable source.
>
> Greetz, Peter.
>

+--------------------------------------------------------------------+
| Wojciech Purczynski wpelzabsoft.pl http://www.elzabsoft.pl/~wp |
| GSM: +48604432981 Linux Administrator SMS: wp-smselzabsoft.pl |
+------ Public GnuPG Key: http://www.elzabsoft.pl/~wp/gpg.asc ------+
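Both messages describe the same defensive gap: sendmail's setuid() (and procmail's) fails when the process lacks CAP_SETUID, and the caller carries on as root because the result is never checked. The helper below is an added example written for this page, not code from sendmail, procmail or the kernel fix; it checks each privilege-dropping call and re-reads the ids afterwards so a refused drop fails closed. The status enum and the uid/gid values are assumptions.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Outcome of an attempted privilege drop (names are assumptions). */
enum drop_status {
    DROP_OK = 0,             /* ids are what we asked for */
    DROP_SYSCALL_FAILED = 1, /* setgid()/setuid() refused, e.g. no CAP_SETUID */
    DROP_VERIFY_FAILED = 2   /* call "succeeded" but ids still differ */
};

/* Pure check on the ids reported after the drop. Kept separate from the
 * syscalls so the verification rule can be exercised without root. */
enum drop_status verify_ids(uid_t want_uid, gid_t want_gid,
                            uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (ruid != want_uid || euid != want_uid)
        return DROP_VERIFY_FAILED;
    if (rgid != want_gid || egid != want_gid)
        return DROP_VERIFY_FAILED;
    return DROP_OK;
}

/* Drop to uid/gid and refuse to continue if the kernel did not let us.
 * This is the check that was missing in the scenario described above.
 * (A real daemon should also clear supplementary groups with setgroups()
 * while still root; omitted here to keep the example portable.) */
enum drop_status drop_privileges(uid_t uid, gid_t gid)
{
    /* gid first: after setuid() to a non-root uid, setgid() could no longer succeed. */
    if (setgid(gid) != 0)
        return DROP_SYSCALL_FAILED;
    if (setuid(uid) != 0)
        return DROP_SYSCALL_FAILED;
    /* Never trust the return value alone; confirm by reading the ids back. */
    return verify_ids(uid, gid, getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    /* Dropping to our own ids always works; dropping to root (uid 0) is
     * refused for an unprivileged caller, which is the failure mode above. */
    printf("drop to self: %d\n", (int)drop_privileges(getuid(), getgid()));
    printf("drop to uid 0: %d\n", (int)drop_privileges(0, 0));
    return 0;
}
```

Run as an unprivileged user the second call returns DROP_SYSCALL_FAILED; a daemon using this helper would exit at that point instead of continuing to run as root.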