Subject: Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities
From: xdr (xdr@HERT.ORG)
Date: Fri Jun 09 2000 - 17:50:46 CDT
- Next message: Fyodor: "Re: Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]"
- Previous message: stuart.mcclure@FOUNDSTONE.COM: "BEA WebLogic JSP showcode vulnerability"
- In reply to: Kyle Sparger: "Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities"
- Next in thread: Raymond Dijkxhoorn: "Glftpd privpath bugs... +fix"
- Next in thread: Antonio Galea: "Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities"
- Reply: xdr: "Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities"
Best thing to do would be to eradicate the problem specifically rather than
disabling the capset system call altogether. Linux 2.4.0 will make use
of capabilities and will need this system call for some applications to
function properly, afaik.
Here is another loadable module that will attack the problem more
specifically and log attempts to abuse this bug along with UID and task
information.
--- SNIP ---
/*
 * Simple module to detect/prevent abuse of CAP_SETUID vulnerability.
 *
 * To use:
 *
 * amenophis(xdr)~% gcc -Wall -O2 -I/usr/src/linux/include -c cpdm.c
 * amenophis(xdr)~% su -c '/sbin/insmod cpdm.o'
 * Password:
 * Detect and prevent abuse of CAP_SETUID kernel bug: xdr@hert.org
 * amenophis(xdr)~% ./cap/capset-test
 * Program attempting to possibly abuse CAP_SETUID bug: UID: 1000 TASK: capset-test[318].
 * capset returns (-1) errno (1 [Operation not permitted])
 *
 * $Id: cpdm.c,v 1.1 2000/06/10 22:00:09 xdr Exp $
 */
#define __KERNEL__
#define MODULE
#ifdef MODVERSIONS
#include <linux/modversions.h>
#endif
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/errno.h>
#include <linux/capability.h>
#include <linux/unistd.h>      /* __NR_capset */
#include <asm/uaccess.h>       /* copy_from_user() */

/* 1: refuse a suspicious call with EPERM; 0: refuse it with EFAULT. */
#define RETURN_EPERM 1

extern void *sys_call_table[];

/* The real sys_capset(), saved at load time and restored on unload. */
static asmlinkage int (*orig_sys_capset)(cap_user_header_t, cap_user_data_t);

/*
 * Replacement for sys_capset(). dataptr is a user-space pointer, so the
 * requested capability sets are copied in with copy_from_user() before they
 * are examined; if the copy fails, the real syscall is left to report the
 * error. A call from a non-root process whose new inheritable set lacks
 * CAP_SETUID is logged and refused; everything else is passed through.
 */
asmlinkage int new_sys_capset(cap_user_header_t header, cap_user_data_t dataptr)
{
	struct __user_cap_data_struct data;

	if (copy_from_user(&data, dataptr, sizeof(data)))
		return orig_sys_capset(header, dataptr);

	if (current->uid && !cap_raised(data.inheritable, CAP_SETUID)) {
		printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
		       "UID: %d TASK: %.15s[%d].\n",
		       current->uid, current->comm, current->pid);
		return (RETURN_EPERM ? -EPERM : -EFAULT);
	}
	return orig_sys_capset(header, dataptr);
}

int init_module(void)
{
	printk(KERN_INFO
	       "Detect and prevent abuse of CAP_SETUID kernel bug: xdr@hert.org\n");
	orig_sys_capset = sys_call_table[__NR_capset];
	sys_call_table[__NR_capset] = new_sys_capset;
	return 0;
}

void cleanup_module(void)
{
	sys_call_table[__NR_capset] = orig_sys_capset;
}
--- SNIP ---
On Thu, 8 Jun 2000, Kyle Sparger wrote:
> > My first shot at Linux kernel hacking - were there any other tweaks to
> > close this hole? ;)
>
> I don't know what all the consequences of this are, but the module below
> will disable the capset system call (which I think is necessary for the
> exploit). This is also my first shot at kernel hacking -- if I did
> something stupid, please educate rather than flame :)
>
> Note that I don't know what all uses the capabilities code, but I've been
> running this module on my system here for a few hours without consequence.
>
> Thanks,
>
> Kyle Sparger - Senior System Administrator
> Dialtone Internet - Extremely Fast Web Systems
> (954) 581-0097 - Voice (954) 581-7629 - Fax
> ksparger@dialtoneinternet.net
> http://www.dialtoneinternet.net
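The program below is an added example; it is not part of xdr's post and not his cpdm code. It stands in for the capset-test binary that the log excerpt in the module header runs, which is not on the page. It reads the calling process's capability sets with capget(2), clears CAP_SETUID from the inheritable set, and hands the result to capset(2), which is the call the module hooks; would_be_flagged() repeats the module's own test (uid != 0 and CAP_SETUID absent from the new inheritable set) so the decision can be checked offline on constructed inputs. Assumed here: the v1, 32-bit capability ABI that the module's cap_raised(dataptr->inheritable, ...) check implies, raw syscall(2) rather than libcap, getuid() standing in for the module's current->uid, and the file name capset-probe.c. One thing worth knowing before relying on the hook: an ordinary user process starts with an empty inheritable set, so the module's condition holds for any capset() call it makes, with or without the clearing step.

```c
/* capset-probe.c: added example, not xdr's capset-test.
 * Triggers the cpdm hook above by calling capset(2) from an unprivileged
 * process with CAP_SETUID cleared from the inheritable set, and reproduces
 * the module's decision in user space so it can be checked offline.
 * Assumes the v1 (32-bit) capability ABI and raw syscall(2), no libcap. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Older headers only know the plain name; the value is the v1 magic. */
#ifndef _LINUX_CAPABILITY_VERSION_1
#define _LINUX_CAPABILITY_VERSION_1 0x19980330
#endif

/* Same bit test as the kernel's cap_raised()/CAP_TO_MASK on a 32-bit set. */
int cap_is_raised(uint32_t set, int cap)
{
    return (set & (1u << cap)) != 0;
}

/* Turn a copy of the current sets into the probe: only the inheritable set
 * is changed, because that is the only set the module looks at.
 * Returns the new inheritable set. */
uint32_t build_probe(struct __user_cap_data_struct *d)
{
    d->inheritable &= ~(1u << CAP_SETUID);
    return d->inheritable;
}

/* The module's condition, evaluated on the data a caller is about to pass:
 * non-root uid and no CAP_SETUID in the requested inheritable set. */
int would_be_flagged(unsigned int uid, const struct __user_cap_data_struct *d)
{
    return uid != 0 && !cap_is_raised(d->inheritable, CAP_SETUID);
}

int main(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct cur, probe;
    long rc;

    memset(&hdr, 0, sizeof hdr);
    hdr.version = _LINUX_CAPABILITY_VERSION_1;   /* 32-bit sets, as in 2.2/2.4 */
    hdr.pid = 0;                                 /* 0 = the calling process */

    if (syscall(SYS_capget, &hdr, &cur) != 0) {
        perror("capget");
        return 1;
    }

    probe = cur;
    build_probe(&probe);
    printf("uid %u: inheritable before 0x%08x, after 0x%08x, "
           "module would flag this call: %s\n",
           (unsigned)getuid(), (unsigned)cur.inheritable,
           (unsigned)probe.inheritable,
           would_be_flagged(getuid(), &probe) ? "yes" : "no");

    /* Same report format as the capset-test line in the module header. */
    errno = 0;
    rc = syscall(SYS_capset, &hdr, &probe);
    printf("capset returns (%ld) errno (%d [%s])\n", rc, errno, strerror(errno));
    return 0;
}
```

Build with cc -Wall -O2 capset-probe.c -o capset-probe and run it as an ordinary user. With the module loaded, the last line should match the "capset returns (-1) errno (1 [Operation not permitted])" line in xdr's log; without it, the call returns 0, since a process may always shrink its own capability sets, which is exactly the difference the hook introduces.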