OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: local root on linux 2.2.15
From: Tollef Fog Heen (tollefADD.NO)
Date: Sun Jun 11 2000 - 05:36:48 CDT


* Philip Guenther

| Question: given this bug, is it now the community expectation that every
| program that setuids from 0 to non-zero should check for the presence of
| this kernel bug?

Always check the return value of system calls. Always. Always.
Always.

A simple program like

#include <stdlib.h>
#include <unistd.h>
#include <linux/capability.h>

int main() {
  cap_user_header_t header;
  cap_user_data_t data;
  header = malloc(8);
  data = malloc(12);
  header->pid = 0;
  header->version = _LINUX_CAPABILITY_VERSION;
  data->inheritable = data->effective = data->permitted = 0;
  capset(header, data);
  printf ("%d\n", setuid(1000));
}

will print -1 if setuid fails and 0 on success. Like almost all other
system calls. If you get -1, die or do something equal, just don't go
on and pretend everything is in order.

| Are we going to see new versions of perl, screen, xterm, nxterm, and
| rxvt (all of which are setuid root on the Linux system in front of
| me) that contain code to detect this?

if "code to detect this" means "checks the value of system calls",
then I absolutely hope so.

--
Tollef Fog Heen
This is the unix version of the LoveBug virus and in the spirit of such it
depends on the user community to propagate. Please send this message to all
of your friends and randomly delete numerous files from your system.