Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)
From: Michal Zalewski (lcamtuf@TPI.PL)
Date: Sun Nov 12 2000 - 15:46:53 CST

Motto from the modprobe manpage: "BUGS: Naah..."

This vulnerability was found by Sebastian Krahmer some time ago (he
is posting an advisory right now). Stupid shell command execution within a
userspace kernel helper application, modprobe, is something you do not
want to see. But it happened. I have no idea how it could be introduced in
RH 7.0 systems and some other distros (like recent SuSE), but it was. Ugh.

Well, Sebastian believed this vulnerability is really difficult to exploit
(at least in standard configurations). I had the same feeling about it.
But, after being asked by Sebastian to do it, I've found some time and
decided to investigate it more carefully. First of all, I've tried to find
any way to exploit it in an RH 6.2 environment with "upgraded" modprobe. No
success. Then, I've switched to a brand new, shiny RH 7.0 installation. And
voila - nothing easier. The attached exploit is somewhat hackish - abusing the new
ping utility in this system to exploit the modprobe vulnerability. As slashes
in device names are rejected by modprobe and the environment is not preserved,
this exploit works in a really weird way, operating on modprobe's pwd (/),
making it world-writable for a second.

NOTE: if this exploit fails, it does not have to mean your modprobe is
secure; it might mean your system is equipped with, for example, an old
/bin/ping utility, instead of the new iputils software. You should be aware
that RedHat released some iputils updates, which apparently seem to
"accidentally" fix this particular way to exploit it. But this utility is
only an instrument used to exploit the bug. You can play with other setuid
programs, /bin/ping6, privileged services etc. Be creative.

Well, two applications were upgraded and shipped in a manner which opens a
really huge root compromise possibility. Well done, RedHat :)

Greetings to Sebastian, of course, to Solar Designer, kil3r, Nises, Scott,
Dave, Simple Nomad, Aleph One, #hax and all the people :)

Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

  • TEXT/PLAIN attachment: stored
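The defect class the post describes, a privileged helper handing a caller-controlled device or module name to a shell, next to the standard defence (allowlist the token, execute via an argv list with no shell, and discard the caller's environment), as an added Python illustration. This is not code from the post, from modutils or from the attached exploit; the token regex, the `/sbin/insmod` path and the sample names are assumptions made for the example.

```python
import re
import subprocess

# Assumed allowlist for a request token: letters, digits, '-' and '_', at most
# 64 characters.  Shell metacharacters, whitespace and '/' are all refused,
# which is what a kernel helper receiving an untrusted name should enforce
# before it does anything with it.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Hypothetical helper binary; only used to build argv, never executed here.
_HELPER = "/sbin/insmod"


def is_safe_request_name(name: str) -> bool:
    """True only if `name` is a plain alias token with no shell-significant characters."""
    return bool(_SAFE_NAME.match(name))


def build_shell_command(name: str) -> str:
    """The defective pattern: the untrusted name is spliced into a shell string.

    Handing this string to `/bin/sh -c` lets any metacharacter in `name` be
    parsed as shell syntax.  Shown only to contrast with build_argv().
    """
    return _HELPER + " " + name


def build_argv(name: str) -> list:
    """Hardened pattern: validate, then pass the name as a single argv element.

    No shell is involved, so the name is only ever data to the helper.
    Raises ValueError for anything outside the allowlist.
    """
    if not is_safe_request_name(name):
        raise ValueError("rejected unsafe request name: %r" % (name,))
    return [_HELPER, name]


def clean_environment(caller_env: dict = None) -> dict:
    """Return the minimal environment a privileged helper should run with.

    Nothing from the caller's environment is inherited, so variables such as
    LD_PRELOAD or an attacker-chosen PATH cannot influence the helper.
    """
    del caller_env  # intentionally ignored
    return {"PATH": "/sbin:/bin:/usr/sbin:/usr/bin"}


def run_request(name: str, dry_run: bool = True):
    """Execute the helper with shell=False and a clean environment.

    With dry_run=True (the default) the argv is returned instead of executed.
    """
    argv = build_argv(name)
    if dry_run:
        return argv
    return subprocess.run(argv, env=clean_environment(), shell=False,
                          check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed sample names: two plain tokens, three that must be refused.
    for candidate in ["eth0", "net-pf-10", "a;b", "a b", "../x"]:
        verdict = "accept" if is_safe_request_name(candidate) else "reject"
        print("%-12r %s" % (candidate, verdict))
```

The point of the contrast is that `build_argv()` never produces a string for a shell to parse, and `clean_environment()` drops everything the unprivileged caller could have set; together they remove both avenues the post mentions (the command text and the environment) from the caller's control.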