OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Derek Martin (ddmpizzashack.org)
Date: Tue Jul 17 2001 - 15:32:07 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    On Mon, Jul 16, 2001 at 09:53:01AM -0500, joshpulltheplug.com wrote:

    > I posted this to the linux kernel mailing last Friday, July 13th 2001:
    >
    > Submitted by : Josh (joshpulltheplug.com), lockdown
    > (lockdownlockeddown.net) on July 16th, 2001
    > Vulnerability : /lib/modules/2.4.5/modules.dep
    > Tested On : Slackware 8.0. 2.4.5
    > Local : Yes
    > Remote : No
    > Temporary Fix : umask 022 at the top of all your startup scripts
    > Target : root
    > Big thanks to : slider, lamagra, zen-parse
    > Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
    > cryptix, s0ttle, xphantom, qtip, tirancy, Loki,
    > falcon-networks.com.
    >
    > The 2.4.x kernels starting with 2.4.3 (i think) have, after
    > load, left a umask of 0000. This forces any files created in the bootup
    > scripts, without the command `umask 022` issued to be world writeable.
    > In slackware, files include /var/run/utmp and /var/run/gpm.pid. This same
    > vulnerability is responsible for creating /lib/modules/`uname -r`/modules.dep
    > world writeable. With this file world writeable, all an intruder need do is
    > put something like the following in /lib/modules/`uname -r`/modules.dep
    > assuming the system's startup scripts modprobe lp:

    I messed around with this on a Red Hat 6.2 system (with
    modifications), by DELETING the existing
    /lib/modules/`uname -r`/module* files and rebooting,
    and got the following results:

      [ddmsol ddm]
      $ modprobe -V
      modprobe version 2.4.3
      modprobe: Nothing to load ???
      Specify at least a module or a wildcard like \*
      [ddmsol ddm]
      $ uname -r
      2.4.5
      [ddmsol ddm]
      $ cat /etc/redhat-release
      Red Hat Linux release 6.2 (Zoot)
      [ddmsol ddm]
      $ ls -l /lib/modules/`uname -r`
      total 44
      lrwxrwxrwx 1 root root 20 Jun 30 09:17 build -> /usr/local/src/linux/
      drwxrwxr-x 5 root root 1024 Jun 30 09:17 kernel/
      -rw-rw-rw- 1 root root 6778 Jul 17 08:17 modules.dep
      -rw-rw-rw- 1 root root 31 Jul 17 08:17 modules.generic_string
      -rw-rw-rw- 1 root root 519 Jul 17 08:17 modules.isapnpmap
      -rw-rw-rw- 1 root root 29 Jul 17 08:17 modules.parportmap
      -rw-rw-rw- 1 root root 10683 Jul 17 08:17 modules.pcimap
      -rw-rw-rw- 1 root root 18801 Jul 17 08:17 modules.usbmap
      drwxrwxr-x 2 root root 1024 Jun 30 09:17 pcmcia/
      drwxr-xr-x 2 root root 1024 Jun 30 09:37 video/

    I also did the same thing on a Red Hat 7.1 system, with modutils 2.4.2
    (as shipped by Red Hat), and linux 2.4.5 (pristine), and the modules.*
    files were recreated with permissions 0644 upon reboot, so it seems
    not to be limited to just Slackware, but also not a universal problem.
    Since it did not happen on RH 7.1 with modutils 2.4.2, it may be that
    the problem is actually in modutils 2.4.3 (and later, probably), and
    not in earlier modutils. I think this is probably not really a kernel
    issue, per se.

    After finding these results on my RH 6.2 system, I changed the
    permissions on the modules.* files from 0666 to 0644 and rebooted
    again, and the 0644 permissions were retained when depmod -a ran from
    /etc/rc.d/rc.sysinit (which makes sense).

    I would think that modutils should set the creation mode to 0644 when
    creating these files. I would also think that as a security measure,
    modutils should verify that these files (or at least modules.dep) are
    not world-writable (and probably also not group writable) BEFORE
    loading modules as a result of listed dependencies... I'm not really
    sure that the kernel itself should automatically set a restrictive
    umask, as I would think it should be up to user-space programs to
    decide that; but it probably doesn't matter much either way.

    As a work-around for this problem (at least on Red Hat 6.2), you can
    chmod the files manually (assuming they already exist with the wrong
    permissions), and set the umask to 022 in /etc/rc.d/rc.sysinit. That
    should be the only place you really need to set the umask. Or, if you
    really want to make sure this is your system default (i.e. that all
    start-up scripts run with this UMASK value), you should be able to set
    the umask in /etc/initscript (I haven't tried it). 

    -- 
---------------------------------------------------
Derek Martin          |   Unix/Linux geek
ddmpizzashack.org    |   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu

    -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAjtUoMMACgkQdjdlQoHP512DGgCeJe98u/6esCRuO7Zbdz8TM5IB aNEAni7hcSTxF5FBOH0TELZHvh+ry55e =D3Te -----END PGP SIGNATURE-----