Local Root Hole in Linux Kernels

← Back to Stories (view on slashdot.org)

Local Root Hole in Linux Kernels

Posted by michael on Tuesday March 18, 2003 @08:09AM from the keep-those-users-down dept.

xepsilon writes "A local Linux security hole using ptrace has been discovered that allows a potential attacker to gain root privileges. Linux 2.2.25 has been released to correct this security hole, along with a patch for 2.4.20-pre kernels. 2.4.21 ought to contain this fix, once it is released. 2.5 is not believed to be vulnerable to this security hole. See this email from Alan Cox for details, and a patch."

10 of 495 comments (clear)

Min score:

Reason:

Sort:

Here's the text of Alans post (minus the .diff) by Mish · 2003-03-18 08:15 · Score: 4, Informative

Ptrace hole / Linux 2.2.25

To: linux-kernel@vger.kernel.org
Subject: Ptrace hole / Linux 2.2.25
From: Alan Cox
Date: Mon, 17 Mar 2003 11:04:35 -0500 (EST)
Sender: linux-kernel-owner@vger.kernel.org

-----------------------

Vulnerability: CAN-2003-0127

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows
local users to obtain full privileges. Remote exploitation of this hole is
not possible. Linux 2.5 is not believed to be vulnerable.

Linux 2.2.25 has been released to correct Linux 2.2. It contains no other
changes. The bug fixes that would have been in 2.2.5pre1 will now appear in
2.2.26pre1. The patch will apply directly to most older 2.2 releases.

A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also
subtly changes the PR_SET_DUMPABLE prctl. We believe this is neccessary and
that it will not affect any software. The functionality change is specific
to unusual debugging situations.

We would like to thank Andrzej Szombierski who found the problem, and
wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van
de Ven and Ben LaHaise identified additional problems with the original
fix.

Alan
In other news... by AnriL · 2003-03-18 08:17 · Score: 5, Informative

And for the hax0rs without a local shell, there's a recent samba instant-remote-r00t vulnerability. Get your patches while they're hot!
Re:Could someone post the email up? by cyb97 · 2003-03-18 08:20 · Score: 4, Informative

linux-kernel-list
Different mirror
I guess these are the same.. haven't read the origial ./ed site, but this is from lklm and guess they're the same...
ptrace() again? by misof · 2003-03-18 08:22 · Score: 5, Informative

This is already at least the second problem somehow connected with ptrace() in the kernel. Kernels prior to 2.2.19 were vulnerable to a race-condition attack, that enabled local users to gain root privilegies. This was one of the most "famous" problems in last years and it's known as the execve/ptrace exploit.

More details:
This vulnerability exploits a race condition in the 2.2.x Linux kernel within the execve() system call. By predicting the child-process sleep() within execve(), an attacker can use ptrace() or similar mechanisms to subvert control of the child process. If the child process is setuid, the attacker can cause the child process to execute arbitrary code at an elevated privilege. There are also other known lesser security issues with Linux kernels prior to 2.2.19 which have been noted as fixed.
Re:Linux disclosure procedures? by ichimunki · 2003-03-18 08:24 · Score: 5, Informative

I don't know. Let's ask the U.S. Army what they think of Microsoft after the latest server hacking.

--
I do not have a signature
Re:Stupid question... by Xerithane · 2003-03-18 08:36 · Score: 4, Informative

Does that mean you have to be at the keyboard, or does that mean you have to have access to the box itself? (a shutdown/restart exploit?)

This means that you have to already have an existing user account on the system, running in user space. You cannot exploit the box without having (control of) a user account.

If you are at the keyboard, you can usually get root instantly on Linux. "lilo: linux single"

--
Dacels Jewelers can't be trusted.
Simple workaround by volkerdi · 2003-03-18 08:45 · Score: 5, Informative

If you can't patch this right away, you can easily work around the hole. In order to be vulnerable, you need to have kmod enabled in the kernel, and /proc/sys/kernel/modprobe must contain the name of ANY VALID EXECUTABLE. It doesn't have to be /sbin/modprobe. Even /bin/false is vulnerable on this one.

To prevent the exploit, give the kernel a bogus filename to use as modprobe, like this:

cat /this/file/aint/there > /proc/sys/kernel/modprobe

If you only use kmod to load modules at boot time, you might consider having this run after all your other init scripts, say in rc.local.

Pat
Re:Root Kit by Tom7 · 2003-03-18 08:47 · Score: 5, Informative

No, but a good bet is to reinstall MD5-verified binaries of netstat and ps, and then look for suspicious processes or network servers. All of the rootkits I've seen work by running a hidden background process, or by modifying the kernel -- and you're replacing the kernel, so that should be ok.
Patch won't apply to linux-2.4.20 by sanermind · 2003-03-18 09:16 · Score: 4, Informative

It fails on include/linux/sched.h with default patch options. Which kind of sucks. You can get it to 'work' by giving patch a fuzz-factor of 3, but then the build fails. Not a very usefull patch.
cd /usr/src
mv linux-2.4.20 linux-2.4.20_OLD
bzcat /otherhome/stor/src/linux/linux-2.4.20.tar.bz2 | tar xv
cd linux-2.4.20
patch -p1

fails at include/linux/sched.h

If you do 'patch -p1 -F 3' instead, it won't fail, but the fuzz factor obviously leads to a patch error, as the compilation breaks [as soon as include/linux/sched.h is included, BTW]

I mean, I appreciate knowing that my system is horribly vulnerable, but a WORKING FIX would sure be nice.

--

---
the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
Re:Exploitable? by GammaTau · 2003-03-18 19:53 · Score: 4, Informative

An anonymous writer at kerneltrap.org provided this link for a working exploit:
http://isec.pl/cliph/isec-ptrace-kmod-exploit.c