Local Root Hole in Linux Kernels

← Back to Stories (view on slashdot.org)

Local Root Hole in Linux Kernels

Posted by michael on Tuesday March 18, 2003 @08:09AM from the keep-those-users-down dept.

xepsilon writes "A local Linux security hole using ptrace has been discovered that allows a potential attacker to gain root privileges. Linux 2.2.25 has been released to correct this security hole, along with a patch for 2.4.20-pre kernels. 2.4.21 ought to contain this fix, once it is released. 2.5 is not believed to be vulnerable to this security hole. See this email from Alan Cox for details, and a patch."

5 of 495 comments (clear)

Min score:

Reason:

Sort:

In other news... by AnriL · 2003-03-18 08:17 · Score: 5, Informative

And for the hax0rs without a local shell, there's a recent samba instant-remote-r00t vulnerability. Get your patches while they're hot!
ptrace() again? by misof · 2003-03-18 08:22 · Score: 5, Informative

This is already at least the second problem somehow connected with ptrace() in the kernel. Kernels prior to 2.2.19 were vulnerable to a race-condition attack, that enabled local users to gain root privilegies. This was one of the most "famous" problems in last years and it's known as the execve/ptrace exploit.

More details:
This vulnerability exploits a race condition in the 2.2.x Linux kernel within the execve() system call. By predicting the child-process sleep() within execve(), an attacker can use ptrace() or similar mechanisms to subvert control of the child process. If the child process is setuid, the attacker can cause the child process to execute arbitrary code at an elevated privilege. There are also other known lesser security issues with Linux kernels prior to 2.2.19 which have been noted as fixed.
Re:Linux disclosure procedures? by ichimunki · 2003-03-18 08:24 · Score: 5, Informative

I don't know. Let's ask the U.S. Army what they think of Microsoft after the latest server hacking.

--
I do not have a signature
Simple workaround by volkerdi · 2003-03-18 08:45 · Score: 5, Informative

If you can't patch this right away, you can easily work around the hole. In order to be vulnerable, you need to have kmod enabled in the kernel, and /proc/sys/kernel/modprobe must contain the name of ANY VALID EXECUTABLE. It doesn't have to be /sbin/modprobe. Even /bin/false is vulnerable on this one.

To prevent the exploit, give the kernel a bogus filename to use as modprobe, like this:

cat /this/file/aint/there > /proc/sys/kernel/modprobe

If you only use kmod to load modules at boot time, you might consider having this run after all your other init scripts, say in rc.local.

Pat
Re:Root Kit by Tom7 · 2003-03-18 08:47 · Score: 5, Informative

No, but a good bet is to reinstall MD5-verified binaries of netstat and ps, and then look for suspicious processes or network servers. All of the rootkits I've seen work by running a hidden background process, or by modifying the kernel -- and you're replacing the kernel, so that should be ok.