Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities
From: xdr () HERT ORG (xdr)
Date: Sat, 10 Jun 2000 00:50:46 +0200

Best thing to do would be to erradicate the problem specificly other than
disabling the capset system call all together. Linux 2.4.0 will make use
of capabilities and will need this system call for some applications to
function properly, afaik.

Here is another loadable module that will attack the problem more
specificly and log attempts to abuse this bug by calling UID and task

--- SNIP ---
 * Simple module to detect/prevent abuse of CAP_SETUID vulnerability.
 * To use:
 * amenophis(xdr)~% gcc -Wall -O2 -I/usr/src/linux/include -c cpdm.c
 * amenophis(xdr)~% su -c '/sbin/insmod cpdm.o'
 * Password:
 * Detect and prevent abuse of CAP_SETUID kernel bug: xdr () hert org
 * amenophis(xdr)~% ./cap/capset-test
 * Program attempting to possibly abuse CAP_SETUID bug: UID: 1000 TASK: capset-test[318].
 * capset returns (-1) errno (1 [Operation not permitted])
 * $Id: cpdm.c,v 1.1 2000/06/10 22:00:09 xdr Exp $

#define __KERNEL__
#define MODULE

#include <linux/modversions.h>

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/capability.h>
#include <linux/unistd.h>
#include <asm/uaccess.h>
#include <sys/syscall.h>

#define RETURN_EPERM    1

extern void *sys_call_table[];

static asmlinkage int (*orig_sys_capset)(cap_user_header_t, cap_user_data_t);

asmlinkage int new_sys_capset(cap_user_header_t header, cap_user_data_t dataptr)
        if(current->uid && !cap_raised(dataptr->inheritable, CAP_SETUID)) {
                printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
                                  "UID: %d TASK: %.15s[%d].\n",
                       current->uid, current->comm, current->pid);
                return (RETURN_EPERM ? -EPERM : -EFAULT);

        return orig_sys_capset(header, dataptr);

int init_module( void )
               "Detect and prevent abuse of CAP_SETUID kernel bug: xdr () hert org\n");

        orig_sys_capset = sys_call_table[__NR_capset];
        sys_call_table[__NR_capset] = new_sys_capset;

        return 0;

void cleanup_module( void )
        sys_call_table[__NR_capset] = orig_sys_capset;
--- SNIP ---

On Thu, 8 Jun 2000, Kyle Sparger wrote:

My first shot at Linux kernel hacking - were there any other tweaks to
close this hole? ;)

I don't know what all the consequences of this are, but the module below
will disable the capset system call (which I think is necessary for the
exploit).  This is also my first shot at kernel hacking -- if I did
something stupid, please educate rather than flame :)

Note that I don't know what all uses the capabilities code, but I've been
running this module on my system here for a few hours without consequence.


Kyle Sparger - Senior System Administrator
Dialtone Internet - Extremely Fast Web Systems
(954) 581-0097 - Voice (954) 581-7629 - Fax
ksparger () dialtoneinternet net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]