Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)
From: Keith Owens <kaos () OCS COM AU>
Date: Mon, 13 Nov 2000 21:40:19 +1100

On Sun, 12 Nov 2000 22:46:53 +0100,
Michal Zalewski <lcamtuf () TPI PL> wrote:
This vulnerability has been found by Sebastian Krahmer some time ago (he
is posting an advisory right now). Stupid shell command execution within
userspace kernel helper application, modprobe, is something you do not
want to see. But it happened. I have no idea how could it be introduced in
RH 7.0 systems and some other distros (like recent SuSE), but it was. Ugh.

Insert usual complaint about exploit being posted without contacting
maintainer first.

This bug was introduced to modutils in March 12 1999, it does not
affect modutils 2.1.121.  modprobe tries echo as the last ditch file
expansion method, using popen.  There is no good reason to do that.

NOTE: if this exploit fails, it does not have to mean your modprobe is
secure; it might mean your system is equipped with, for example, old
/bin/ping utility, instead of new iputils software. You should be aware
that RedHat released some iputils updates, which apparently seems to
"accidentally" fix this particular way to exploit it. But this utility is
only an instrument used to exploit the bug. You can play with other setuid
programs, /bin/ping6, privledged services etc. Be creative.

The invoking program does not have to be setuid.  It has to pass its
parameters directly into the kernel, the kernel must be compiled with
kmod and kmod must pass the parameter directly to modprobe.

Well, two applications were upgraded and shipped in the manner which opens
really huge root compromise possibility. Well done, RedHat :)

This time you cannot blame on Redhat, the modprobe bug has been there
for quite a while.

Patch against modutils 2.3.19.

Index: 19.7/util/meta_expand.c
--- 19.7/util/meta_expand.c Sun, 10 Sep 2000 12:56:40 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644)
+++ 19.7(w)/util/meta_expand.c Mon, 13 Nov 2000 21:19:41 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644)
@@ -156,12 +156,8 @@ static int glob_it(char *pt, GLOB_LIST *
  */
 int meta_expand(char *pt, GLOB_LIST *g, char *base_dir, char *version)
 {
-       FILE *fin;
-       int len = 0;
-       char *line = NULL;
        char *p;
        char tmpline[PATH_MAX + 1];
-       char tmpcmd[PATH_MAX + 11];

        g->pathc = 0;
        g->pathv = NULL;
@@ -277,38 +273,6 @@ int meta_expand(char *pt, GLOB_LIST *g,
                /* Only "=" remaining, should be module options */
                split_line(g, pt, 0);
                return 0;
-       }
-
-       /*
-        * Last resort: Use "echo"
-        */
-       sprintf(tmpline, "%s%s", (base_dir ? base_dir : ""), pt);
-       sprintf(tmpcmd, "/bin/echo %s", tmpline);
-       if ((fin = popen(tmpcmd, "r")) == NULL) {
-               error("Can't execute: %s", tmpcmd);
-               return -1;
-       }
-       /* else */
-
-       /*
-        * Collect the result
-        */
-       while (fgets(tmpcmd, PATH_MAX, fin) != NULL) {
-               int l = strlen(tmpcmd);
-
-               line = (char *)xrealloc(line, len + l + 1);
-               line[len] = '\0';
-               strcat(line + len, tmpcmd);
-               len += l;
-       }
-       pclose(fin);
-
-       if (line) {
-               /* Ignore result if no expansion occurred */
-               strcat(tmpline, "\n");
-               if (strcmp(tmpline, line))
-                       split_line(g, line, 0);
-               free(line);
        }

        return 0;


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault