Home page logo

bugtraq logo Bugtraq mailing list archives

Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)
From: Olaf Kirch <okir () CALDERA DE>
Date: Mon, 13 Nov 2000 13:26:17 +0100

On Sun, Nov 12, 2000 at 10:46:53PM +0100, Michal Zalewski wrote:
This vulnerability has been found by Sebastian Krahmer some time ago (he
is posting an advisory right now).

This issue has been discussed as far back as 1996 or so on the
linux-security list, when the module requester du jour was called kerneld.

It should be noted that older Linux distributions using e.g.
modutils-2.1.121 (which I'm looking at) should be safe: before
modprobe will do _anything_ it checks the name of the requested
module against /lib/modules/modules.dep and fails if the module's
not listed. Getting "; chmod +w ." listed as a module should be
sort of tricky.

Of course, this still allowed you to load load e.g. the ISO9660 file
system driver doing "ifconfig iso9660" as an ordinary user.  But there
was some sort of consensus that this shouldn't be considered a problem
(if a module turns out to be buggy, remove it). One of those issues
that can be argued to death...

My main concern back then has been that all the protection against "bad"
module names was in modprobe, and all it took to turn this into a serious
hole was for someone to mess up modprobe (which they did now, apparently).

only an instrument used to exploit the bug. You can play with other setuid
programs, /bin/ping6, privledged services etc. Be creative.

Right. It should be noted that fixing the setuid case is probably not
enough because you may have privileged services do things that ultimately
trigger a kmod call.

A good fix IMHO (suggested by Torsten Duwe) is to make the _kernel_ check
the requested module to make sure that the name consists of alphanumerics,
dash and underscore exclusively. Oh yeah, and stop using system/popen
in system applications. What does it take to drive this point home?

Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]