Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Mon, 13 Nov 2000 12:44:34 +0100

On Mon, 13 Nov 2000, Keith Owens wrote:

The invoking program does not have to be setuid.  It has to pass its
parameters directly into the kernel, the kernel must be compiled with
kmod and kmod must pass the parameter directly to modprobe.

net/core/dev.c, line 348:

#ifdef CONFIG_KMOD

void dev_load(const char *name)
{
        if(!dev_get(name) && capable(CAP_SYS_MODULE))
                request_module(name);
}

/* ...snip... */

It has to run on privledged level (or have CAP_SYS_MODULE).

This time you cannot blame on Redhat, the modprobe bug has been there
for quite a while.

RedHat (and some other vendors) have not audited recently introduced
code. That's all I can say. Of course it's modutils bug.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]