Bug 11974
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | setuid vulnerability in kernels prior to 2.2.16 | | |
| Product | [Retired] Red Hat Linux | Reporter | kenneth_porter |
| Component | kernel | Assignee | Michael K. Johnson <johnsonm> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | high | | |
| Version | 6.2 | CC | bugzilla.redhat2eran, djm, douglas, flaps, gedetil, jan.iven, mclaughj, schack |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://www.securityfocus.com/vdb/bottom.html?vid=1322 | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2000-06-22 15:54:47 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
kenneth_porter
2000-06-08 08:44:28 UTC
Created attachment 358
Tests for existence of the bug: mark the executable setuid and run it as non-root to check.

The attachment reports no vulnerability on my custom 2.2.14 kernel, but I'd like confirmation that I'm testing for the correct symptom.

A possible workaround may be to disable CAP_SETPCAP in the init scripts (echo 0xFFFFFEFF >/proc/sys/kernel/cap-bound). Looks like very few applications (compartment) are actually using this at the moment -- please correct me if I'm wrong.

I know this is a 6.2 bug, but I just tried the exploit under 6.0 with the kernel-2.2.5-15 package on two different systems and neither one showed up as being vulnerable. I wonder what versions of Red Hat are affected by this...

The problem exists on both my 2.2.5-22 and 2.2.14-5.0 (6.0 and 6.2) systems.

That "test4setuidbug.c" program isn't an adequate test. You can give up setuid normally; that's not a problem. The problem is that if you give up a certain "capability" in the 2.2 kernel, *then* you can't give up setuid. And it's possible to give up this capability as a user. There is now an exploit program on bugtraq. Look at the previous bugtraq posting (also today) containing "blep.c" and "suidcap.c". This pair of programs, when used as indicated in that bugtraq posting, reports a problem for Red Hat Linux 6.0 as patched, kernel 2.2.5-22. And probably everything else which is 2.2.x as distributed by Red Hat. regards,

Anyone have any idea how long it's going to be before Red Hat puts out an updated package? I hope they're working on this....

Regarding the files you refer to from bugtraq: I went to the www.securityfocus.com web site and I couldn't find the post with the better test programs. Perhaps the archiving is a little slow. Here's the bugtraq entry: http://www.securityfocus.com/vdb/bottom.html?vid=1322 I changed the URL entry for this bug to the bugtraq URL.

A good vulnerability-testing program as posted to bugtraq today can be found at http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000608165624.A577@rajpur.iagora.es Do follow the full set of steps for testing it. Make "blep" setuid, but suidcap not. You run suidcap as a user, then it execs a shell and you run blep. His suidcap program removes the setuid capability, then runs a shell (which therefore lacks the setuid capability). The blep program, when run in this context, attempts to give up euid root and fails. This message was not on the bugtraq archive web page earlier and it is a bit too long to post directly. regards,

That workaround posted above DOES NOT work.

When will Red Hat address this security problem!?!?!? It has been out now for two days! What am I getting for the exorbitant amount charged for GPL software? It sure ain't a quick response, maybe it's the bumper stickers!

http://rufus.w3.org/linux/RPM/rawhide/1.0/i386/RedHat/RPMS/kernel-2.2.16-1.i386.html and the associated RPMs have what you need to update without waiting for Red Hat to test the stability of the new kernel.

The errata kernel has been released.

The final errata kernel version is 2.2.16-3. We apologize for the amount of time it took to get this out.
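The defensive side of what the thread describes, as an added example that is not code from the bug report or from the bugtraq programs: under this bug a setuid-root program exec'd from a capability-stripped shell finds that setuid() fails, so a program that ignores the return value keeps running as root. The routine below (names `drop_privs_checked` and `privs_fully_dropped` are assumed here; it assumes Linux with glibc's setresuid/getresuid) checks every return value, re-reads the ids from the kernel, and confirms root cannot be regained before continuing.

```c
/* Hardened privilege drop for a setuid-root helper. Added example for the
 * setuid/capability bug discussed above; not taken from the bug report. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Return 1 only if real, effective and saved ids all equal the target.
 * This asks the kernel what happened instead of trusting setuid()'s
 * return value alone. */
int privs_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    if (getresuid(&ruid, &euid, &suid) != 0) return 0;
    if (getresgid(&rgid, &egid, &sgid) != 0) return 0;
    return ruid == uid && euid == uid && suid == uid &&
           rgid == gid && egid == gid && sgid == gid;
}

/* Drop to uid/gid permanently. Returns 0 on success, -1 on any failure.
 * Groups go first: once the uid is gone, the gid can no longer be changed. */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (!privs_fully_dropped(uid, gid)) return -1;
    /* Regaining root must now fail; if it succeeds, the drop was not real. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    /* A setuid binary would drop to its invoking user: the real uid/gid. */
    if (drop_privs_checked(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    printf("running as uid %u\n", (unsigned)geteuid());
    return 0;
}
```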