Bug 34594

Summary: ptrace/execve race condition still exists in kernel-2.2.17-14
Product: [Retired] Red Hat Linux
Reporter: Need Real Name <kluka>
Component: kernel
Assignee: Arjan van de Ven <arjanv>
Status: CLOSED CURRENTRELEASE
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: high
Version: 7.0
CC: abartlet, bishop, djschaap, jan.iven+rh, jarno.huuskonen, lionel.cons, milan.kerslager, pekkas, peter, plazonic, priyadi, valankar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: i386
OS: Linux
URL: http://www.securityfocus.com/archive/1/173119
Doc Type: Bug Fix
Last Closed: 2001-04-17 07:43:27 UTC

Description Need Real Name 2001-04-03 23:45:32 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.19 i686)


Although kernel-2.2.17-14.src.rpm contains kernel-2.2.19-ptrace.patch, the
exploit from the URL still works.

Reproducible: Always
Steps to Reproduce:
1. compile the program from URL
2. run it as an unprivileged user
3. if you did not get a root shell, run the program again with a rarely used
suid program (e.g. /usr/bin/gpasswd) as the argument

Actual Results:  root shell

Expected Results:  Exploit fails and prints out an error message.

Comment 1 Jarno Huuskonen 2001-04-04 08:24:45 UTC
The kernel 2.2.19 changelog shows a lot of security-related updates. See
http://www.linux.org.uk/VERSION/relnotes.2219.html

Are you going to release an upgraded kernel errata?



Comment 2 Peter Ajamian 2001-04-04 11:03:22 UTC
Verified, the exploit works on RH 6.0 with kernel-2.2.16-3 (haven't gotten 2.2.17 in
yet, but I imagine it'll work there also).  This really should be priority high, I
quite easily got a root drop on my own system.  This is one any script-kiddie can
exploit easily.

Snippet of output (note /usr/local/bin/cvspwd is a suid utility I wrote for the CVS
passwd server, I wanted to see if it would truly work with _any_ suid program):

$./epcs2 /usr/local/bin/cvspwd
bug exploited successfully.
enjoy!
bash#

Comment 3 Peter Ajamian 2001-04-05 23:52:33 UTC
Hey, what's going on here?  Two days later and status is _still_ NEW.  This is a
_serious_ security issue here.  Is anyone even looking into this bug?  Could
someone at least reply and say that you know it exists?

Comment 4 Arjan van de Ven 2001-04-05 23:57:57 UTC
We know it exists. We're working on a fix, however this requires careful testing
as not all fixes work properly.

Comment 5 Need Real Name 2001-04-06 14:16:01 UTC
Kernel 2.2.19 was said to fix this.  It does not?  Or might releasing 2.2.19 cause some other problems?

Comment 6 Seth Vidal 2001-04-06 14:19:04 UTC
There are A LOT of patches that Red Hat puts into their kernels. Additionally
2.2.19 brings some significant changes to MANY portions of the kernel (namely
nfs client and server and native usb) - there is a lot to test.



Comment 7 Pekka Savola 2001-04-07 22:03:47 UTC
Personally, I'd also like to see:
 * ipv6
 * lm_sensors

stuff built in by default on RHL62 too (the same code base will be used with RHL7, 
where they're built in).  This would make a nice "put to bed" release for RHL62.

There shouldn't be problems with these as they're both built as modules.


Comment 8 Peter Ajamian 2001-04-10 22:56:51 UTC
Tested with kernel 2.2.19:

$ ./epcs2 /usr/bin/passwd
ptrace: PTRACE_ATTACH: Operation not permitted
d0h! error!

Exploit doesn't work (a good thing).

Note that this is just the straight kernel without all the RedHat patches.  Also
with a minimal selection of options enabled in the config.
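
Added example (not part of the bug report, and neither Red Hat's code nor the exploit from the SecurityFocus URL): a small C probe of the boundary this bug is about. It forks a child that execs a setuid-root binary, waits until the execve has completed, and then tries PTRACE_ATTACH from the unprivileged parent. On a fixed kernel the attach fails with EPERM, which is the "ptrace: PTRACE_ATTACH: Operation not permitted" seen in comment 8. Because the probe only attaches after the exec has finished, a refused attach does not by itself prove that the execve race window is closed; it checks the permission rule the race was bypassing, not the race. Assumed: Linux with /proc mounted; the target path (/usr/bin/passwd by default, taken from comment 8) is setuid root and blocks reading a password from a non-tty stdin; the names probe_setuid_attach, caller_is_privileged, is_setuid_root and proc_status_field are this example's own.

```c
#define _GNU_SOURCE
/* Added example, not code from the bug report: can an unprivileged tracer
 * PTRACE_ATTACH to a process that has exec'd a setuid-root binary?  A fixed kernel
 * answers EPERM ("Operation not permitted", as in comment 8).  Assumes Linux with
 * /proc mounted and a target such as /usr/bin/passwd that blocks on stdin. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum attach_verdict {
    ATTACH_SKIPPED = 0, /* no usable setuid-root target, or setuid did not take effect */
    ATTACH_DENIED  = 1, /* EPERM against a euid-0 target: the expected, safe answer */
    ATTACH_ALLOWED = 2  /* attached to a euid-0 target: fine for root, alarming otherwise */
};

/* Find one "Key: value" line in /proc/<pid>/status (world-readable even for a
 * non-dumpable process); returns 1 and stores the value when fmt matches. */
static int proc_status_field(pid_t pid, const char *fmt, unsigned long long *out)
{
    char path[64], line[256]; int found = 0;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f)) found = sscanf(line, fmt, out) == 1;
    fclose(f);
    return found;
}

/* Root, or a holder of CAP_SYS_PTRACE (bit 19 of CapEff), may attach anyway, so a
 * successful attach from such a caller says nothing about the bug. */
int caller_is_privileged(void)
{
    unsigned long long caps = 0;
    if (geteuid() == 0) return 1;
    return proc_status_field(getpid(), "CapEff: %llx", &caps) && ((caps >> 19) & 1);
}

/* True only for a regular file that is setuid and owned by root. */
int is_setuid_root(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) && st.st_uid == 0;
}

enum attach_verdict probe_setuid_attach(const char *target)
{
    int in[2], execfd[2];
    if (!is_setuid_root(target) || pipe(in) != 0) return ATTACH_SKIPPED;
    if (pipe(execfd) != 0 || fcntl(execfd[1], F_SETFD, FD_CLOEXEC) != 0) return ATTACH_SKIPPED;
    pid_t pid = fork();
    if (pid < 0) return ATTACH_SKIPPED;
    if (pid == 0) {
        /* Child: stdin is a pipe the parent keeps open, so the target blocks at its prompt;
         * execfd[1] is close-on-exec, so its EOF tells the parent execve has happened. */
        dup2(in[0], STDIN_FILENO);
        close(in[0]); close(in[1]); close(execfd[0]);
        int devnull = open("/dev/null", O_RDWR);
        if (devnull >= 0) { dup2(devnull, STDOUT_FILENO); dup2(devnull, STDERR_FILENO); }
        execl(target, target, (char *)NULL);
        _exit(127);                                   /* exec failed; exiting closes execfd[1] too */
    }
    close(in[0]); close(execfd[1]);
    char c; ssize_t n;
    do { n = read(execfd[0], &c, 1); } while (n < 0 && errno == EINTR);
    close(execfd[0]);
    /* The probe.  A current ptrace_attach takes the exec credential guard, so when it
     * answers, the target's post-execve credentials and dumpable flag are already final. */
    errno = 0; long rc = ptrace(PTRACE_ATTACH, pid, NULL, NULL); int err = errno;
    unsigned long long euid = (unsigned long long)-1;  /* stays -1 if status is unreadable */
    proc_status_field(pid, "Uid: %*llu %llu", &euid);   /* second number = effective uid */
    enum attach_verdict v;
    if (rc == 0) {
        waitpid(pid, NULL, 0);                          /* collect the SIGSTOP from the attach */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        v = euid == 0 ? ATTACH_ALLOWED : ATTACH_SKIPPED; /* euid != 0: nosuid mount or no_new_privs */
    } else {
        v = (err == EPERM && euid == 0) ? ATTACH_DENIED : ATTACH_SKIPPED; /* ESRCH: target already gone */
    }
    /* Cleanup: EOF on stdin makes the target give up even if kill() is refused (it may
     * have switched its real uid to 0); then reap it, bounded to 5 s. */
    close(in[1]); kill(pid, SIGKILL);
    for (int i = 0; i < 50 && waitpid(pid, NULL, WNOHANG) == 0; i++) {
        struct timespec ts = { 0, 100 * 1000 * 1000 }; nanosleep(&ts, NULL);
    }
    return v;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/usr/bin/passwd";
    enum attach_verdict v = probe_setuid_attach(target);
    printf("PTRACE_ATTACH to %s as uid %ld: %s\n", target, (long)getuid(),
           v == ATTACH_DENIED ? "denied (EPERM)" : v == ATTACH_ALLOWED ? "allowed" : "skipped");
    return v == ATTACH_ALLOWED && !caller_is_privileged();
}
```

Build with cc and run it as an unprivileged user; a different setuid-root path can be passed as the first argument. Pick a target that waits for input: one that exits at once (gpasswd with no arguments just prints its usage) is gone before the attach and is reported as skipped or denied, not tested. The effective uid is read from /proc/<pid>/status after the attach attempt so that a setuid binary on a nosuid mount, or under no_new_privs, shows up as skipped rather than as a finding, and "allowed" is only meaningful when the caller is neither root nor a CAP_SYS_PTRACE holder.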

Comment 9 Bishop Clark 2001-04-11 19:57:40 UTC
Well, thankfully, the error's been PUBLISHED.  That's excellent, as I'd be upset if every 
skript kiddie in the world didn't know how to do this.  As an added bonus, my shell users
should get a good kick out of this... many of them read sites that grab SF's data.

http://www.securityfocus.com/advisories/3206

Comment 10 Milan Kerslager 2001-04-13 12:42:37 UTC
*** Bug 34058 has been marked as a duplicate of this bug. ***

Comment 11 Milan Kerslager 2001-04-13 12:44:19 UTC
As this exploit works on all kernels < 2.2.19 I would be glad if the fixed RPM
were available as soon as possible...

Comment 12 Milan Kerslager 2001-04-17 07:43:21 UTC
Huh, there was advisory 10 days ago:

http://www.redhat.com/support/errata/RHSA-2001-047.html
ftp://updates.redhat.com/7.0/en/os/i386/*

Also I'm unable to download the kernel package with up2date even though I upgraded all
components (up2date too) to their latest version (by up2date). The error
message I received from up2date is:

There was a fatal error communicating with the server.  The message was:

ERROR: File not found
INFO : Invalid RPM package requested: /var/up2date/packages/7.0/i386/kernel-2.2.17-14.*.rpm

        An error has occured while processing your request. If this problem
        persists please submit a bug report to rhn-help.
        If you choose to submit the bug report, please be sure to include
        details of what were you trying to do when this error occured and
        details on how to reproduce this problem.

My system is Red Hat 7.0 and I have kernel-2.2.17-14 package on my system.

Comment 13 Milan Kerslager 2001-04-17 23:21:54 UTC
up2date now works. Voilà. Thanks.