Bug 11974 - setuid vulnerability in kernels prior to 2.2.16
setuid vulnerability in kernels prior to 2.2.16
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: kernel (Show other bugs)
6.2
All Linux
high Severity medium
: ---
: ---
Assigned To: Michael K. Johnson
http://www.securityfocus.com/vdb/bott...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-06-08 04:44 EDT by kenneth_porter
Modified: 2008-05-01 11:37 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-06-22 11:54:47 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Tests for existence of bug, mark executable as setuid and run as non-root to check (292 bytes, text/plain)
2000-06-08 05:25 EDT, kenneth_porter
no flags Details

  None (edit)
Description kenneth_porter 2000-06-08 04:44:28 EDT
From the document on the sendmail.org site:

There is a bug in the Linux kernel capability model for versions
through 2.2.15 that allows local users to get root.  Sendmail is
one of the programs that can be attacked this way.  This problem
may occur in other capabilities-based kernels.

The correct fix is to update your Linux kernel to version
2.2.16.  This is the only way to ensure that other programs
running on Linux cannot be attacked by this bug.
Comment 1 kenneth_porter 2000-06-08 05:25:18 EDT
Created attachment 358 [details]
Tests for existence of bug, mark executable as setuid and run as non-root to check
Comment 2 kenneth_porter 2000-06-08 05:27:13 EDT
The attachment reports no vulnerability on my custom 2.2.14 kernel, but I'd like 
confirmation that I'm testing for the correct symptom.
Comment 3 Jan Iven 2000-06-08 12:26:08 EDT
A possible workaround may be to disable CAP_PSETCAP in the init scripts
(echo 0xFFFFFEFF >/proc/sys/kernel/cap-bound).
Looks like very few applications (compartement) are actually using this at the
moment -- please correct me if I'm wrong.
Comment 4 douglas 2000-06-08 15:02:10 EDT
I know this is a 6.2 bug, but I just tried the exploit under 6.0 with the 
kernel-2.2.5-15 package on two different systems and neither one showed up as 
being vulnerable.  I wonder what versions of RedHat are affected by this...
Comment 5 dayv 2000-06-08 15:09:23 EDT
The problem exists on both my 2.2.5-22 and 2.2.14-5.0 (6.0 and 6.2) systems.
Comment 6 flaps 2000-06-08 15:47:11 EDT
That "test4setuidbug.c" program isn't an adequate test.  You can give up setuid
normally, that's not a problem.  The problem is that if you give up a certain
"capability" in the 2.2 kernel, *then* you can't give up setuid.  And it's
possible to give up this capability as a user.  There is now an exploit program
on bugtraq.

Look at the previous bugtraq posting (also today) containing "blep.c" and
"suidcap.c".  This pair of programs, when used as indicated in that bugtraq
posting, report a problem for redhat linux 6.0 as patched, kernel 2.2.5-22.  And
probably everything else which is 2.2.x as distributed by redhat.

regards,
Comment 7 douglas 2000-06-08 17:42:20 EDT
Anyone have any idea how long it's going to be before RedHat puts out an 
updated package?  I hope they're working on this....

The files you refer to from bugtraq, I went to the www.securityfocus.com web 
site and I couldn't find the post with the better test programs.  Perhaps the 
archiving is a little slow.
Comment 8 kenneth_porter 2000-06-08 20:20:01 EDT
Here's the bugtraq entry:

http://www.securityfocus.com/vdb/bottom.html?vid=1322

I changed the URL entry for this bug to the bugtraq URL.
Comment 9 flaps 2000-06-08 20:28:03 EDT
A good vulnerability-testing program as posted to bugtraq today can be found at
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000608165624.A577@rajpur.iagora.es

Do follow the full set of steps for testing it.  Make "blep" setuid, but
suidcap not.  You run suidcap as a user, then it execs a shell and you run blep.

His suidcap program removes the setuid capability, then runs a shell (which
therefore lacks the setuid capability).  The blep program when run in this
context attempts to give up euid root and fails.

This message was not on the bugtraq archive web page earlier and it is a bit too
long to post directly.

regards,
Comment 10 angrie00 2000-06-09 10:52:47 EDT
That workaround posted above DOES NOT work.  When will RedHat address this 
security problem!?!?!?  It has been out now for two days!  What am I getting 
for the exorbitant amount charged for GPL software?  It sure ain't a quick 
response, maybe it's the bumperstickers!
Comment 11 Jackie Meese 2000-06-19 21:35:12 EDT
http://rufus.w3.org/linux/RPM/rawhide/1.0/i386/RedHat/RPMS/kernel-2.2.16-1.i386.html
and associated RPMS has what you need to update without waiting for RedHat to
test the stability of the new kernel.
Comment 12 Doug Ledford 2000-06-22 11:54:47 EDT
The errata kernel has been released.  The final errata kernel version is
2.2.16-3.  We apologize for the amount of time it took to get this out.

Note You need to log in before you can comment on or make changes to this bug.