From the document on the sendmail.org site: There is a bug in the Linux kernel capability model for versions through 2.2.15 that allows local users to get root. Sendmail is one of the programs that can be attacked this way. This problem may occur in other capabilities-based kernels. The correct fix is to update your Linux kernel to version 2.2.16. This is the only way to ensure that other programs running on Linux cannot be attacked by this bug.
Created attachment 358: Tests for existence of bug; mark executable as setuid and run as non-root to check
The attachment reports no vulnerability on my custom 2.2.14 kernel, but I'd like confirmation that I'm testing for the correct symptom.
A possible workaround may be to disable CAP_SETPCAP in the init scripts (echo 0xFFFFFEFF >/proc/sys/kernel/cap-bound). Looks like very few applications (compartment) are actually using this at the moment -- please correct me if I'm wrong.
I know this is a 6.2 bug, but I just tried the exploit under 6.0 with the kernel-2.2.5-15 package on two different systems and neither one showed up as being vulnerable. I wonder what versions of RedHat are affected by this...
The problem exists on both my 2.2.5-22 and 2.2.14-5.0 (6.0 and 6.2) systems.
That "test4setuidbug.c" program isn't an adequate test. You can give up setuid normally; that's not a problem. The problem is that if you give up a certain "capability" in the 2.2 kernel, *then* you can't give up setuid. And it's possible to give up this capability as a user. There is now an exploit program on bugtraq. Look at the previous bugtraq posting (also today) containing "blep.c" and "suidcap.c". This pair of programs, when used as indicated in that bugtraq posting, report a problem for Red Hat Linux 6.0 as patched, kernel 2.2.5-22. And probably everything else which is 2.2.x as distributed by Red Hat. regards,
Anyone have any idea how long it's going to be before RedHat puts out an updated package? I hope they're working on this.... As for the files you refer to from bugtraq, I went to the www.securityfocus.com web site and couldn't find the post with the better test programs. Perhaps the archiving is a little slow.
Here's the bugtraq entry: http://www.securityfocus.com/vdb/bottom.html?vid=1322 I changed the URL entry for this bug to the bugtraq URL.
A good vulnerability-testing program as posted to bugtraq today can be found at http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000608165624.A577@rajpur.iagora.es Do follow the full set of steps for testing it. Make "blep" setuid, but suidcap not. You run suidcap as a user, then it execs a shell and you run blep. His suidcap program removes the setuid capability, then runs a shell (which therefore lacks the setuid capability). The blep program when run in this context attempts to give up euid root and fails. This message was not on the bugtraq archive web page earlier and it is a bit too long to post directly. regards,
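The two comments above come down to one defensive point: a setuid-root program that calls setuid() to give up root must not assume the call succeeded, because on an affected 2.2 kernel a caller who has removed the setuid capability makes that call fail while the program keeps euid 0. The following is an added example, not code from this bug report, from sendmail or from the bugtraq posting; the function names drop_privileges and verify_uids are my own. It checks the return value, re-reads the real and effective UIDs, and confirms that root cannot be regained before the program continues.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example (not from the thread or from sendmail): a privilege drop
 * that treats a failing setuid() as fatal instead of silently carrying on
 * with root privileges. */

/* Return 0 if both the real and effective UID now equal target, -1 otherwise. */
int verify_uids(uid_t target) {
    if (getuid() != target)
        return -1;
    if (geteuid() != target)
        return -1;
    return 0;
}

/* Drop to target (normally the caller's real UID) and verify the result.
 * Returns 0 only when the drop is confirmed, -1 on any failure. */
int drop_privileges(uid_t target) {
    /* This is the call that fails on the affected kernels when the caller
     * has stripped the setuid capability; the return value must be checked. */
    if (setuid(target) != 0) {
        perror("setuid");
        return -1;
    }

    /* Do not trust the return value alone: read the IDs back. */
    if (verify_uids(target) != 0) {
        fprintf(stderr, "uid check failed after setuid()\n");
        return -1;
    }

    /* If we dropped from root, regaining root must now be impossible.
     * A setuid(0) that succeeds here means privileges were never really
     * given up (saved UID still 0), so refuse to continue. */
    if (target != 0 && setuid(0) == 0) {
        fprintf(stderr, "root privileges could be regained after drop\n");
        return -1;
    }
    return 0;
}

int main(void) {
    uid_t caller = getuid();
    if (drop_privileges(caller) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return EXIT_FAILURE;
    }
    printf("running as uid %u, privilege drop verified\n", (unsigned)caller);
    return EXIT_SUCCESS;
}
```

Run as an ordinary user it simply confirms the (trivial) drop; installed setuid root, it exits instead of continuing whenever setuid() returns an error or the effective UID is still 0, which is exactly the condition the blep/suidcap pair in this thread provokes.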
That workaround posted above DOES NOT work. When will RedHat address this security problem!?!?!? It has been out now for two days! What am I getting for the exorbitant amount charged for GPL software? It sure ain't a quick response, maybe it's the bumper stickers!
http://rufus.w3.org/linux/RPM/rawhide/1.0/i386/RedHat/RPMS/kernel-2.2.16-1.i386.html and associated RPMS has what you need to update without waiting for RedHat to test the stability of the new kernel.
The errata kernel has been released. The final errata kernel version is 2.2.16-3. We apologize for the amount of time it took to get this out.