Red Hat Bugzilla – Bug 11974
setuid vulnerability in kernels prior to 2.2.16
Last modified: 2008-05-01 11:37:55 EDT
From the document on the sendmail.org site:
There is a bug in the Linux kernel capability model for versions
through 2.2.15 that allows local users to get root. Sendmail is
one of the programs that can be attacked this way. This problem
may occur in other capabilities-based kernels.
The correct fix is to update your Linux kernel to version
2.2.16. This is the only way to ensure that other programs
running on Linux cannot be attacked by this bug.
Created attachment 358
Tests for existence of bug, mark executable as setuid and run as non-root to check
The attachment reports no vulnerability on my custom 2.2.14 kernel, but I'd like
confirmation that I'm testing for the correct symptom.
A possible workaround may be to disable CAP_SETPCAP in the init scripts
(echo 0xFFFFFEFF >/proc/sys/kernel/cap-bound).
Looks like very few applications (compartment) are actually using this at the
moment -- please correct me if I'm wrong.
I know this is a 6.2 bug, but I just tried the exploit under 6.0 with the
kernel-2.2.5-15 package on two different systems and neither one showed up as
being vulnerable. I wonder what versions of RedHat are affected by this...
The problem exists on both my 2.2.5-22 and 2.2.14-5.0 (6.0 and 6.2) systems.
That "test4setuidbug.c" program isn't an adequate test. You can give up setuid
normally, that's not a problem. The problem is that if you give up a certain
"capability" in the 2.2 kernel, *then* you can't give up setuid. And it's
possible to give up this capability as a user. There is now an exploit program
Look at the previous bugtraq posting (also today) containing "blep.c" and
"suidcap.c". This pair of programs, when used as indicated in that bugtraq
posting, report a problem for redhat linux 6.0 as patched, kernel 2.2.5-22. And
probably everything else which is 2.2.x as distributed by redhat.
Anyone have any idea how long it's going to be before RedHat puts out an
updated package? I hope they're working on this....
As for the files you refer to from bugtraq, I went to the www.securityfocus.com web
site and I couldn't find the post with the better test programs. Perhaps the
archiving is a little slow.
Here's the bugtraq entry:
I changed the URL entry for this bug to the bugtraq URL.
A good vulnerability-testing program as posted to bugtraq today can be found at
Do follow the full set of steps for testing it. Make "blep" setuid, but
suidcap not. You run suidcap as a user, then it execs a shell and you run blep.
His suidcap program removes the setuid capability, then runs a shell (which
therefore lacks the setuid capability). The blep program, when run in this
context, attempts to give up euid root and fails.
This message was not on the bugtraq archive web page earlier and it is a bit too
long to post directly.
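The symptom described in that comment is a setuid() call that is refused and leaves the program running with euid 0. The C routine below is added here as an illustration of the defensive side and is not taken from the bug report, its attachment, or the bugtraq test programs: it drops privileges with every call checked and then re-reads the ids, so a refused setuid() cannot go unnoticed. The function name drop_privileges and its uid/gid parameters are this example's own choices.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Returns 0 on success, -1 (errno set) on any
 * failure. Added example code; the name and argument choice are ours. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups and gid first: after the uid change we would no
     * longer have the privilege to alter them. Only root may call setgroups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setregid(gid, gid) != 0)
        return -1;
    /* Real, effective and saved uid all move to the target, so the process
     * cannot return to root with a later setuid()/seteuid(). */
    if (setreuid(uid, uid) != 0)
        return -1;

    /* Do not trust the return codes alone: re-read the ids. This is the check
     * that catches the failure mode in this bug, where the kernel refuses the
     * change and a program that does not look keeps euid 0. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* If we intended to leave root, regaining it must now be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* When started as a setuid-root binary, getuid() is the invoking user. */
    uid_t target = getuid();
    gid_t tgid = getgid();

    printf("before: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (drop_privileges(target, tgid) != 0) {
        perror("drop_privileges refused; must not continue as root");
        return 1;
    }
    printf("after:  uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user the drop is a no-op and succeeds; installed setuid root, a refused setreuid() or a mismatch between the requested and observed ids makes the function fail, which is the point: the caller must treat that failure as fatal rather than carry on as root.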
That workaround posted above DOES NOT work. When will RedHat address this
security problem!?!?!? It has been out now for two days! What am I getting
for the exorbitant amount charged for GPL software? It sure ain't a quick
response, maybe it's the bumperstickers!
and associated RPMS has what you need to update without waiting for RedHat to
test the stability of the new kernel.
The errata kernel has been released. The final errata kernel version is
2.2.16-3. We apologize for the amount of time it took to get this out.