Bug 11974 - setuid vulnerability in kernels prior to 2.2.16
Summary: setuid vulnerability in kernels prior to 2.2.16
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 6.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Michael K. Johnson
URL: http://www.securityfocus.com/vdb/bott...
 
Reported: 2000-06-08 08:44 UTC by kenneth_porter
Modified: 2008-05-01 15:37 UTC (History)

Doc Type: Bug Fix
Last Closed: 2000-06-22 15:54:47 UTC


Attachments
Tests for existence of bug, mark executable as setuid and run as non-root to check (292 bytes, text/plain)
2000-06-08 09:25 UTC, kenneth_porter

Description kenneth_porter 2000-06-08 08:44:28 UTC
From the document on the sendmail.org site:

There is a bug in the Linux kernel capability model for versions
through 2.2.15 that allows local users to get root.  Sendmail is
one of the programs that can be attacked this way.  This problem
may occur in other capabilities-based kernels.

The correct fix is to update your Linux kernel to version
2.2.16.  This is the only way to ensure that other programs
running on Linux cannot be attacked by this bug.

Comment 1 kenneth_porter 2000-06-08 09:25:18 UTC
Created attachment 358 [details]
Tests for existence of bug, mark executable as setuid and run as non-root to check

Comment 2 kenneth_porter 2000-06-08 09:27:13 UTC
The attachment reports no vulnerability on my custom 2.2.14 kernel, but I'd like 
confirmation that I'm testing for the correct symptom.

Comment 3 Jan Iven 2000-06-08 16:26:08 UTC
A possible workaround may be to disable CAP_PSETCAP in the init scripts
(echo 0xFFFFFEFF >/proc/sys/kernel/cap-bound).
Looks like very few applications (compartment) are actually using this at the
moment -- please correct me if I'm wrong.


Comment 4 douglas 2000-06-08 19:02:10 UTC
I know this is a 6.2 bug, but I just tried the exploit under 6.0 with the 
kernel-2.2.5-15 package on two different systems and neither one showed up as 
being vulnerable.  I wonder what versions of RedHat are affected by this...

Comment 5 dayv 2000-06-08 19:09:23 UTC
The problem exists on both my 2.2.5-22 and 2.2.14-5.0 (6.0 and 6.2) systems.

Comment 6 flaps 2000-06-08 19:47:11 UTC
That "test4setuidbug.c" program isn't an adequate test.  You can give up setuid
normally, that's not a problem.  The problem is that if you give up a certain
"capability" in the 2.2 kernel, *then* you can't give up setuid.  And it's
possible to give up this capability as a user.  There is now an exploit program
on bugtraq.

Look at the previous bugtraq posting (also today) containing "blep.c" and
"suidcap.c".  This pair of programs, when used as indicated in that bugtraq
posting, report a problem for redhat linux 6.0 as patched, kernel 2.2.5-22.  And
probably everything else which is 2.2.x as distributed by redhat.

regards,

Comment 7 douglas 2000-06-08 21:42:20 UTC
Anyone have any idea how long it's going to be before RedHat puts out an 
updated package?  I hope they're working on this....

The files you refer to from bugtraq, I went to the www.securityfocus.com web 
site and I couldn't find the post with the better test programs.  Perhaps the 
archiving is a little slow.

Comment 8 kenneth_porter 2000-06-09 00:20:01 UTC
Here's the bugtraq entry:

http://www.securityfocus.com/vdb/bottom.html?vid=1322

I changed the URL entry for this bug to the bugtraq URL.

Comment 9 flaps 2000-06-09 00:28:03 UTC
A good vulnerability-testing program as posted to bugtraq today can be found at
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000608165624.A577@rajpur.iagora.es

Do follow the full set of steps for testing it.  Make "blep" setuid, but
suidcap not.  You run suidcap as a user, then it execs a shell and you run blep.

His suidcap program removes the setuid capability, then runs a shell (which
therefore lacks the setuid capability).  The blep program when run in this
context attempts to give up euid root and fails.

This message was not on the bugtraq archive web page earlier and it is a bit too
long to post directly.

regards,
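Comments 6 and 9 describe the failure mode: a setuid-root program calls setuid() to give up root, the call fails, and the program carries on as root. The defensive pattern is to treat a failed setuid()/setgid() as fatal and then verify the drop by re-reading the ids, rather than trusting the return code alone. The routine below is an added example; it is not code from this bug report, from the bugtraq posting, or from sendmail, and the function names drop_privileges and verify_dropped are this example's own. It assumes a Linux/glibc build and a program that wants to fall permanently from root to the caller's uid/gid.

```c
/* Added example (not from the bug report): drop privileges and verify the
 * drop, refusing to continue if the kernel did not actually honour it. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if real/effective ids match the target and, for a non-root
 * target, root can no longer be regained; 0 otherwise. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0) {
        /* If the saved uid were still 0 this would succeed: that is the
         * "gave up euid root and failed" situation this bug is about. */
        if (setuid(0) == 0)
            return 0;
    }
    return 1;
}

/* Permanently drop to uid/gid. Returns 0 on verified success, -1 if any
 * step failed; the caller must exit rather than keep running as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Groups before uid: once uid 0 is gone, gid changes are refused. */
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;
    /* A zero return is not proof; re-check what the kernel reports. */
    return verify_dropped(uid, gid) ? 0 : -1;
}

int main(void)
{
    /* Demo: drop to the invoking user's real ids. Unprivileged runs are a
     * no-op drop; a setuid-root binary would pass the caller's ids here. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fputs("privilege drop failed; refusing to continue\n", stderr);
        return 1;
    }
    printf("running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

The order of operations matters: supplementary groups and the gid are changed while the process is still root, because after the uid drop the kernel refuses those changes. The final verify step is what turns a silently failed setuid() into a hard error instead of a process that keeps running as root.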

Comment 10 angrie00 2000-06-09 14:52:47 UTC
That workaround posted above DOES NOT work.  When will RedHat address this 
security problem!?!?!?  It has been out now for two days!  What am I getting 
for the exorbitant amount charged for GPL software?  It sure ain't a quick 
response, maybe it's the bumperstickers!

Comment 11 Jackie Meese 2000-06-20 01:35:12 UTC
http://rufus.w3.org/linux/RPM/rawhide/1.0/i386/RedHat/RPMS/kernel-2.2.16-1.i386.html
and associated RPMS has what you need to update without waiting for RedHat to
test the stability of the new kernel.

Comment 12 Doug Ledford 2000-06-22 15:54:47 UTC
The errata kernel has been released.  The final errata kernel version is
2.2.16-3.  We apologize for the amount of time it took to get this out.

