Bug 11998 - Local root vulnerability in the kernel capabilities feature
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 6.2
Hardware: i386 Linux
Priority: high, Severity: medium
Assigned To: Michael K. Johnson
Keywords: Security
Reported: 2000-06-08 18:17 EDT by Joe
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-06-22 14:17:21 EDT
Description Joe 2000-06-08 18:17:37 EDT
---------- Forwarded message ----------
Date: Thu, 8 Jun 2000 11:30:15 +0200
Subject: Re: local root on linux 2.2.15
From: Rogier Wolff <R.E.Wolff@BITWIZARD.NL>
To: BUGTRAQ@SECURITYFOCUS.COM

Wojciech Purczynski (wp@elzabsoft.pl) found this and wrote a
proof-of-concept exploit. He discussed this with the appropriate
people to make sure fixes were available before he would release
the exploit and the story.

In the meanwhile, hints about this have leaked, and it seems someone
put all the hints together, and found out what was going on. By now a
fix is available for the Linux kernel, and the workaround in sendmail.

Peter van Dijk wrote:
> I do not have complete info right now, but here's the scoop:
> Local users can gain root thru a _kernel_ bug in linux 2.2.15 and some
> earlier versions. This is fixed in 2.2.16pre6. Linux 2.0.x is not
> vulnerable, I do not know of any other vulnerable OSes.

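From: Roger Espel Llima <espel@IAGORA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Here's some code to test whether giving up root works:

------- blep.c
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>

int main(void)
{
        /* Needs effective uid 0; the result is only meaningful when the
           real uid is non-root (e.g. a setuid-root copy of this binary
           run by an ordinary user). */
        if (geteuid()) {
          printf("Run me as root please\n");
          exit(1);
        }
        printf("BEFORE: %d %d\n", (int)getuid(), (int)geteuid());
        setuid(getuid());       /* should give up root for good */
        printf("GAVE UP: %d %d\n", (int)getuid(), (int)geteuid());
        setuid(0);              /* must fail if root was really dropped */
        printf("GOT BACK: %d %d\n", (int)getuid(), (int)geteuid());
        /* Either ID back at 0 means the drop was not permanent. */
        if (!geteuid() || !getuid()) printf("PROBLEM!!\n");
        return 0;
}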
Roger Espel Llima <espel@IAGORA.NET>
for the code to disable the CAP_SETUID capability.
I don't want to post it here.
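
Added example (not part of the original report or the Bugtraq posts): the defensive counterpart to blep.c, a privilege drop that checks every return value, re-reads the IDs, and confirms that root cannot be regained before it reports success. The function names and the fallback id 65534 are assumptions made for illustration.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 only if real and effective IDs both equal the target (hypothetical helper). */
int ids_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/*
 * Permanently switch to an unprivileged uid/gid.
 * Returns 0 only when the drop is verified; -1 means the caller must abort
 * instead of continuing with whatever privileges are left.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {                 /* dropping "to root" is a caller bug */
        errno = EINVAL;
        return -1;
    }
    /* Order matters: groups and gid first, while we may still change them. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Do not trust the return values alone: re-read the IDs ... */
    if (!ids_match(uid, gid))
        return -1;
    /* ... and prove root cannot be regained through a surviving saved uid. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Assumed target: the invoking user, or 65534 when started by real root. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getuid() ? getgid() : 65534;
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%d gid=%d, root not recoverable\n", (int)uid, (int)gid);
    return 0;
}
```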
Comment 2 Michael K. Johnson 2000-07-31 17:29:11 EDT
http://www.redhat.com/support/errata/RHSA-2000-037-05.html
