From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.19 i686)

Although kernel-2.2.17-14.src.rpm contains kernel-2.2.19-ptrace.patch, the exploit from the URL still works.

Reproducible: Always

Steps to Reproduce:
1. compile the program from the URL
2. run it as an unprivileged user
3. if you did not get a root shell, run the program again with a rarely used suid program (e.g. /usr/bin/gpasswd) as the argument

Actual Results: root shell

Expected Results: Exploit fails and prints out an error message.
The kernel 2.2.19 changelog shows a lot of security-related updates. See http://www.linux.org.uk/VERSION/relnotes.2219.html Are you going to release an upgraded kernel errata?
Verified, the exploit works on RH 6.0 with kernel-2.2.16-3 (haven't gotten 2.2.17 in yet, but I imagine it'll work there also). This really should be priority high; I quite easily got a root drop on my own system. This is one any script-kiddie can exploit easily. Snippet of output (note /usr/local/bin/cvspwd is a suid utility I wrote for the CVS passwd server; I wanted to see if it would truly work with _any_ suid program):

$ ./epcs2 /usr/local/bin/cvspwd
bug exploited successfully. enjoy!
bash#
Hey, what's going on here? Two days later and status is _still_ NEW. This is a _serious_ security issue here. Is anyone even looking into this bug? Could someone at least reply and say that you know it exists?
We know it exists. We're working on a fix, however this requires careful testing as not all fixes work properly.
Kernel 2.2.19 was said to fix this. It does not? Or might releasing 2.2.19 cause some other problems?
There are A LOT of patches that Red Hat puts into their kernels. Additionally, 2.2.19 brings some significant changes to MANY portions of the kernel (namely NFS client and server and native USB); there is a lot to test.
Personally, I'd also like to see:
* ipv6
* lm_sensors stuff built in by default on RHL62 too (the same code base will be used with RHL7, where they're built in).

This would make a nice "put to bed" release for RHL62. There shouldn't be problems with these as they're both built as modules.
Tested with kernel 2.2.19:

$ ./epcs2 /usr/bin/passwd
ptrace: PTRACE_ATTACH: Operation not permitted
d0h! error!

Exploit doesn't work (a good thing). Note that this is just the straight kernel without all the Red Hat patches, also with a minimal selection of options enabled in the config.
Well, thankfully, the error's been PUBLISHED. That's excellent, as I'd be upset if every skript kiddie in the world didn't know how to do this. As an added bonus, my shell users should get a good kick out of this... many of them read sites that grab SF's data. http://www.securityfocus.com/advisories/3206
*** Bug 34058 has been marked as a duplicate of this bug. ***
As this exploit works on all kernels < 2.2.19, I would be glad if the fixed RPM were made available as soon as possible...
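The thread reports two data points an administrator can act on: the unpatched 2.2.19 refuses PTRACE_ATTACH to a setuid program, and the Red Hat 2.2.17-14 package is still exploitable despite carrying a backported ptrace patch. The script below is an added example, not part of the bug report or of any Red Hat tooling; it takes 2.2.19 as the threshold solely because that is what the comments above report, and it deliberately ignores the RPM release suffix (the "-14") because the report says that suffix did not indicate a working fix. Function names and the constructed sample versions are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag kernel versions below the
# release the thread reports as refusing PTRACE_ATTACH to setuid programs.
# Accepts RPM-style "2.2.17-14" and uname-style "2.2.19smp" strings.

FIXED_VERSION="2.2.19"   # threshold taken from the thread's reports, not an official cutoff

# upstream_version VERSION: strip the RPM release tag ("-14") and any local
# suffix ("smp", "pre3"), leaving only the upstream dotted version.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/-.*//' -e 's/[^0-9.].*//'
}

# version_lt A B: exit status 0 (true) when upstream version A sorts before B.
# Missing fields are padded with 0, so "2.2" compares as "2.2.0".
version_lt() {
    va=$(upstream_version "$1"); vb=$(upstream_version "$2")
    set -- $(printf '%s' "$va" | tr '.' ' ') 0 0 0; a1=$1; a2=$2; a3=$3
    set -- $(printf '%s' "$vb" | tr '.' ' ') 0 0 0; b1=$1; b2=$2; b3=$3
    if   [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]
    elif [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]
    else [ "$a3" -lt "$b3" ]
    fi
}

# check_kernel VERSION: print a verdict for one kernel version string.
# Always exits 0 so it can be used safely inside command substitution.
check_kernel() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "affected"       # below the version the thread reports as fixed
    else
        echo "not-affected"
    fi
    return 0
}

# Demo over constructed sample versions from the thread plus the running kernel.
for v in "2.2.16-3" "2.2.17-14" "2.2.19" "$(uname -r)"; do
    printf '%-16s %s\n' "$v" "$(check_kernel "$v")"
done
```

Run it on each host, or feed it the output of `rpm -q kernel`, to get a quick inventory of machines still on the affected range; it is a version check only and does not touch ptrace itself.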
Huh, there was an advisory 10 days ago:
http://www.redhat.com/support/errata/RHSA-2001-047.html
ftp://updates.redhat.com/7.0/en/os/i386/*

Also, I'm unable to download the kernel package with up2date even though I upgraded all components (up2date too) to their latest version (by up2date). The error message I received from up2date is:

There was a fatal error communicating with the server. The message was:
ERROR: File not found
INFO : Invalid RPM package requested: /var/up2date/packages/7.0/i386/kernel-2.2.17-14.*.rpm
An error has occured while processing your request. If this problem persists please submit a bug report to rhn-help. If you choose to submit the bug report, please be sure to include details of what were you trying to do when this error occured and details on how to reproduce this problem.

My system is Red Hat 7.0 and I have the kernel-2.2.17-14 package on my system.
up2date now works. Viola. Thanx.