Bug 34594 - ptrace/execve race condition still exists in kernel-2.2.17-14
ptrace/execve race condition still exists in kernel-2.2.17-14
Product: Red Hat Linux
Classification: Retired
Component: kernel (Show other bugs)
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Arjan van de Ven
Brock Organ
: Security
: 34058 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2001-04-03 19:45 EDT by Need Real Name
Modified: 2014-01-21 17:48 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-04-17 03:43:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2001-04-03 19:45:32 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.19 i686)

Although kernel-2.2.17-14.src.rpm contains kernel-2.2.19-ptrace.patch,
exploit from the URL still works.

Reproducible: Always
Steps to Reproduce:
1. compile the program from URL
2. run it as an unprivileged user
3. if you did not get root shell, run the program again with a rarely used
suid program (e.g. /usr/bin/gpasswd) as the argument

Actual Results:  root shell

Expected Results:  Exploit fails and prints out an error message.
Comment 1 Jarno Huuskonen 2001-04-04 04:24:45 EDT
Kernel-2.2.19 changelog shows a lot of security related updates. See

Are you going to release an upgraded kernel errata ?

Comment 2 Peter Ajamian 2001-04-04 07:03:22 EDT
Verified, the exploit works on RH 6.0 with kernel-2.2.16-3 (haven't gotten 2.2.17 in yet, but I imagine it'll work there also).  This really
 should be priority high, I quite easily got a root drop on my own system.  This is one any script-kiddie can exploit easily.

Snippet of output (note /usr/local/bin/cvspwd is a suid utility I wrote for the CVS passwd server, I wanted to see it it would truely work
with _any_ suid program):

$./epcs2 /usr/local/bin/cvspwd
bug exploited successfully.
Comment 3 Peter Ajamian 2001-04-05 19:52:33 EDT
Hey, what's going on here?  Two days later and status is _still_ NEW.  This is a 
_serious_ security issue here.  Is anyone even looking into this bug?  Could 
someone at lest reply and say that you know it exists?
Comment 4 Arjan van de Ven 2001-04-05 19:57:57 EDT
We know it exists. We're working on a fix, however this requires careful testing
as not all fixes work properly.
Comment 5 Need Real Name 2001-04-06 10:16:01 EDT
Kernel 2.2.19 was said to fix this.  It does not?  Or may releasing of 2.2.19 cause some other problems?
Comment 6 Seth Vidal 2001-04-06 10:19:04 EDT
There are A LOT of patches that red hat puts into their kernels. Additionally
2.2.19 brings some significant changes to MANY portions of the kernel (namely
nfs client and server and native usb) - there is a lot to test.

Comment 7 Pekka Savola 2001-04-07 18:03:47 EDT
Personally, I'd also like to see:
 * ipv6
 * lm_sensors

stuff built in by default on RHL62 too (the same code base will be used with RHL7, 
where they're built in).  This would make a nice "put to bed" release for RHL62.

There shouldn't be problems with these as they're both built as modules.
Comment 8 Peter Ajamian 2001-04-10 18:56:51 EDT
Tested with kernel 2.2.19:

$ ./epcs2 /usr/bin/passwd
ptrace: PTRACE_ATTACH: Operation not permitted
d0h! error!

Exploit doesn't work (a good thing).

Note that this is just the straight kernel without all the RedHat patches.  Also 
With a minimal selection of options enabled in the config.
Comment 9 Bishop Clark 2001-04-11 15:57:40 EDT
Well, thankfully, the error's been PUBLISHED.  That's excellent, as I'd be upset if every 
skript kiddie in the world didn't know how to do this.  As an added bonus, my shell users
should get a good kick out of this... many of them read sites that grab SF's data.

Comment 10 Milan Kerslager 2001-04-13 08:42:37 EDT
*** Bug 34058 has been marked as a duplicate of this bug. ***
Comment 11 Milan Kerslager 2001-04-13 08:44:19 EDT
As this exploit works on all kernels < 2.2.19 I would be glad if the fixed RPM
will be available as soon as possilbe...
Comment 12 Milan Kerslager 2001-04-17 03:43:21 EDT
Huh, there was advisory 10 days ago:


Also I'm unable to download kernel package with up2date even I upgraded all 
components (up2date too) to their latest version (by up2date). The error 
message I received from up2date is:

There was a fatal error communicating with the server.  The message was:

ERROR: File not found
INFO : Invalid RPM package requested: /var/up2date/packages/7.0/i386/kernel-

        An error has occured while processing your request. If this problem
        persists please submit a bug report to rhn-help@redhat.com.
        If you choose to submit the bug report, please be sure to include
        details of what were you trying to do when this error occured and
        details on how to reproduce this problem.

My system is Red Hat 7.0 and I have kernel-2.2.17-14 package on my system.
Comment 13 Milan Kerslager 2001-04-17 19:21:54 EDT
up2date now works. Viola. Thanx.

Note You need to log in before you can comment on or make changes to this bug.