Red Hat Bugzilla – Bug 34594
ptrace/execve race condition still exists in kernel-2.2.17-14
Last modified: 2014-01-21 17:48:01 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.19 i686)
Although kernel-2.2.17-14.src.rpm contains kernel-2.2.19-ptrace.patch,
the exploit from the URL still works.
Steps to Reproduce:
1. compile the program from URL
2. run it as an unprivileged user
3. if you did not get root shell, run the program again with a rarely used
suid program (e.g. /usr/bin/gpasswd) as the argument
Actual Results: root shell
Expected Results: Exploit fails and prints out an error message.
Kernel-2.2.19 changelog shows a lot of security related updates. See
Are you going to release an upgraded kernel errata?
Verified, the exploit works on RH 6.0 with kernel-2.2.16-3 (haven't gotten 2.2.17 in yet, but I imagine it'll work there also). This really
should be priority high, I quite easily got a root drop on my own system. This is one any script-kiddie can exploit easily.
Snippet of output (note /usr/local/bin/cvspwd is a suid utility I wrote for the CVS passwd server, I wanted to see if it would truly work
with _any_ suid program):
bug exploited successfully.
Hey, what's going on here? Two days later and status is _still_ NEW. This is a
_serious_ security issue here. Is anyone even looking into this bug? Could
someone at least reply and say that you know it exists?
We know it exists. We're working on a fix, however this requires careful testing
as not all fixes work properly.
Kernel 2.2.19 was said to fix this. It does not? Or may releasing of 2.2.19 cause some other problems?
There are A LOT of patches that Red Hat puts into their kernels. Additionally
2.2.19 brings some significant changes to MANY portions of the kernel (namely
nfs client and server and native usb) - there is a lot to test.
Personally, I'd also like to see:
stuff built in by default on RHL62 too (the same code base will be used with RHL7,
where they're built in). This would make a nice "put to bed" release for RHL62.
There shouldn't be problems with these as they're both built as modules.
Tested with kernel 2.2.19:
$ ./epcs2 /usr/bin/passwd
ptrace: PTRACE_ATTACH: Operation not permitted
Exploit doesn't work (a good thing).
Note that this is just the straight kernel without all the RedHat patches. Also
with a minimal selection of options enabled in the config.
Well, thankfully, the error's been PUBLISHED. That's excellent, as I'd be upset if every
skript kiddie in the world didn't know how to do this. As an added bonus, my shell users
should get a good kick out of this... many of them read sites that grab SF's data.
*** Bug 34058 has been marked as a duplicate of this bug. ***
As this exploit works on all kernels < 2.2.19 I would be glad if the fixed RPM
will be available as soon as possible...
Huh, there was advisory 10 days ago:
Also I'm unable to download the kernel package with up2date even though I upgraded all
components (up2date too) to their latest version (by up2date). The error
message I received from up2date is:
There was a fatal error communicating with the server. The message was:
ERROR: File not found
INFO : Invalid RPM package requested: /var/up2date/packages/7.0/i386/kernel-
An error has occured while processing your request. If this problem
persists please submit a bug report to email@example.com.
If you choose to submit the bug report, please be sure to include
details of what were you trying to do when this error occured and
details on how to reproduce this problem.
My system is Red Hat 7.0 and I have kernel-2.2.17-14 package on my system.
up2date now works. Voilà. Thanx.