[linux-security] local root exploit in linux 2.4 kernel
- To: linux-security
- Subject: [linux-security] local root exploit in linux 2.4 kernel
- From: Martin Siegert <siegert@sfu.ca>
- Date: Thu, 3 Apr 2003 19:31:11 -0800
- User-Agent: Mutt/1.4i
Topic
=====
local root exploit in linux kernel
Problem Description
===================
The Linux kernel has a security flaw that is known as the ptrace/modprobe bug:
a local attacker can use ptrace to attach to the modprobe process that is
spawned when a user triggers the loading of a kernel module through the kmod
kernel module subsystem. This can be done by asking for network protocols
that are supplied by kernel modules which are not loaded (yet). The
vulnerability allows the attacker to execute arbitrary commands as root.
Affected Versions
=================
All 2.4.x versions of the Linux kernel
Workaround
==========
There exists a temporary workaround against this flaw: it is possible
to temporarily disable the kmod kernel module loading subsystem in the
kernel after all necessary kernel modules have been loaded. If the
temporary workaround is chosen, make sure that no additional kernel
modules need to be loaded afterwards (such as ISDN drivers, SCSI
subsystem drivers, or filesystem drivers such as the iso9660 filesystem
for CD-ROMs and the language codepages).
To disable the kmod kernel module loading subsystem, use the following
command as root:
echo /no/such_file > /proc/sys/kernel/modprobe
If this command is inserted into a boot script that runs after all
services in a runlevel have been launched, it is an effective
permanent solution.
This workaround can be reverted by writing the original content
("/sbin/modprobe") back to the /proc/sys/kernel/modprobe file.
Please note that it is still possible for the root user to manually
load kernel modules.
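The following helper script is an added example and is not part of the original advisory. It wraps the workaround above in three small functions: one that audits whether /proc/sys/kernel/modprobe still points at an executable helper (i.e. whether kmod autoloading can still spawn modprobe), one that applies the workaround while saving the original value so it can be undone, and one that reverts it. Each function takes the path of the sysctl file as an argument (an assumption made here for testability), so the logic can be exercised against a temporary file before it is run as root against the live kernel. The sentinel path /no/such_file is the one used in the advisory; any non-existent path works.

```shell
#!/bin/sh
# Added example (not from the advisory): audit, apply and revert the
# "point the kmod helper at a non-existent file" workaround.
# All functions take the sysctl file path as $1 so they can be run
# against a fixture instead of the live /proc/sys/kernel/modprobe.

# Sentinel from the advisory; any path that does not exist will do.
KMOD_DISABLED_HELPER=/no/such_file

# kmod_helper_status FILE
#   Prints "disabled" when the helper configured in FILE does not exist
#   as an executable (kmod cannot spawn it), "enabled" when it does,
#   "unreadable" when FILE cannot be read.
#   Exit status: 0 disabled, 1 enabled, 2 unreadable.
kmod_helper_status() {
    helper=$(cat "$1" 2>/dev/null) || { echo unreadable; return 2; }
    if [ -n "$helper" ] && [ -x "$helper" ]; then
        echo enabled
        return 1
    fi
    echo disabled
    return 0
}

# kmod_workaround_apply FILE BACKUP
#   Saves the current helper path into BACKUP, then points FILE at the
#   sentinel. Refuses to run if BACKUP already exists, so a second
#   invocation cannot overwrite the saved original value.
kmod_workaround_apply() {
    file=$1
    backup=$2
    if [ -e "$backup" ]; then
        echo "backup $backup already exists, not applying" >&2
        return 1
    fi
    cat "$file" > "$backup" || return 1
    printf '%s\n' "$KMOD_DISABLED_HELPER" > "$file"
}

# kmod_workaround_revert FILE BACKUP
#   Restores the helper path saved by kmod_workaround_apply and removes
#   the backup once it has been written back.
kmod_workaround_revert() {
    file=$1
    backup=$2
    [ -r "$backup" ] || { echo "no backup at $backup" >&2; return 1; }
    cat "$backup" > "$file" && rm -f "$backup"
}

# Usage against the live kernel (requires root), e.g. from a late boot
# script once every module the system needs has been loaded:
#   kmod_workaround_apply  /proc/sys/kernel/modprobe /root/modprobe.orig
#   kmod_helper_status     /proc/sys/kernel/modprobe   # prints "disabled"
#   kmod_workaround_revert /proc/sys/kernel/modprobe /root/modprobe.orig
```

Keeping the original value in a backup file rather than hard-coding "/sbin/modprobe" matters on systems where the helper lives elsewhere; the revert step then restores exactly what was there. Running kmod_helper_status from a cron job or monitoring check gives a cheap way to confirm the workaround has not been undone by a later boot script.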
Solution
========
Upgrade to the patched version of the 2.4 kernel for your distribution.
Note that check-rpms will not perform kernel updates (although it
will list vulnerable kernel packages). New kernel packages should
always be installed using
rpm -ivh <kernel package>
[the next version of check-rpms will support kernel installations].
RedHat 7.1, 7.2, 7.3
--------------------
rpm -Fvh kernel-source-2.4.18-27.7.x.i386.rpm \
kernel-doc-2.4.18-27.7.x.i386.rpm
rpm -ivh kernel<type>-2.4.18-27.7.x.<arch>.rpm
where <type> is either empty or -smp, -bigmem or -debug and <arch> is
i386, i586, i686, or athlon.
RedHat 8.0
----------
rpm -Fvh kernel-source-2.4.18-27.8.0.i386.rpm \
kernel-doc-2.4.18-27.8.0.i386.rpm
rpm -ivh kernel<type>-2.4.18-27.8.0.<arch>.rpm
where <type> is either empty or -smp, -bigmem or -debug and <arch> is
i386, i586, i686, or athlon.
RedHat 9
--------
not vulnerable.
Mandrake 9.0
------------
rpm -Fvh kernel-source-2.4.19-32mdk.i586.rpm
rpm -ivh kernel<type>-2.4.19.32mdk-1-1mdk.i586.rpm
where <type> is either empty or -smp, -secure, or -enterprise.
SuSE
----
Please see http://www.suse.com/de/security/2003_21_kernel.html
for detailed installation instructions.
<type> in the following is one of:
  smp     for SMP systems (Pentium-II and above)
  psmp    for Pentium-I dual processor systems
  orig    kernel built with unmodified sources
  athlon  for AMD Athlon family processors
  i386    for older processors and chipsets
  deflt   default kernel, good for most systems
  debug   for kernel debugging purposes
rpm -qf /boot/vmlinuz will show you the correct kernel rpm type.
SuSE-7.x
--------
rpm -Fvh kernel-source-2.4.18.SuSE-150.i386.rpm
rpm -ivh k_<type>-2.4.18-<rel>.i386.rpm
where <rel>=244 for <type>=smp, 243 for psmp, 237 for i386, 262 for deflt
SuSE-8.0
--------
rpm -Fvh kernel-source-2.4.18.SuSE-149.i386.rpm
rpm -ivh k_<type>-2.4.18-<rel>.i386.rpm
where <rel>=243 for <type>=smp, 242 for psmp, 170 for orig, 236 for i386,
261 for deflt
SuSE-8.1
--------
rpm -Fvh kernel-source-2.4.19.SuSE-175.i586.rpm
rpm -ivh k_<type>-2.4.19-<rel>.i586.rpm
where <rel>=257 for <type>=smp, 263 for psmp, 274 for deflt, 213 for debug,
263 for athlon