
[linux-security] local root exploit in Linux kernel



Topic
=====
local root exploit in Linux kernel.

Problem Description
===================
There is a race condition between ptrace and execve in Linux 2.2.x kernels
that can be exploited to gain root: a local user can keep a process under
ptrace control while it executes a setuid-root program and thereby run
code with root privileges. This is a local exploit, i.e., an account on
the system is necessary for the exploit to succeed. Nevertheless, the
exploit is absolutely trivial: its source has been published, and it is
trivial to compile and run.
I myself have successfully tested the exploit on RedHat 6.2 and 7.0
with kernel versions 2.2.16-22 and 2.2.17-14.

Affected Systems
================
All Linux systems running a 2.2.x kernel with x < 19
(i.e., the recently released RedHat 2.2.17 kernel is also vulnerable).
The picture is unclear for kernel versions 2.4.x: the published exploit
does not work on 2.4.2 (I have tested this); however, there are indications
that the exploit can be rewritten so that it would also work on 2.4.x with
x < 3.

Solution
========
Upgrade to kernel version 2.2.19 (for 2.2.x systems) or 2.4.3 (for 2.4.x
systems).
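As an added example (not part of the original advisory), the following
POSIX sh script classifies a kernel version string against the affected
ranges stated above (2.2.x with x < 19, 2.4.x with x < 3), so that the
check can be run on every host instead of reading uname output by hand.
It strips vendor suffixes such as "-22", flavour suffixes such as "smp",
and treats pre-release versions ("2.2.19pre17") as older than the release
they precede; anything outside the 2.2 and 2.4 series is reported as not
in range, since the advisory makes no statement about it.

```shell
#!/bin/sh
# Added example, not part of the original advisory: classify a kernel
# version string against the affected ranges stated in the advisory
# (2.2.x with x < 19, 2.4.x with x < 3).  POSIX sh only.

# kernel_is_affected VERSION
# Exit status 0 if VERSION is in an affected range, 1 otherwise.
# Handles vendor suffixes ("2.2.16-22"), flavour suffixes ("2.4.3smp")
# and pre-release versions ("2.2.19pre17" is older than 2.2.19).
kernel_is_affected() {
    base=${1%%-*}               # drop vendor suffix: 2.2.16-22 -> 2.2.16
    old_ifs=$IFS
    IFS=.
    set -- $base                # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=$1
    minor=$2
    tail=$3
    patch=${tail%%[!0-9]*}      # leading digits only: 3smp -> 3
    patch=${patch:-0}
    case "$tail" in
        *pre*) patch=$((patch - 1)) ;;   # 19pre17 sorts before 19
    esac
    case "$major.$minor" in
        2.2) [ "$patch" -lt 19 ] ;;
        2.4) [ "$patch" -lt 3 ] ;;
        *)   return 1 ;;        # series the advisory says nothing about
    esac
}

# check_running_kernel
# Reports on the kernel this script runs under; exit status as above.
check_running_kernel() {
    running=$(uname -r)
    if kernel_is_affected "$running"; then
        echo "$running: in the affected range, upgrade to 2.2.19 or 2.4.3"
        return 0
    fi
    echo "$running: not in the affected range"
    return 1
}
```

Run check_running_kernel on each host, or feed kernel_is_affected the
version strings collected from an inventory; the exit status makes it
usable from cron or a loop over ssh.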

Remarks
=======
I have not seen any new kernel release from vendors (RedHat, Debian, Caldera,
etc.) although the exploit has been public since March 27. Hence, there are no
rpms, debs, etc. available yet. Therefore, if you want to upgrade you must
compile the kernel yourself.
Several issues should be taken into account:
1) Compiling the kernel is a nontrivial task, especially if you have not done
   this before.
2) Since this is "only" a local exploit, you may choose to postpone the
   kernel upgrade until a new kernel is released for your distribution, if
   all of the following are true:
   a) you can trust your users not to exploit the system;
   b) your users handle their passwords responsibly, so that the password
      of any account does not leak to anybody else;
   c) your users' passwords cannot be sniffed on the network. This requires
      the use of ssh and scp by all users; telnet and ftp must not be used.
3) Even if you are the only user on your system and you choose not to
   upgrade until compiled versions of the new kernel are released (i.e.,
   rpms and debs), you must make sure that passwords cannot be sniffed
   (use ssh/scp).
Keep in mind that any other way for an outsider to obtain an unprivileged
shell (a leaked password, a bug in a network service) turns this local
exploit into a remote root compromise.
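As an added example (not part of the original advisory), the following
POSIX sh script checks an inetd.conf for services that carry passwords in
the clear and produces a copy with those lines commented out. The service
list is limited to telnet and ftp, the two the advisory names, and is kept
in a variable so that it can be extended. The inetd.conf fragment in the
script is constructed for the example; the path to a real inetd.conf,
the restart of inetd afterwards, and the installation of an ssh server are
left to the administrator.

```shell
#!/bin/sh
# Added example, not part of the original advisory: find services in an
# inetd.conf that carry passwords in the clear (the advisory names telnet
# and ftp) and produce a copy with those lines commented out.  The sample
# inetd.conf below is constructed for this example.

CLEARTEXT_SERVICES="telnet ftp"

# list_cleartext_services FILE
# Prints the service name of every enabled (uncommented) line in FILE
# whose service is in CLEARTEXT_SERVICES.
list_cleartext_services() {
    awk -v svcs="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        ($1 in want) { print $1 }
    ' "$1"
}

# disable_cleartext_services IN OUT
# Writes IN to OUT with matching enabled lines commented out, so that the
# line count is unchanged and the change is easy to review with diff.
disable_cleartext_services() {
    awk -v svcs="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        !/^[ \t]*#/ && ($1 in want) { print "#" $0 "\t# disabled: cleartext password"; next }
        { print }
    ' "$1" > "$2"
}

# sample_inetd_conf
# A constructed inetd.conf fragment in the classic seven-field format.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf, not a real system file
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# demo: run both functions over the constructed sample.
demo() {
    src=$(mktemp) && dst=$(mktemp) || return 1
    sample_inetd_conf > "$src"
    echo "enabled cleartext services:"
    list_cleartext_services "$src"
    disable_cleartext_services "$src" "$dst"
    echo "after rewriting:"
    cat "$dst"
    rm -f "$src" "$dst"
}
```

Against a real system, point list_cleartext_services at /etc/inetd.conf
first; if it prints anything, write the rewritten file to a temporary
location, diff it against the original, install it, and send inetd a HUP.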

[If you asked me for my personal opinion: running a system with a root
 exploit that can be that easily exploited is scary.]

Further Information
===================
I will inform you on this list as soon as RedHat, Debian, Caldera, etc.
release their new compiled kernel versions.