RE: Flaws in recent Linux kernels

From: Demitrious Kelly (apokalyptik@apokalyptik.com)
Date: 10/18/01


From: "Demitrious Kelly" <apokalyptik@apokalyptik.com>
To: <bugtraq@securityfocus.com>
Subject: RE: Flaws in recent Linux kernels
Date: Thu, 18 Oct 2001 12:51:24 -0700
Message-ID: <APELIAMLLLIPEDGPHPHBGEIACDAA.apokalyptik@apokalyptik.com>

The description of the second problem is accurate, but I don't think the
assessment of the kernels which can or cannot be affected by this exploit
is... I'm using a newly compiled kernel Linux 2.4.12-grsec-1.8.3.

( Linux 2.4.12 with the Grsecurity Patch
http://www.grsecurity.net/features.htm )

# /* begin shell session */
[12:52:11][apokalyptik@home:~]: ./epcs_ptrace_attach_exploit
bug exploited successfully.
enjoy!
sh-2.05$
# /* end shell session */

 -- Demitrious S. Kelly

-----Original Message-----
From: Rafal Wojtczuk [mailto:nergal@7bulls.com]
Sent: Thursday, October 18, 2001 10:36 AM
To: bugtraq@securityfocus.com
Subject: Flaws in recent Linux kernels

II. Root compromise by ptrace(3)
        In order for this flaw to be exploitable, /usr/bin/newgrp must be
setuid root and world-executable. Additionally, newgrp, when run with no
arguments, should not prompt for password. These conditions are satisfied
in case of most popular Linux distributions (but not Openwall GNU/*/Linux).
        Suppose the following flow of execution (initially, Process 1 and
Process 2 are unprivileged):

Time   Process 1                                     Process 2
  0    ptrace(PTRACE_ATTACH, pid of Process 2,...)
  1    execve /usr/bin/newgrp
  2                                                  execve /any/thing/suid
  3    execve default user shell
  4    execve ./insert_shellcode

        The unexpected happens at moment 2. Process 2 is still traced, execve
/any/thing/suid succeeds, and the setuid bit is honored! This is so because
1) the property of "having a ptrace-attached child" survives the execve
2) at moment 2, the tracer (process 1) has CAP_SYS_PTRACE set (well, has all
root privs), therefore it is allowed to trace even execve of setuid binary.
        In moment 3, newgrp executes a shell, which is a usual behavior.
This shell is still able to control the process 2 with ptrace. Therefore, the
"./insert_shellcode" binary is able to insert arbitrary code into the address
space of Process 2. Game over.

        2.4.12 kernel fixes both presented problems. The attached patches,
2.2.19-deep-symlink.patch and 2.2.19-ptrace.patch, both blessed by Linus,
can be used to close the vulnerability in 2.2.19. The (updated)
Openwall GNU/*/Linux kernel patches can be retrieved from
http://www.openwall.com/linux/
Note that the default Owl installation is not vulnerable to the ptrace bug
described.
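
The following is an added userspace model of the timeline in the quoted advisory; it is not code from either author or from the kernel sources. It shows why the pre-fix credential check fails: the setuid decision at the tracee's execve consults the tracer's privileges at that moment, by which point newgrp has already made the tracer root, whereas the hardened variant snapshots whether the tracer held CAP_SYS_PTRACE when it attached (the approach the kernel took with the PT_PTRACE_CAP flag); all struct and function names below are the model's own.

```c
#include <stdbool.h>

/* Toy model of the credential decision made when a traced process
 * execve()s a setuid-root binary. Constructed for illustration; these
 * are not the kernel's own structures or functions. */
struct proc {
    int  uid;                  /* 0 means root */
    bool cap_sys_ptrace;       /* effective CAP_SYS_PTRACE; tied to uid 0 here */
    int  tracer;               /* index of the tracing process, or -1 */
    bool tracer_cap_at_attach; /* snapshot of the tracer's cap when it attached */
};

/* Moment 0: the tracer attaches; the hardened model records whether the
 * tracer held CAP_SYS_PTRACE at that instant. */
static void model_attach(struct proc *p, int tracee, int tracer)
{
    p[tracee].tracer = tracer;
    p[tracee].tracer_cap_at_attach = p[tracer].cap_sys_ptrace;
}

/* execve() of a setuid-root binary by process idx. Returns true if the
 * setuid bit was honoured. Pre-fix policy: consult the tracer's *current*
 * capability. Hardened policy: consult the snapshot taken at attach time. */
static bool model_exec_setuid_root(struct proc *p, int idx, bool hardened)
{
    bool honour = true;
    if (p[idx].tracer != -1) {
        honour = hardened ? p[idx].tracer_cap_at_attach
                          : p[p[idx].tracer].cap_sys_ptrace;
    }
    if (honour) {
        p[idx].uid = 0;
        p[idx].cap_sys_ptrace = true;
    }
    return honour;
}

/* Replays moments 0..2 of the advisory's timeline and returns the uid that
 * Process 2 ends up with (0 = bug reproduced, 1000 = privilege dropped). */
int ptrace_setuid_scenario(bool hardened)
{
    struct proc p[3] = { {1000, false, -1, false},    /* index 0 unused */
                         {1000, false, -1, false},    /* Process 1 */
                         {1000, false, -1, false} };  /* Process 2 */
    model_attach(p, 2, 1);                  /* moment 0: PTRACE_ATTACH */
    model_exec_setuid_root(p, 1, hardened); /* moment 1: newgrp, tracer now root */
    model_exec_setuid_root(p, 2, hardened); /* moment 2: tracee execs a suid binary */
    return p[2].uid;
}
```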