FYI, temporary fix is to set /proc/sys/kernel/modprobe to something bogus.

--
"Real men don't take backups. They put their source on a public FTP-server and let the world mirror it." -- Linus Torvalds
--- Begin Message ---
- To: bugtraq@securityfocus.com
- Subject: linux kmod/ptrace bug - details
- From: Andrzej Szombierski <qq@kuku.eu.org>
- Date: Wed, 19 Mar 2003 20:22:45 +0100 (CET)
- Message-id: <Pine.LNX.4.44L.0303192008160.30372-100000@kuku.eu.org>
Hello

There are many discussions (on slashdot for example) on the recent linux ptrace (& kmod) bug. I'll try to clarify what this is all about.

It's a local root vulnerability. It's exploitable only if:

1. the kernel is built with modules and kernel module loader enabled and
2. /proc/sys/kernel/modprobe contains the path to some valid executable and
3. ptrace() calls are not blocked

These conditions are met on most standard linux distros.

Ok now how it works: When a process requests a feature which is in a module, the kernel spawns a child process, sets its euid and egid to 0 and calls execve("/sbin/modprobe"). The problem is that before the euid change the child process can be attached to with ptrace(). Game over, the user can insert any code into a process which will be run with the superuser privileges.

Solutions/workarounds:

- patch the kernel or
- disable kmod/modules or
- install a ptrace-blocking module or
- set /proc/sys/kernel/modprobe to /any/bogus/file

A word about 2.5 kernels - these are not vulnerable because the kernel thread spawning code has been rewritten so that the modprobe process is spawned from keventd; it never runs with non-root uid, so it can't be ptraced by any non-root user.

Sample exploit here (ix86-only): http://august.v-lo.krakow.pl/~anszom/km3.c

--
: Andrzej Szombierski : anszom@v-lo.krakow.pl : qq@kuku.eu.org :
: anszom@bezkitu.com ::: radio bez kitu <=> http://bezkitu.com :
--- End Message ---
Attachment:
pgpQ4293AosC4.pgp
Description: PGP signature
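The post lists three conditions that must all hold, and the workaround both the forwarder and the author recommend is to point /proc/sys/kernel/modprobe at a path that is not a valid executable. The following POSIX sh script is an added example, not code from the post or from the kernel, that turns conditions 1 and 2 into an administrator's check: it reports whether the configured modprobe helper still names an existing executable (condition 2) and whether module support is present, using the existence of /proc/modules as the indicator for condition 1. The function names, the /proc/modules heuristic and the test paths are assumptions of this example; condition 3 (whether ptrace() is blocked) is not detected here because the post names no reliable indicator for it.

```shell
#!/bin/sh
# Added example (not part of the original message). Assesses the two
# conditions from the post that can be read off the filesystem.

# Usage: modprobe_setting_status [path]
# Prints "exposed" when the path names an existing executable file
# (the post's condition 2 holds) and "workaround" otherwise (for
# example /any/bogus/file). With no argument the live sysctl value
# in /proc/sys/kernel/modprobe is used.
modprobe_setting_status() {
    path="${1:-$(cat /proc/sys/kernel/modprobe 2>/dev/null)}"
    if [ -z "$path" ]; then
        # Empty setting: the kernel has no helper to exec at all.
        echo "workaround"
    elif [ -f "$path" ] && [ -x "$path" ]; then
        echo "exposed"
    else
        echo "workaround"
    fi
}

# Usage: kmod_ptrace_assessment [modprobe_path] [modules_file]
# Combines condition 1 (module support, indicated here by the presence
# of /proc/modules; an assumption of this example) with condition 2.
# Both arguments are optional and exist so that constructed paths can be
# supplied when testing instead of the live system files.
kmod_ptrace_assessment() {
    modprobe_path="$1"
    modules_file="${2:-/proc/modules}"
    if [ ! -e "$modules_file" ]; then
        echo "modules unavailable: condition 1 not met"
        return 0
    fi
    case "$(modprobe_setting_status "$modprobe_path")" in
        exposed)
            echo "conditions 1 and 2 met: patch the kernel or point kernel.modprobe at a bogus path"
            ;;
        workaround)
            echo "kernel.modprobe names no executable: workaround in place"
            ;;
    esac
}

# Run against the live system when executed directly.
kmod_ptrace_assessment
```

Run it as root or as any user (the /proc files are world-readable); the one-line verdict is meant for a configuration audit, and an "exposed" result on a 2.4 kernel is the cue to apply the vendor kernel patch rather than rely on the sysctl change alone.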