Really nasty Linux security bug

troy fryman at sonic.net
Fri Oct 19 14:37:53 PDT 2001


On Fri, Oct 19, 2001 at 02:31:36PM -0700, E Frank Ball wrote:

> The ptrace problem is easily fixed.  Log in as root and:
> chmod u-s /usr/bin/newgrp

Uhhhm, as I understand it the exploit requires a SUID binary.  newgrp is
just a convenient helper, not the source of the problem.

-t


> On Fri, Oct 19, 2001 at 11:53:58AM -0700, Dustin Mollo wrote:
> } Hey all.  For those that don't read slashdot all that often, check out this
> } email over on SecurityFocus.
> } 
> } http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21
> } 
> } ObQuote:
> } 
> } There are two bugs present in Linux kernels 2.2.x, x<=19 and 2.4.y, y<=9.
> } The first vulnerability results in local DoS. The second one, involving
> } ptrace, can be used to gain root privileges locally (in case of default
> } install of most popular distributions). Linux 2.0.x is not vulnerable to the
> } ptrace bug mentioned.
> 
> The ptrace problem is easily fixed.  Log in as root and:
> chmod u-s /usr/bin/newgrp
> 
> II. Root compromise by ptrace(3)
>            In order for this flaw to be exploitable, /usr/bin/newgrp must be
>    setuid root and world-executable. Additionally, newgrp, when run with no
>    arguments, should not prompt for password. These
>    conditions are satisfied in case of most popular Linux distributions (but
>    not Openwall GNU/*/Linux)
> 
> -- 
> 
>    E Frank Ball                efball at efball.com

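Added example, not part of the original thread: the two checks troy's point implies. Stripping the setuid bit from newgrp removes one helper, but the advisory's conditions (setuid root, world-executable, no password prompt) are met by other binaries too, so a practitioner wants (1) to know whether the running kernel is in the affected range the advisory names (2.2.x with x<=19, 2.4.y with y<=9; 2.0.x not affected) and (2) a list of every setuid-root, world-executable file, not just newgrp. The function names, the version-string parsing and the constructed test directory are my own assumptions; nothing here is from the advisory or the distributions mentioned.

```sh
#!/bin/sh
# Added example, not from the original thread. Two checks a practitioner
# would run after reading the advisory quoted above:
#   1. is the running kernel in the affected range (2.2.x, x<=19; 2.4.y, y<=9)?
#   2. which setuid-root, world-executable binaries exist, since any of them,
#      not only newgrp, is a candidate helper for the ptrace bug.

# Return 0 if a kernel version string falls in the ranges the advisory names.
# Trailing tags such as "-ac3" on the patch level are ignored (assumption:
# the advisory speaks only of stock version numbers).
kernel_has_ptrace_bug() {
    v=$1
    case "$v" in
        *.*.*) ;;
        *) return 1 ;;          # need major.minor.patch to decide
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%[!0-9]*}      # keep the leading digits of the patch level
    [ -n "$patch" ] || return 1
    case "$major.$minor" in
        2.2) [ "$patch" -le 19 ] ;;
        2.4) [ "$patch" -le 9 ] ;;
        *)   return 1 ;;        # 2.0.x and everything else: not affected
    esac
}

# List regular files under DIR owned by OWNER (default root) that have both
# the setuid bit and the world-execute bit set (-perm -4001), the two file
# conditions the advisory gives for newgrp. Stays on one filesystem.
find_suid_exec() {
    dir=$1
    owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" -perm -4001 2>/dev/null
}

# Stand-alone usage: check the running kernel, then enumerate candidates
# in the directory given as the first argument (default /usr/bin).
if kernel_has_ptrace_bug "$(uname -r)"; then
    echo "kernel $(uname -r) is in the affected range"
fi
find_suid_exec "${1:-/usr/bin}"
```

The enumeration does not tell you which of the listed binaries can be coaxed into an execve without prompting, which is the third condition the advisory gives; it narrows the list you then inspect by hand. Run it over /bin, /sbin and /usr/sbin as well, and expect the list to be much longer than just newgrp.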