
[linux-security] local root exploit in linux kernel



Topic
=====
Security holes in the Linux kernel may lead to a local root exploit.

Problem description
===================
There are security holes in all Linux kernels (v2.2 and 2.4) that involve
ptrace and sysctl. These holes may be exploited locally to gain root
access (they do not give remote attackers without a local account any
access). At the time of this writing no active exploit is known yet.
Another security hole is a DOS (Denial Of Service) that does not provide
access to the root account but does allow any user with shell access to
halt the CPU.

All users are strongly recommended to upgrade.

Affected Systems
================
All Linux systems with kernel versions 2.2.x and 2.4.x.

Solution
========
Upgrade to a patched kernel (e.g., linux-2.4.1 with Alan Cox's
patch-2.4.1-ac19; see below).
Only RedHat and Caldera have released patched kernel binaries for now.

RedHat 6.x
----------
The procedure for upgrading the kernel is documented at:
http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html
Read the directions for your architecture carefully before proceeding with
the kernel upgrade.

rpm -Fvh kernel-source-2.2.17-14.i386.rpm \
         kernel-doc-2.2.17-14.i386.rpm \
         kernel-utils-2.2.17-14.i386.rpm \
         kernel-ibcs-2.2.17-14.i386.rpm \
         kernel-headers-2.2.16-3.i386.rpm

Then find out which type of kernel you are running:
rpm -q kernel
rpm -q kernel-smp
rpm -q kernel-pcmcia-cs
rpm -q kernel-BOOT

Upgrade only those packages for which you do not receive the response
"package XXX is not installed", using one of the following commands
(I recommend using the -i option, i.e., not removing the old kernel, so
that you can still boot the old kernel if something goes wrong).

i386
rpm -ivh kernel-2.2.17-14.i386.rpm
rpm -ivh kernel-smp-2.2.17-14.i386.rpm
rpm -ivh kernel-BOOT-2.2.17-14.i386.rpm
rpm -ivh kernel-pcmcia-cs-2.2.17-14.i386.rpm

i586
rpm -ivh kernel-2.2.17-14.i586.rpm
rpm -ivh kernel-smp-2.2.17-14.i586.rpm

i686
rpm -ivh kernel-2.2.17-14.i686.rpm
rpm -ivh kernel-smp-2.2.17-14.i686.rpm

After installing the kernel you must edit /etc/lilo.conf, run /sbin/lilo
and reboot.
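As an added example (not code from the advisory or from RedHat), a small POSIX shell script that applies the rule above mechanically: it queries each kernel flavour with rpm -q and selects the matching 2.2.17-14 package only for flavours that are actually installed. The RPMQ hook and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the advisory): select and install only the
# kernel RPMs whose flavour is installed, following the rpm -q rule above.
# RPMQ is a hook of this example (not an rpm feature) so the selection
# logic can be exercised without rpm; it defaults to "rpm -q".
RPMQ=${RPMQ:-"rpm -q"}

# select_kernel_rpms VERSION ARCH
# Prints one RPM filename per installed kernel flavour, e.g.
# kernel-smp-2.2.17-14.i686.rpm. The advisory lists kernel-BOOT and
# kernel-pcmcia-cs only as i386 builds, so those always use i386.
select_kernel_rpms() {
    ver=$1; arch=$2
    for pkg in kernel kernel-smp kernel-pcmcia-cs kernel-BOOT; do
        # rpm -q answers "package NAME is not installed" for absent ones
        out=$($RPMQ "$pkg" 2>&1 || true)
        case "$out" in
            *"is not installed"*) continue ;;   # flavour not in use: skip
        esac
        case "$pkg" in
            kernel-BOOT|kernel-pcmcia-cs) a=i386 ;;
            *) a=$arch ;;
        esac
        echo "$pkg-$ver.$a.rpm"
    done
}

# install_kernel_rpms VERSION ARCH
# Installs every selected package with -i so the old kernel stays
# bootable; the RPM files are expected in the current directory.
install_kernel_rpms() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 1; }
    for f in $(select_kernel_rpms "$1" "$2"); do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
        rpm -ivh "$f" || return 1
    done
    echo "Now edit /etc/lilo.conf, run /sbin/lilo and reboot." >&2
}

# usage on a real box (arch = the package set you downloaded):
#   install_kernel_rpms 2.2.17-14 i686
```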

RedHat 7.0
----------
Follow the instructions outlined under the 6.x section.
Only the corresponding rpm commands are listed below.

rpm -Fvh kernel-source-2.2.17-14.i386.rpm \
         kernel-doc-2.2.17-14.i386.rpm \
         kernel-utils-2.2.17-14.i386.rpm \
         kernel-ibcs-2.2.17-14.i386.rpm

i386
rpm -ivh kernel-2.2.17-14.i386.rpm
rpm -ivh kernel-smp-2.2.17-14.i386.rpm
rpm -ivh kernel-BOOT-2.2.17-14.i386.rpm
rpm -ivh kernel-pcmcia-cs-2.2.17-14.i386.rpm

i586
rpm -ivh kernel-2.2.17-14.i586.rpm
rpm -ivh kernel-smp-2.2.17-14.i586.rpm

i686
rpm -ivh kernel-2.2.17-14.i686.rpm
rpm -ivh kernel-smp-2.2.17-14.i686.rpm

Caldera Openlinux 2.3
---------------------
The update procedure is similar to that described under RedHat 6.x.
rpm -Fvh linux-kernel-doc-2.2.10-11.i386.rpm \
         linux-kernel-include-2.2.10-11.i386.rpm \
         linux-source-i386-2.2.10-11.i386.rpm \
         linux-kernel-binary-2.2.10-11.i386.rpm \
         pcmcia-cs-3.0.14-2.i386.rpm

Caldera Openlinux eDesktop 2.4
------------------------------
rpm -Fvh hwprobe-20000214-3.i386.rpm \
         iBCS-2.1-9.i386.rpm \
         iBCS-extras-2.1-9.i386.rpm \
         iBCS-module-2.1_2.2.14-9.i386.rpm \
         linux-kernel-binary-2.2.14-6.i386.rpm \
         linux-kernel-doc-2.2.14-6.i386.rpm \
         linux-kernel-include-2.2.14-6.i386.rpm \
         linux-source-i386-2.2.14-6.i386.rpm \
         pcmcia-cs-3.1.8-2.i386.rpm

All other systems
-----------------
If you cannot or do not want to install the RedHat RPMs, you can
alternatively compile the kernel from source.
!! Warning: attempt this only if you can test it on a non-production
!! machine first, if you have lots of time, and if you can risk that
!! your box doesn't boot anymore (it also helps to have done this at least
!! once before :-).
Since there are (to my knowledge) no new kernels released yet that are not
affected by these bugs, you have to patch the kernel yourself.

For the 2.2 kernel get:
linux-2.2.18.tar.bz2 (e.g., from http://www.kernel.org/pub/linux/kernel/v2.2)
and
pre-patch-2.2.19-13.gz
(http://www.kernel.org/pub/linux/kernel/people/alan/2.2.19pre)

For the 2.4 kernel get:
linux-2.4.1.tar.bz2 (from http://www.kernel.org/pub/linux/kernel/v2.4)
and
patch-2.4.1-ac19.bz2 (http://www.kernel.org/pub/linux/kernel/people/alan/2.4)

You can easily check whether your kernel source is patched: in an
unpatched source tree the following lines appear in kernel/sysctl.c:

int sysctl_string(ctl_table *table, int *name, int nlen,
                  void *oldval, size_t *oldlenp,
                  void *newval, size_t newlen, void **context)
{
        int l, len;

        if (!table->data || !table->maxlen)
                return -ENOTDIR;

The critical line is "int l, len;": if sysctl_string() in your
kernel/sysctl.c still contains this line (as shown above), your kernel
source is not patched.
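As an added example (not code from the advisory), a shell check that reads kernel/sysctl.c and reports whether the unpatched "int l, len;" declaration is still present inside sysctl_string(), rather than anywhere in the file. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): check a kernel source tree for the
# unpatched declaration in sysctl_string(), kernel/sysctl.c. Looking only
# inside that function avoids false hits from an "int l, len;" that may
# appear in some other function of the same file.

# sysctl_string_unpatched FILE
# Exit status: 0 = sysctl_string() still declares "int l, len;" (unpatched),
# 1 = the declaration is absent, 2 = no sysctl_string() found in FILE.
sysctl_string_unpatched() {
    awk '
        /^int sysctl_string\(/       { infn = 1; found = 1 }
        infn && /^[ \t]*int l, len;/ { hit = 1 }
        infn && /^}/                 { infn = 0 }
        END {
            if (!found) exit 2
            if (hit) exit 0
            exit 1
        }
    ' "$1"
}

# check_kernel_tree SRCDIR
# Human-readable wrapper, e.g. check_kernel_tree /usr/src/linux
check_kernel_tree() {
    f="$1/kernel/sysctl.c"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 2; }
    rc=0
    sysctl_string_unpatched "$f" || rc=$?
    case $rc in
        0) echo "$1: sysctl_string() still has 'int l, len;' -> NOT patched" ;;
        1) echo "$1: unpatched declaration not found -> looks patched" ;;
        *) echo "$1: sysctl_string() not found, cannot tell" >&2 ;;
    esac
    return $rc
}
```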