
[linux-security] local root exploit in linux 2.4 kernel



Topic
=====
local root exploit in linux kernel

Problem Description
===================
The Linux kernel has a security flaw that is known as the ptrace/modprobe bug:
The local attacker can use ptrace and attach to a modprobe process that is
spawned if the user triggers the loading of a kernel module using the kmod
kernel module subsystem. This can be done by asking for network protocols
that are supplied by kernel modules which are not loaded (yet). The
vulnerability allows the attacker to execute arbitrary commands as root.

Affected Versions
=================
All 2.4.x versions of the Linux kernel

Workaround
==========
There exists a temporary workaround against this flaw: it is possible
to temporarily disable the kmod kernel module loading subsystem in the
kernel after all necessary kernel modules have been loaded. If the
temporary workaround is chosen, make sure that no additional kernel
modules need to be loaded afterwards (such as ISDN drivers, SCSI
subsystem drivers, or filesystem drivers such as the iso9660 filesystem
for CD-ROMs and the language codepages).
To disable the kmod kernel module loading subsystem, use the following
command as root:
  
      echo /no/such_file > /proc/sys/kernel/modprobe
  
If this command is inserted into a boot script that runs after all
services in a runlevel have been launched, it is an efficient
permanent solution.
This workaround can be reverted by writing the original content
("/sbin/modprobe") back to the /proc/sys/kernel/modprobe file.
Please note that it is still possible for the root user to manually
load kernel modules.
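The following script is an added example and not part of the original advisory.
It wraps the workaround above in three small functions: one that reports whether
kmod is currently disabled (by checking whether the path stored in
/proc/sys/kernel/modprobe points at an executable), one that applies the
workaround, and one that reverts it. The MODPROBE_CTL variable, the function
names and the status/disable/restore subcommands are this example's own
conventions; MODPROBE_CTL defaults to the real sysctl file but can be pointed
at a scratch file so the logic can be rehearsed without root.

```shell
#!/bin/sh
# Added example (not from the original advisory): manage and verify the
# kmod workaround.  MODPROBE_CTL defaults to the real sysctl file; point it
# at a scratch file to rehearse without root.
MODPROBE_CTL="${MODPROBE_CTL:-/proc/sys/kernel/modprobe}"
DISABLED_VALUE="/no/such_file"      # value the advisory writes
ORIGINAL_VALUE="/sbin/modprobe"     # value the advisory restores

# Print "disabled" (workaround active), "enabled" (kmod can still spawn a
# module loader) or "unknown" (file not readable).  Exit status is 0 only
# when the workaround is active, so the function can be used in checks.
kmod_status() {
    ctl="${1:-$MODPROBE_CTL}"
    [ -r "$ctl" ] || { echo unknown; return 2; }
    handler=$(cat "$ctl")
    # The kernel executes whatever path is stored here; the workaround is
    # only effective if that path does not exist or is not executable.
    if [ -n "$handler" ] && [ -x "$handler" ]; then
        echo enabled
        return 1
    fi
    echo disabled
    return 0
}

# Apply the workaround.  On the real sysctl file this must run as root,
# after all required modules (ISDN, SCSI, iso9660, codepages...) are loaded.
kmod_disable() {
    ctl="${1:-$MODPROBE_CTL}"
    echo "$DISABLED_VALUE" > "$ctl"
}

# Revert the workaround by writing the original modprobe path back.
kmod_restore() {
    ctl="${1:-$MODPROBE_CTL}"
    echo "$ORIGINAL_VALUE" > "$ctl"
}

# Minimal command-line front end: status | disable | restore
case "${1:-}" in
    status)  kmod_status ;;
    disable) kmod_disable && kmod_status ;;
    restore) kmod_restore && kmod_status ;;
esac
```

Run `sh kmod-workaround.sh status` from a boot script or a cron job to confirm
the workaround has not been silently reverted (for example by a kernel package
post-install script that rewrites the sysctl). Note that `kmod_status` reports
"enabled" for any executable path, not just /sbin/modprobe, because the kernel
will spawn whatever is stored there.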

Solution
========
Upgrade to a patched version of the 2.4 kernel for your distribution.
Note that check-rpms will not perform kernel updates (although it
will list vulnerable kernel packages). New kernel packages should
always be installed using

rpm -ivh <kernel package>

[the next version of check-rpms will support kernel installations].

RedHat 7.1, 7.2, 7.3
--------------------
rpm -Fvh kernel-source-2.4.18-27.7.x.i386.rpm \
         kernel-doc-2.4.18-27.7.x.i386.rpm

rpm -ivh kernel<type>-2.4.18-27.7.x.<arch>.rpm

where <type> is either empty or -smp, -bigmem or -debug and <arch> is
i386, i586, or i686, or athlon.

RedHat 8.0
----------
rpm -Fvh kernel-source-2.4.18-27.8.0.i386.rpm \
         kernel-doc-2.4.18-27.8.0.i386.rpm

rpm -ivh kernel<type>-2.4.18-27.8.0.<arch>.rpm

where <type> is either empty or -smp, -bigmem or -debug and <arch> is
i386, i586, or i686, or athlon.

RedHat 9
--------
not vulnerable.

Mandrake 9.0
------------
rpm -Fvh kernel-source-2.4.19-32mdk.i586.rpm

rpm -ivh kernel<type>-2.4.19.32mdk-1-1mdk.i586.rpm

where <type> is either empty or -smp, -secure, or -enterprise.

SuSE
----
please see http://www.suse.com/de/security/2003_21_kernel.html
for detailed installation instructions.
<type> in the following is one of
smp     for SMP systems (Pentium-II and above)
psmp    for Pentium-I dual processor systems
orig    kernel built with unmodified sources
athlon  for AMD Athlon family processors
i386    for older processors and chipsets
deflt   default kernel, good for most systems
debug   for kernel debugging purposes

rpm -qf /boot/vmlinuz will show you the correct kernel rpm type.

SuSE-7.x
--------
rpm -Fvh kernel-source-2.4.18.SuSE-150.i386.rpm
rpm -ivh k_<type>-2.4.18-<rel>.i386.rpm

where <rel>=244 for <type>=smp, 243 for psmp, 237 for i386, 262 for deflt

SuSE-8.0
--------
rpm -Fvh kernel-source-2.4.18.SuSE-149.i386.rpm
rpm -ivh k_<type>-2.4.18-<rel>.i386.rpm

where <rel>=243 for <type>=smp, 242 for psmp, 170 for orig, 236 for i386,
261 for deflt

SuSE-8.1
--------
rpm -Fvh kernel-source-2.4.19.SuSE-175.i586.rpm
rpm -ivh k_<type>-2.4.19-<rel>.i586.rpm

where <rel>=257 for <type>=smp, 263 for psmp, 274 for deflt, 213 for debug,
263 for athlon