[lug] New root exploit for kernels prior to 2.4.12

John Hernandez John.Hernandez at noaa.gov
Mon Oct 22 15:22:39 MDT 2001


FYI- newgrp is only an example of an SUID root binary which has the 
potential to be used as a vehicle to exploit this kernel bug.  You MAY 
have other such binaries on your system, depending on what 
software has been installed.

Think of the kernel as homicidal and newgrp as a loaded gun.  Take away 
the gun, but beware of other objects that can be used as weapons.

In summary, the bug is in the kernel, not in newgrp.  Restricting 
newgrp is a good thing and MAY be satisfactory in the short term, but 
it is probably insufficient as a longer term solution to the kernel 
problem.

D. Stimits wrote:

> Greg Horne wrote:
> 
>>One of the exploits, I can't remember which, relies on the file
>>/usr/bin/newgrp being world executable.  I just took that permission away to
>>make the permissions 710.  Does anybody know if that will work as a quick
>>fix for now?
>>
> 
> Yes, it works. Only those who can execute newgrp while it is suid can
> run the exploit. Removing permission to execute it will remove the
> problem, as will removing the suid bit (but you might find suid is
> needed for anyone but root...make the group some group that only trusted
> individuals can access).
> 
> D. Stimits, stimits at idcomm.com
> 
> 
>>Greg
>>
>>
>>>From: Nate Duehr <nate at natetech.com>
>>>Reply-To: lug at lug.boulder.co.us
>>>To: lug at lug.boulder.co.us
>>>Subject: Re: [lug] New root exploit for kernels prior to 2.4.12
>>>Date: Fri, 19 Oct 2001 17:05:07 -0600
>>>
>>>I haven't had a chance to read this yet, but is this a remote exploit
>>>(network-based) or a local exploit?
>>>
>>>On Fri, Oct 19, 2001 at 11:55:47AM -0600, Scott A. Herod wrote:
>>>
>>>>Security focus has a note about a root exploit against kernels prior to
>>>>2.4.12.
>>>>
>>>>http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21
>>>>
>>>>Since they've also put up an exploit, I'd guess that it's once again
>>>>time to upgrade
>>>>the kernel.
>>>>_______________________________________________
>>>>Web Page:  http://lug.boulder.co.us
>>>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>>
>>>--
>>>Nate Duehr <nate at natetech.com>
>>>
>>>GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
>>>Public Key available upon request, or at wwwkeys.pgp.net and others.
>>>
>>
> 


-- 

   - John Hernandez - Network Engineer - 303-497-6392 -
  |  National Oceanic and Atmospheric Administration   |
  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
   ----------------------------------------------------
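
The audit John's reply points toward, as an added example that is not part of the original thread: POSIX shell functions that list setuid files under a directory and separate those any local user can execute from those restricted the way Greg's mode 710 change restricts newgrp. The function names are made up for this example, and the owner defaults to root.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage when run directly: sh thisfile DIR [OWNER]   (OWNER defaults to root)

# suid_world_exec DIR [OWNER]
# Setuid files owned by OWNER that "other" may execute, i.e. any local
# user can start them with OWNER's privileges.
suid_world_exec() {
    find "$1" -xdev -type f -user "${2:-root}" \
        -perm -4000 -perm -0001 -print 2>/dev/null | sort
}

# suid_restricted DIR [OWNER]
# Setuid files owned by OWNER with no execute bit for "other"
# (for example mode 4710: only the owner and the file's group can run them).
suid_restricted() {
    find "$1" -xdev -type f -user "${2:-root}" \
        -perm -4000 ! -perm -0001 -print 2>/dev/null | sort
}

# suid_report DIR [OWNER]
# One line per setuid file, prefixed with its exposure class.
suid_report() {
    suid_world_exec "$@" | sed 's/^/WORLD-EXEC  /'
    suid_restricted "$@" | sed 's/^/RESTRICTED  /'
}

# Only scan when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    suid_report "$@"
fi
```

Every WORLD-EXEC line is a binary in the same position newgrp was in before the permission change; RESTRICTED lines still depend on who is in the file's group.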



