[lug] New root exploit for kernels prior to 2.4.12

D. Stimits stimits at idcomm.com
Wed Oct 24 14:47:38 MDT 2001


Greg Horne wrote:
> 
> Would this be a good start to finding binaries that might need different
> permissions?
> 
> find / -perm -4000 -user root -print |more

My tcsh alias "fnsuid" is:
alias fnsuid 'find . -perm +4000 -name "\!*" -xdev -print'

So in general:
find / -perm +4000 -print
(that'd be for all suid, not just root)

D. Stimits, stimits at idcomm.com

> 
> Greg
> 
> >From: "John Hernandez" <John.Hernandez at noaa.gov>
> >Reply-To: lug at lug.boulder.co.us
> >To: lug at lug.boulder.co.us
> >Subject: Re: [lug] New root exploit for kernels prior to 2.4.12
> >Date: Mon, 22 Oct 2001 15:22:39 -0600
> >
> >FYI- newgrp is only an example of an SUID root binary which has the
> >potential to be used as a vehicle to exploit this kernel bug.  You MAY
> >have other such binaries on your system, depending on what
> >software has been installed.
> >
> >Think of the kernel as homicidal and newgrp as a loaded gun.  Take away
> >the gun, but beware of other objects that can be used as weapons.
> >
> >In summary, the bug is in the kernel, not in newgrp.  Restricting
> >newgrp is a good thing and MAY be satisfactory in the short term, but
> >it is probably insufficient as a longer term solution to the kernel
> >problem.
> >
> >D. Stimits wrote:
> >
> >>Greg Horne wrote:
> >>
> >>>One of the exploits, I can't remember which, relies on the file
> >>>/usr/bin/newgrp being world executable.  I just took that permission
> >>>away to make the permissions 710.  Does anybody know if that will work
> >>>as a quick fix for now?
> >>>
> >>
> >>Yes, it works. Only those who can execute newgrp while it is suid can
> >>run the exploit. Removing permission to execute it will remove the
> >>problem, as will removing the suid bit (but you might find suid is
> >>needed for anyone but root...make the group some group that only trusted
> >>individuals can access).
> >>
> >>D. Stimits, stimits at idcomm.com
> >>
> >>
> >>>Greg
> >>>
> >>>
> >>>>From: Nate Duehr <nate at natetech.com>
> >>>>Reply-To: lug at lug.boulder.co.us
> >>>>To: lug at lug.boulder.co.us
> >>>>Subject: Re: [lug] New root exploit for kernels prior to 2.4.12
> >>>>Date: Fri, 19 Oct 2001 17:05:07 -0600
> >>>>
> >>>>I haven't had a chance to read this yet, but is this a remote exploit
> >>>>(network-based) or a local exploit?
> >>>>
> >>>>On Fri, Oct 19, 2001 at 11:55:47AM -0600, Scott A. Herod wrote:
> >>>>
> >>>>>Security focus has a note about a root exploit against kernels prior to
> >>>>>2.4.12.
> >>>>>
> >>>>>
> >>>>>
> >>>>http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21
> >>>>
> >>>>>Since they've also put up an exploit, I'd guess that it's once again
> >>>>>time to upgrade
> >>>>>the kernel.
> >>>>>_______________________________________________
> >>>>>Web Page:  http://lug.boulder.co.us
> >>>>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >>>>>
> >>>>--
> >>>>Nate Duehr <nate at natetech.com>
> >>>>
> >>>>GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
> >>>>Public Key available upon request, or at wwwkeys.pgp.net and others.
> >>>>
> >>
> >
> >
> >--
> >
> >   - John Hernandez - Network Engineer - 303-497-6392 -
> >  |  National Oceanic and Atmospheric Administration   |
> >  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
> >   ----------------------------------------------------
> >
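
The inventory discussed in this thread, as an added example that is not part of the original messages: it lists setuid files and separates those any local user can execute (the newgrp case) from those already restricted to owner or group. It assumes GNU find and GNU stat; the function names suid_list and suid_report are made up for the example, and it uses `-perm -4000` because current GNU find no longer accepts the `+4000` form.

```shell
#!/bin/sh
# Added example (not from the thread): inventory setuid files and separate
# those any local user may execute from those already restricted.
# Assumes GNU find and GNU stat (Linux). Function names are hypothetical.

# suid_list DIR KIND -> one line per file: "<octal mode> <owner>:<group> <path>"
#   KIND=world       setuid and executable by "other" (e.g. 4755, 4711)
#   KIND=restricted  setuid but not executable by "other" (e.g. 4710, 4750)
suid_list() {
    dir=$1 kind=$2
    case $kind in
        world)      set -- -perm -4001 ;;
        restricted) set -- -perm -4000 ! -perm -0001 ;;
        *) echo "usage: suid_list DIR world|restricted" >&2; return 2 ;;
    esac
    # -xdev keeps the scan on one filesystem, as in the fnsuid alias.
    # -exec ... {} + hands paths straight to stat, so odd file names are safe.
    find "$dir" -xdev -type f "$@" \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null | sort -k3
}

# suid_report DIR -> both classes, labelled, world-executable first.
# The WORLD-EXEC lines are the ones to review: every local account can run
# them with the owner's privileges.
suid_report() {
    suid_list "$1" world      | sed 's/^/WORLD-EXEC /'
    suid_list "$1" restricted | sed 's/^/restricted /'
}

# Typical use after sourcing this file:
#   suid_report /
```

Run it as root so that directories an ordinary user cannot read are included in the scan.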


