[lug] New root exploit for kernels prior to 2.4.12

D. Stimits stimits at idcomm.com
Mon Oct 22 16:08:24 MDT 2001


John Hernandez wrote:
> 
> FYI- newgrp is only an example of an SUID root binary which has the
> potential to be used as a vehicle to exploit this kernel bug.  You MAY
> have other such binaries on your system, depending on what
> software has been installed.
> 
> Think of the kernel as homicidal and newgrp as a loaded gun.  Take away
> the gun, but beware of other objects that can be used as weapons.
> 
> In summary, the bug is in the kernel, not in newgrp.  Restricting
> newgrp is a good thing and MAY be satisfactory in the short term, but
> it is probably insufficient as a longer term solution to the kernel
> problem.

Newer kernels fix it. In fact, it is this fix that is being denied
explanation in change logs because it would describe a security hole
under DMCA. So get a current kernel marked as having an unexplained
security fix.

D. Stimits, stimits at idcomm.com

> 
> D. Stimits wrote:
> 
> > Greg Horne wrote:
> >
> >>One of the exploits, I can't remember which, relies on the file
> >>/usr/bin/newgrp being world executable.  I just took that permission away to
> >>make the permissions 710.  Does anybody know if that will work as a quick
> >>fix for now?
> >>
> >
> > Yes, it works. Only those who can execute newgrp while it is suid can
> > run the exploit. Removing permission to execute it will remove the
> > problem, as will removing the suid bit (but you might find suid is
> > needed for anyone but root...make the group some group that only trusted
> > individuals can access).
> >
> > D. Stimits, stimits at idcomm.com
> >
> >
> >>Greg
> >>
> >>
> >>>From: Nate Duehr <nate at natetech.com>
> >>>Reply-To: lug at lug.boulder.co.us
> >>>To: lug at lug.boulder.co.us
> >>>Subject: Re: [lug] New root exploit for kernels prior to 2.4.12
> >>>Date: Fri, 19 Oct 2001 17:05:07 -0600
> >>>
> >>>I haven't had a chance to read this yet, but is this a remote exploit
> >>>(network-based) or a local exploit?
> >>>
> >>>On Fri, Oct 19, 2001 at 11:55:47AM -0600, Scott A. Herod wrote:
> >>>
> >>>>Security focus has a note about a root exploit against kernels prior to
> >>>>2.4.12.
> >>>>
> >>>>
> >>>>
> >>>http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21
> >>>
> >>>>Since they've also put up an exploit, I'd guess that it's once again
> >>>>time to upgrade
> >>>>the kernel.
> >>>>_______________________________________________
> >>>>Web Page:  http://lug.boulder.co.us
> >>>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >>>>
> >>>--
> >>>Nate Duehr <nate at natetech.com>
> >>>
> >>>GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
> >>>Public Key available upon request, or at wwwkeys.pgp.net and others.
> >>>
> >>
> >
> 
> --
> 
>    - John Hernandez - Network Engineer - 303-497-6392 -
>   |  National Oceanic and Atmospheric Administration   |
>   |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
>    ----------------------------------------------------
> 
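
The thread's two points (restricting newgrp to mode 710 as a stopgap, and other SUID root binaries possibly remaining) can be checked together with an audit like the one below. This is an added example, not part of the original messages; the function names `list_suid` and `count_exposed` are hypothetical, and it assumes a POSIX `find`.

```shell
#!/bin/sh
# Added example (not from the thread): inventory setuid files and separate
# the ones any local user can execute from the ones already restricted.

# list_suid DIR [OWNER_UID]
# Prints one line per setuid regular file under DIR owned by OWNER_UID
# (default 0, i.e. root):
#   EXPOSED <path>     setuid and executable by "other" (e.g. mode 4755)
#   RESTRICTED <path>  setuid, no execute bit for "other" (e.g. mode 4710)
list_suid() {
    dir=$1
    owner=${2:-0}
    # -perm -4001: setuid bit AND other-execute bit are both set.
    find "$dir" -xdev -type f -user "$owner" -perm -4001 \
        -exec sh -c 'for f do printf "EXPOSED %s\n" "$f"; done' sh {} + \
        2>/dev/null
    # Setuid, but "other" cannot execute: only owner and group members can.
    find "$dir" -xdev -type f -user "$owner" -perm -4000 ! -perm -0001 \
        -exec sh -c 'for f do printf "RESTRICTED %s\n" "$f"; done' sh {} + \
        2>/dev/null
}

# count_exposed DIR [OWNER_UID]
# Prints the number of EXPOSED entries; 0 means every setuid file found
# has had world-execute removed.
count_exposed() {
    list_suid "$@" | awk '$1 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Usage (as root, so unreadable directories are not skipped):
#   list_suid /usr/bin
#   list_suid /        # whole root filesystem; -xdev stays on one device
```

A RESTRICTED entry is only as tight as the membership of the file's group, and neither state changes the kernel itself.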


