[lug] New root exploit for kernels prior to 2.4.12

Greg Horne jeerygh at hotmail.com
Wed Oct 24 13:32:41 MDT 2001


Would this be a good start to finding binaries that might need different 
permissions?

find / -perm -4000 -user root -print | more

Greg

>From: "John Hernandez" <John.Hernandez at noaa.gov>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] New root exploit for kernels prior to 2.4.12
>Date: Mon, 22 Oct 2001 15:22:39 -0600
>
>FYI- newgrp is only an example of an SUID root binary which has the
>potential to be used as a vehicle to exploit this kernel bug.  You MAY
>have other such binaries on your system, depending on what
>software has been installed.
>
>Think of the kernel as homicidal and newgrp as a loaded gun.  Take away
>the gun, but beware of other objects that can be used as weapons.
>
>In summary, the bug is in the kernel, not in newgrp.  Restricting
>newgrp is a good thing and MAY be satisfactory in the short term, but
>it is probably insufficient as a longer term solution to the kernel
>problem.
>
>D. Stimits wrote:
>
>>Greg Horne wrote:
>>
>>>One of the exploits, I can't remember which, relies on the file
>>>/usr/bin/newgrp being world executable.  I just took that permission away
>>>to make the permissions 710.  Does anybody know if that will work as a
>>>quick fix for now?
>>>
>>
>>Yes, it works. Only those who can execute newgrp while it is suid can
>>run the exploit. Removing permission to execute it will remove the
>>problem, as will removing the suid bit (but you might find suid is
>>needed for anyone but root...make the group some group that only trusted
>>individuals can access).
>>
>>D. Stimits, stimits at idcomm.com
>>
>>
>>>Greg
>>>
>>>
>>>>From: Nate Duehr <nate at natetech.com>
>>>>Reply-To: lug at lug.boulder.co.us
>>>>To: lug at lug.boulder.co.us
>>>>Subject: Re: [lug] New root exploit for kernels prior to 2.4.12
>>>>Date: Fri, 19 Oct 2001 17:05:07 -0600
>>>>
>>>>I haven't had a chance to read this yet, but is this a remote exploit
>>>>(network-based) or a local exploit?
>>>>
>>>>On Fri, Oct 19, 2001 at 11:55:47AM -0600, Scott A. Herod wrote:
>>>>
>>>>>SecurityFocus has a note about a root exploit against kernels prior to
>>>>>2.4.12.
>>>>>
>>>>>http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21
>>>>>
>>>>>Since they've also put up an exploit, I'd guess that it's once again
>>>>>time to upgrade the kernel.
>>>>>_______________________________________________
>>>>>Web Page:  http://lug.boulder.co.us
>>>>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>>>
>>>>--
>>>>Nate Duehr <nate at natetech.com>
>>>>
>>>>GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
>>>>Public Key available upon request, or at wwwkeys.pgp.net and others.
>>>>
>>>
>>>
>>
>
>
>--
>
>   - John Hernandez - Network Engineer - 303-497-6392 -
>  |  National Oceanic and Atmospheric Administration   |
>  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
>   ----------------------------------------------------
>


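The thread's two practical points are (1) inventory the setuid-root binaries that an ordinary local account can execute, since each is a possible vehicle for the kernel bug, and (2) as a stopgap, keep the setuid bit but restrict execution to a trusted group (mode 4710), or drop the bit outright. The script below is an added example written for this page; it is not code from the thread or from any of the posters. Function names are hypothetical, and the sample tree it builds under mktemp is constructed so the script runs offline without touching the real filesystem. To audit a real host the way Greg's one-liner does, run the list functions against / with OWNER=root set.

```shell
#!/bin/sh
# Added example (not from the thread): find setuid/setgid binaries that
# any local user can run, and apply the "quick fix" discussed above.
#
# OWNER, if set, restricts the search to files owned by that user
# (OWNER=root reproduces the -user root filter from the thread).
# The unquoted expansions below collapse to nothing when OWNER is empty.

# Every setuid or setgid regular file under $1, staying on one filesystem.
# POSIX find: -perm -4000 means "the setuid bit is set" (other bits ignored).
list_setid_files() {
    find "$1" -xdev -type f ${OWNER:+-user} ${OWNER} \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Setuid files that are also executable by "other" (the 0001 bit). These
# are the ones an arbitrary local account can use as a vehicle.
list_world_exec_setuid() {
    find "$1" -xdev -type f ${OWNER:+-user} ${OWNER} \
        -perm -4000 -perm -0001 -print 2>/dev/null | sort
}

# Number of world-executable setuid files under $1 (0 when the list is empty).
count_world_exec_setuid() {
    list_world_exec_setuid "$1" | wc -l | tr -d ' '
}

# Short-term fix from the thread: keep setuid so the program still works
# for trusted users, but let only members of group $2 execute it (4710).
restrict_setuid_to_group() {
    chgrp "$2" "$1" && chmod 4710 "$1"
}

# Alternative: remove the setuid bit entirely (the program then runs as
# the caller and can no longer be used as a privileged vehicle).
drop_setuid() {
    chmod u-s "$1"
}

# Constructed sample tree with a mix of modes, so the audit can be
# exercised without scanning /. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/bin"
    for f in usr/bin/newgrp usr/bin/passwd bin/ping usr/bin/editor; do
        : > "$d/$f"
    done
    chmod 4755 "$d/usr/bin/newgrp"   # setuid, world-executable: flagged
    chmod 4710 "$d/usr/bin/passwd"   # setuid, group-only execute: not flagged
    chmod 2755 "$d/bin/ping"         # setgid only: listed, not flagged
    chmod 0755 "$d/usr/bin/editor"   # ordinary binary: ignored
    printf '%s\n' "$d"
}

# Demo on the constructed tree; set NO_DEMO=1 to only define the functions.
if [ -z "${NO_DEMO:-}" ]; then
    root=$(make_sample_tree)
    echo "setuid/setgid files:";            list_setid_files "$root"
    echo "world-executable setuid files:";  list_world_exec_setuid "$root"
    restrict_setuid_to_group "$root/usr/bin/newgrp" "$(id -gn)"
    echo "after restricting newgrp to $(id -gn):"
    list_world_exec_setuid "$root"
    rm -rf "$root"
fi
```

The group-restriction route keeps the binary usable for the people who need it (as D. Stimits notes, setuid is usually required for anyone but root), while `drop_setuid` is the blunter option. Neither replaces the kernel upgrade: the search only narrows the set of programs an unprivileged local user can launch, and the bug itself stays in the kernel.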



