From aleph1@SECURITYFOCUS.COM Mon Nov 13 14:20:01 2000
Date: Mon, 13 Nov 2000 08:29:38 -0800
From: Elias Levy
To: vuldb@securityfocus.com
Subject: (forw) BUGTRAQ: approval required (5663CBB0)

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

[ Part 2: "Included Message" ]

Date: Mon, 13 Nov 2000 02:38:54 -0800
From: "L-Soft list server at SecurityFocus.com (1.8d)"
To: Elias Levy
Subject: BUGTRAQ: approval required (5663CBB0)

This message was originally submitted by kaos@OCS.COM.AU to the BUGTRAQ list at LISTS.SECURITYFOCUS.COM. You can approve it using the "OK" mechanism, ignore it, or repost an edited copy. The message will expire automatically and you do not need to do anything if you just want to discard it. Please refer to the list owner's guide if you are not familiar with the "OK" mechanism; these instructions are being kept purposefully short for your convenience in processing large numbers of messages.

----------------- Original message (ID=5663CBB0) (117 lines) ------------------

Return-Path:
Delivered-To: bugtraq@lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by lists.securityfocus.com (Postfix) with SMTP id 013DB24C41C for ; Mon, 13 Nov 2000 02:38:54 -0800 (PST)
Received: (qmail 19072 invoked by alias); 13 Nov 2000 10:41:26 -0000
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Received: (qmail 18986 invoked from network); 13 Nov 2000 10:41:25 -0000
Received: from ppp0.ocs.com.au (HELO mail.ocs.com.au) (203.34.97.3) by mail.securityfocus.com with SMTP; 13 Nov 2000 10:41:25 -0000
Received: (qmail 20962 invoked from network); 13 Nov 2000 10:40:19 -0000
Received: from ocs3.ocs-net (192.168.255.3) by mail.ocs.com.au with SMTP; 13 Nov 2000 10:40:19 -0000
X-Mailer: exmh version 2.1.1 10/15/1999
From: Keith Owens
To: Michal Zalewski
Cc: BUGTRAQ@SECURITYFOCUS.COM, Sebastian
Subject: Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)
In-reply-to: Your message of "Sun, 12 Nov 2000 22:46:53 BST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 13 Nov 2000 21:40:19 +1100
Message-ID: <1841.974112019@ocs3.ocs-net>

On Sun, 12 Nov 2000 22:46:53 +0100, Michal Zalewski wrote:
>This vulnerability has been found by Sebastian Krahmer some time ago (he
>is posting an advisory right now). Stupid shell command execution within
>userspace kernel helper application, modprobe, is something you do not
>want to see. But it happened. I have no idea how it could be introduced in
>RH 7.0 systems and some other distros (like recent SuSE), but it was. Ugh.

Insert usual complaint about exploit being posted without contacting
maintainer first.

This bug was introduced to modutils on March 12 1999; it does not affect
modutils 2.1.121. modprobe tries echo as the last-ditch file expansion
method, using popen. There is no good reason to do that.

>NOTE: if this exploit fails, it does not have to mean your modprobe is
>secure; it might mean your system is equipped with, for example, old
>/bin/ping utility, instead of new iputils software. You should be aware
>that RedHat released some iputils updates, which apparently seem to
>"accidentally" fix this particular way to exploit it. But this utility is
>only an instrument used to exploit the bug. You can play with other setuid
>programs, /bin/ping6, privileged services etc. Be creative.

The invoking program does not have to be setuid. It has to pass its
parameters directly into the kernel, the kernel must be compiled with kmod
and kmod must pass the parameter directly to modprobe.

>Well, two applications were upgraded and shipped in the manner which opens
>really huge root compromise possibility.
Well done, RedHat :) This time you cannot blame on Redhat, the modprobe bug has been there for quite a while. Patch against modutils 2.3.19. Index: 19.7/util/meta_expand.c --- 19.7/util/meta_expand.c Sun, 10 Sep 2000 12:56:40 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644) +++ 19.7(w)/util/meta_expand.c Mon, 13 Nov 2000 21:19:41 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644) @@ -156,12 +156,8 @@ static int glob_it(char *pt, GLOB_LIST * */ int meta_expand(char *pt, GLOB_LIST *g, char *base_dir, char *version) { - FILE *fin; - int len = 0; - char *line = NULL; char *p; char tmpline[PATH_MAX + 1]; - char tmpcmd[PATH_MAX + 11]; g->pathc = 0; g->pathv = NULL; @@ -277,38 +273,6 @@ int meta_expand(char *pt, GLOB_LIST *g, /* Only "=" remaining, should be module options */ split_line(g, pt, 0); return 0; - } - - /* - * Last resort: Use "echo" - */ - sprintf(tmpline, "%s%s", (base_dir ? base_dir : ""), pt); - sprintf(tmpcmd, "/bin/echo %s", tmpline); - if ((fin = popen(tmpcmd, "r")) == NULL) { - error("Can't execute: %s", tmpcmd); - return -1; - } - /* else */ - - /* - * Collect the result - */ - while (fgets(tmpcmd, PATH_MAX, fin) != NULL) { - int l = strlen(tmpcmd); - - line = (char *)xrealloc(line, len + l + 1); - line[len] = '\0'; - strcat(line + len, tmpcmd); - len += l; - } - pclose(fin); - - if (line) { - /* Ignore result if no expansion occurred */ - strcat(tmpline, "\n"); - if (strcmp(tmpline, line)) - split_line(g, line, 0); - free(line); } return 0;
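Review bot: With the whole "/bin/echo" fallback deleted in the second hunk, confirm that `tmpline` (still declared in the first hunk) and the `base_dir` parameter are referenced elsewhere in meta_expand(); the removed `sprintf(tmpline, "%s%s", (base_dir ? base_dir : ""), pt);` was their visible user, so an unused-variable warning here would mean more of the function can go. The change also alters observable behaviour without a changelog or man-page note: a name that previously only resolved through the echo expansion now falls through to the trailing `return 0;` with `g->pathc` left at 0 and `g->pathv` NULL, so callers must already cope with an empty result; a one-line entry saying that meta_expand() no longer performs shell expansion would make that explicit.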
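As an added illustration of the two defensive options a maintainer has once the popen("/bin/echo %s") fallback is gone (this is example code written for this page, not modutils code and not part of Keith's patch), the block below shows a whitelist check for module names and, for the case where an external helper really must be run, execv() with a fixed argv so the string never reaches /bin/sh. The assumptions are that the name arrives from an untrusted caller (the kernel passes request_module() names through from userspace) and that a legitimate module path contains only letters, digits, '_', '-', '.' and '/'; the function names are the example's own.

```c
/* Added example, not modutils code: defensive replacements for the
 * removed popen("/bin/echo %s") fallback in meta_expand().
 * Assumption: module names are attacker-influenced and a legitimate
 * name uses only [A-Za-z0-9_./-]. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Option 1: whitelist the name before doing anything with it.
 * Returns 1 when every character is in the allowed set, 0 otherwise.
 * Shell metacharacters (';', '`', '$', '|', whitespace, ...) never pass. */
int is_safe_module_name(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '/'))
            return 0;
    }
    return 1;
}

/* Option 2: if a helper must run, hand it the string as a single argv
 * element via execv() instead of through "sh -c".  The child sees the
 * bytes verbatim, so "a;b" is one argument "a;b", not two commands.
 * stdout is read back over a pipe, as the old popen() code did.
 * Returns bytes captured (NUL-terminated in buf), or -1 on error. */
ssize_t echo_without_shell(const char *arg, char *buf, size_t buflen)
{
    int fds[2];
    pid_t pid;
    ssize_t total = 0, n;
    int status;

    if (buflen == 0 || pipe(fds) == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: route stdout into the pipe, then exec with a fixed argv */
        char *argv[] = { "/bin/echo", (char *)arg, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127); /* only reached if exec failed */
    }
    close(fds[1]);
    while (total < (ssize_t)buflen - 1 &&
           (n = read(fds[0], buf + total, buflen - 1 - total)) > 0)
        total += n;
    buf[total] = '\0';
    close(fds[0]);
    waitpid(pid, &status, 0);
    return total;
}

/* Check helper: did the argument come back exactly as sent (plus echo's
 * trailing newline)?  1 if so, 0 otherwise. */
int echo_arg_survives(const char *arg)
{
    char out[256];
    size_t len = strlen(arg);
    ssize_t got = echo_without_shell(arg, out, sizeof out);
    return got == (ssize_t)len + 1 && memcmp(out, arg, len) == 0 &&
           out[len] == '\n';
}

int main(void)
{
    /* constructed sample names: one plain path, two with shell syntax */
    const char *names[] = { "net/ipv4/ip_gre", "mod;name", "$(x)" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s safe=%d literal_through_execv=%d\n", names[i],
               is_safe_module_name(names[i]), echo_arg_survives(names[i]));
    return 0;
}
```

The whitelist is the check that belongs in modprobe itself, since a kernel-supplied name has no business containing shell syntax; the execv() path shows why the patch could simply delete the fallback rather than escape the string: once no shell is involved there is nothing left to escape.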