[cobalt-security] Possible solution for BIG security hole in RaQ3 server
- Subject: [cobalt-security] Possible solution for BIG security hole in RaQ3 server
- From: Goran Blagus <vectro@xxxxxxxxxxxx>
- Date: Mon, 12 Jun 2000 10:45:24 +0200
Hello!
<BAD ENGLISH>
Here is the post from the bugtraq mailing list with a program in C which we have
installed on RaQ3 to prevent abuse of the CAP_SETUID vulnerability.
We have tested this module with two exploits that were posted earlier to the same
bugtraq list, and it works great.
What we didn't succeed in is compiling this program on RaQ2. RaQ2 is also
affected by this security bug. Any help in compiling this program is
appreciated.
</BAD ENGLISH>
Goran Blagus
Post from bugtraq:
******************************************
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
From: xdr <xdr@xxxxxxxx>
Subject: Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities
X-To: Kyle Sparger <ksparger@xxxxxxxxxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
The best thing to do would be to eradicate the problem specifically rather than
disabling the capset system call altogether. Linux 2.4.0 will make use
of capabilities and will need this system call for some applications to
function properly, afaik.
Here is another loadable module that will attack the problem more
specifically and log attempts to abuse this bug along with the UID and task
information.
--- SNIP ---
/*
 * Simple module to detect/prevent abuse of CAP_SETUID vulnerability.
 *
 * To use:
 *
 * amenophis(xdr)~% gcc -Wall -O2 -I/usr/src/linux/include -c cpdm.c
 * amenophis(xdr)~% su -c '/sbin/insmod cpdm.o'
 * Password:
 * Detect and prevent abuse of CAP_SETUID kernel bug: xdr@xxxxxxxx
 * amenophis(xdr)~% ./cap/capset-test
 * Program attempting to possibly abuse CAP_SETUID bug: UID: 1000 TASK: capset-test[318].
 * capset returns (-1) errno (1 [Operation not permitted])
 *
 * $Id: cpdm.c,v 1.1 2000/06/10 22:00:09 xdr Exp $
 */
#define __KERNEL__
#define MODULE
#ifdef MODVERSIONS
#include <linux/modversions.h>
#endif
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/capability.h>
#include <linux/unistd.h>
#include <linux/errno.h>
#include <asm/uaccess.h>
#include <sys/syscall.h>

/* Error returned to a blocked caller: 1 -> -EPERM, 0 -> -EFAULT. */
#define RETURN_EPERM 1

extern void *sys_call_table[];

/* Saved pointer to the kernel's original sys_capset(). */
static asmlinkage int (*orig_sys_capset)(cap_user_header_t, cap_user_data_t);

/*
 * Replacement for sys_capset(): log and refuse any capset() call from a
 * non-root process whose requested inheritable set lacks CAP_SETUID.
 * Everything else is passed through to the original system call.
 */
asmlinkage int new_sys_capset(cap_user_header_t header, cap_user_data_t dataptr)
{
    struct __user_cap_data_struct data;

    /* dataptr is a user-space pointer: copy it in instead of dereferencing it. */
    if (copy_from_user(&data, dataptr, sizeof(data)))
        return -EFAULT;

    if (current->uid && !cap_raised(data.inheritable, CAP_SETUID)) {
        printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
               "UID: %d TASK: %.15s[%d].\n",
               current->uid, current->comm, current->pid);
        return (RETURN_EPERM ? -EPERM : -EFAULT);
    }
    return orig_sys_capset(header, dataptr);
}

int init_module(void)
{
    printk(KERN_INFO
           "Detect and prevent abuse of CAP_SETUID kernel bug: xdr@xxxxxxxx\n");
    /* Hook capset() by swapping its entry in the system call table. */
    orig_sys_capset = sys_call_table[__NR_capset];
    sys_call_table[__NR_capset] = new_sys_capset;
    return 0;
}

void cleanup_module(void)
{
    /* Restore the original entry before the module is unloaded. */
    sys_call_table[__NR_capset] = orig_sys_capset;
}
--- SNIP ---
----------------
Croadria Internet usluge - http://www.croadria.com
Subiceva 3, 10000 ZAGREB
Tel: 01/ 4556 465
E-mail: gblagus@xxxxxxxxxxxx
ICQ UIN: 5441616
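For anyone running cpdm.o, the KERN_ALERT line it prints is what lands in syslog, so the blocked calls can be watched from there. The following is an added Python example, not code from either post: it pulls those alert lines out of a log and counts blocked capset() calls per UID. The syslog prefix and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Alert format emitted by the cpdm.c module's printk:
#   "Program attempting to possibly abuse CAP_SETUID bug: UID: %d TASK: %.15s[%d]."
# comm is at most 15 characters (%.15s), so match it lazily up to the "[pid]".
ALERT_RE = re.compile(
    r"Program attempting to possibly abuse CAP_SETUID bug: "
    r"UID: (?P<uid>\d+) TASK: (?P<comm>.{1,15}?)\[(?P<pid>\d+)\]\."
)

# Constructed sample log (hostname, timestamps and the sendmail line are made up).
SAMPLE_LOG = """\
Jun 12 10:40:01 raq3 kernel: Detect and prevent abuse of CAP_SETUID kernel bug: xdr@example.invalid
Jun 12 10:41:17 raq3 kernel: Program attempting to possibly abuse CAP_SETUID bug: UID: 1000 TASK: capset-test[318].
Jun 12 10:41:18 raq3 kernel: Program attempting to possibly abuse CAP_SETUID bug: UID: 1000 TASK: capset-test[319].
Jun 12 10:42:03 raq3 kernel: Program attempting to possibly abuse CAP_SETUID bug: UID: 1013 TASK: a.out[402].
Jun 12 10:42:05 raq3 sendmail[405]: starting daemon (8.10.2)
"""


def parse_alerts(text):
    """Return one dict per cpdm alert line with the caller's uid, comm and pid."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"uid": int(m["uid"]), "comm": m["comm"], "pid": int(m["pid"])})
    return alerts


def offenders_by_uid(alerts, threshold=2):
    """Count blocked capset() calls per UID; return UIDs at or above threshold."""
    counts = Counter(a["uid"] for a in alerts)
    return {uid: n for uid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    for a in found:
        print(f"blocked capset() from uid {a['uid']} ({a['comm']}[{a['pid']}])")
    print("repeat offenders:", offenders_by_uid(found))
```

Point the script at /var/log/messages (or `dmesg` output) instead of SAMPLE_LOG to review a live RaQ3.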