SECURITYVULNS:DOC:4235
Mar 20, 2003

linux kmod/ptrace bug - details


Hello

There are many discussions (on slashdot for example) of the recent linux
ptrace (& kmod) bug. I'll try to clarify what this is all about.

It's a local root vulnerability. It's exploitable only if:

  1. the kernel is built with modules and kernel module loader enabled
    and
  2. /proc/sys/kernel/modprobe contains the path to some valid executable
    and
  3. ptrace() calls are not blocked

These conditions are met on most standard linux distros.

Ok, now how it works:
When a process requests a feature which is in a module, the kernel spawns
a child process, sets its euid and egid to 0 and calls execve("/sbin/modprobe").
The problem is that before the euid change the child process can be
attached to with ptrace(). Game over: the user can insert any code into a
process which will then be run with superuser privileges.

Solutions/workarounds:

  • patch the kernel
    or
  • disable kmod/modules
    or
  • install a ptrace-blocking module
    or
  • set /proc/sys/kernel/modprobe to /any/bogus/file
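The three preconditions and the last workaround above can be audited from a shell. The script below is an added helper, not code from the post; the /proc paths and the kernel version are parameters so it can be run against captured values, and condition 3 (whether ptrace is blocked) is not checked, since there is no portable file to read for it.

```shell
#!/bin/sh
# Added audit helper for the kmod/ptrace preconditions: report only, change nothing.

# Condition 2: does the configured modprobe path point at a real executable?
modprobe_path_is_valid() {
    path="$1"
    [ -n "$path" ] && [ -f "$path" ] && [ -x "$path" ]
}

# Condition 1 proxy: a kernel built with module support exposes /proc/modules.
kernel_has_modules() {
    [ -r "${1:-/proc/modules}" ]
}

# The post states 2.5 kernels spawn modprobe from keventd and are not affected.
# Classify a "major.minor.patch[-extra]" version string as pre-2.5 or not.
kernel_series_pre_2_5() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 5 ]; then return 0; fi
    return 1
}

# Combine the checks into one verdict string. Arguments (all optional):
#   $1 file holding the modprobe path   (default /proc/sys/kernel/modprobe)
#   $2 module list file                 (default /proc/modules)
#   $3 kernel version string            (default: uname -r)
# Exit status is 1 only when the host matches the exploitable preconditions.
kmod_ptrace_verdict() {
    proc_modprobe="${1:-/proc/sys/kernel/modprobe}"
    proc_modules="${2:-/proc/modules}"
    version="${3:-$(uname -r)}"
    if ! kernel_series_pre_2_5 "$version"; then
        echo "not-affected-series"; return 0
    fi
    if ! kernel_has_modules "$proc_modules"; then
        echo "no-module-support"; return 0
    fi
    target=""
    if [ -r "$proc_modprobe" ]; then target=$(cat "$proc_modprobe"); fi
    if modprobe_path_is_valid "$target"; then
        echo "exposed:$target"; return 1
    fi
    # Workaround from the post: a bogus path means there is nothing to exec.
    echo "mitigated:modprobe-path-bogus"; return 0
}

kmod_ptrace_verdict
```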

A word about 2.5 kernels: these are not vulnerable because the kernel
thread spawning code has been rewritten so that the modprobe process is
spawned from keventd; it never runs with a non-root uid, so it can't be
ptraced by any non-root user.

Sample exploit here (ix86-only):
http://august.v-lo.krakow.pl/~anszom/km3.c
: Andrzej Szombierski : [email protected] : [email protected] :
: [email protected] ::: radio bez kitu <=> http://bezkitu.com :