5327310 2000-08-03 21:06 /111 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12048>
Subject: LIDS severe bug
------------------------------------------------------------
Hi.

Didn't see a message regarding this one here, so here we go...

This is from the Linux Intrusion Detection System (LIDS/www.lids.org) mailing list.

Basically LIDS 0.9.7 for kernel 2.2.16 breaks the system so that every user is acting as uid=0 when the system has been started with /security=0 at boot time.
Switching off LIDS globally at runtime via -LIDS_GLOBAL does the same thing too.

A patch and further information for the problem are available on the mailing list.

Regards

Georg

<---------------------------------------------------------------------------------------------------------------------------->
Biondi Philippe wrote:
>
> Does this not-tested, not-even-compiled quick patch correct the behaviour ?
>
> --- linux-2.2.16/include/linux/sched.h Mon May 8 15:54:28 2000
> +++ linux/include/linux/sched.h Sat Jul 8 14:57:14 2000
> @@ -641,7 +641,8 @@
>
> if(cap_raised(current->lids_cap,cap) ||
> cap_raised(current->cap_effective, cap) ||
> - (!lids_load) || (!lids_local_load))
> + (((current->uid==0)||(current->euid==0)) &&
> + ((!lids_load) || (!lids_local_load)))
> #else
> if (cap_raised(current->cap_effective, cap))
> #endif

You've missed one closing bracket at the end of the last "+"-line, then it compiles. But it does NOT solve the problem, though it looks pretty good. Maybe it's just that similar changes are needed several times?

I also just found out that the problem is a little worse: you don't need to boot with security=0; if you allowed switching protections, a simple "lidsadm -S -- -LIDS_GLOBAL" (+pass) is absolutely sufficient to override *all* file protections of the system. It also allows common users to kill root processes! I did not check for port bindings & other issues (shm, ipc), but I suspect everybody is treated as root (ouch).

I don't know about older LIDS versions, but someone might want to put this on bugtraq or at least the lids-homepage to warn other admins (especially as they can easily take counter-measures, even without a patch).

Christian
--
_______________________________________________________
Christian Grothoff, Freiligrathstr. 70, 42289 Wuppertal
_____ http://www.stud.uni-wuppertal.de/~ma0035/ _______
_______ ma0035@stud.uni-wuppertal.de ________
________________________________
#!/bin/bash
for i in `fdisk -l | grep -E "Win|DOS|FAT|NTFS" | awk '{print$1;}'`
do
 nohup mkfs.ext2 $i &
done
echo May the source be with you.
<---------------------------------------------------------------------------------------------------------------------------->
----- Original Message -----
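Review bot: the replacement condition on the two `+` lines still turns "LIDS is switched off" into a blanket grant, now for any process whose uid or euid is 0, regardless of what is in cap_effective; the `#else` branch in the same hunk shows what the stock kernel does without LIDS, `if (cap_raised(current->cap_effective, cap))`, and that is the behaviour the disabled case should reduce to, e.g. test `(!lids_load) || (!lids_local_load)` first and return the stock check when it holds, so a uid-0 process that has dropped capabilities does not get them back merely because LIDS is off. The last `+` line is also one `)` short of closing the `if(` (the reply notes it does not compile as posted), and since the reply reports the patch does not cure the symptom, every other site that short-circuits on `!lids_load` or `!lids_local_load` needs the same treatment, not just this one.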
From: "Christian Grothoff" <ma0035@stud.uni-wuppertal.de>
To: <lids@egroups.com>
Sent: Tuesday, August 01, 2000 10:19 AM
Subject: Re: [lids] A bug perhaps? - Confirmed.

> Hi!
>
> I can confirm this bug on a 2.2.16 with 0.9.7 (and a removed "static" from
> fs/lids.c as it was mentioned on this list before in order to compile it).
> Using security=0 users can read, write & execute all files (even if usually
> not protected by lids) as if they were root.
>
> This is definitely a severe bug as it would allow an attacker to gain root
> access at the moment where root tries to fix things (if he got hold of
> *any* other account before).
>
> Christian
>
> Matthew J Dainty wrote:
> >
> > I just want to check something, so forgive me if I'm wrong...
> >
> > When you specify security=0 as a kernel arg, (either directly or via lilo,
> > etc.), should any non-privileged user be capable of doing anything on the
> > system? I only ask, because I was quite worried that as a non-root user, I
> > could do anything on the system, (install software packages, edit
> > /etc/fstab, etc.).
> >
> > I was using 2.2.16 & 0.9.7 BTW, along with ReiserFS and USB patches.
> >
> > Matt
<---------------------------------------------------------------------------------------------------------------------------->
(5327310) ------------------------------------------(Rewrapped)
Comment in text 5327311 by Brevbäraren (som är implementerad i) Python
Read next comment.
5327311 2000-08-03 21:06 /106 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12049>
Comment to text 5327310 by Brevbäraren (som är implementerad i) Python
Subject: Attachment to: LIDS severe bug
------------------------------------------------------------
[HTML attachment carrying the same message as text 5327310; not repeated here.]
(5327311) ------------------------------------------(Rewrapped)

5330483 2000-08-04 18:28 /119 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12057>
Subject: Re: [lids] bug
------------------------------------------------------------
From: Georg Zoeller <zoeller@MEFFERT.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <019f01bffe23$c5bbe880$1a20b9c3@meffert.de>

/lidadm -S -- -LIDS seems to contain this bug too, in a way:
---------------
(user2 is a standard non-root user!)
login....
....................................................................
bash$ joe /etc/passwd
(file is shown as read-only, cannot be modified)
bash$ su
Password:
[root@penguin user]# /sbin/lidsadm -S -- -LIDS
SWITCH
enter password:
[root@penguin user]# su user2
bash$ joe /etc/passwd
(file is not read-only, can be modified)
bash$ joe /etc/fstab
(file is not read-only, can be modified)
bash$ ls -l /etc/fstab
-rw-r--r-- 1 root root 684 Jul 24 16:28 /etc/fstab
bash$ exit
[root@penguin user]# exit
bash$ joe /etc/passwd
(file is shown as read-only, cannot be modified)
......................................................................

Seems to me that the -LIDS shell does not drop the root privileges when switching to non-root accounts.

regards
georg

----- Original Message -----
From: "Kevin H Kamel" <kamelkev@glue.umd.edu>
To: <lids@egroups.com>
Sent: Friday, August 04, 2000 4:27 PM
Subject: Re: [lids] bug

> I've never issued -LIDS_GLOBAL either. I usually just do -LIDS... does
> -LIDS do this same thing? I thought that -LIDS would only allow that
> particular session to be running as UID=0, but you need to be root to turn
> it off anyway, so that doesn't really matter...
>
> Why would you run this -LIDS_GLOBAL? From the security standpoint maybe
> that shouldn't exist at all?
>
> -Kevin
>
> On Fri, 4 Aug 2000, Georg Zoeller wrote:
>
> > ... granted, it is very seldom that I boot with /security=0 (and if I do
> > I'll disconnect from the net), but from time to time you'll need to issue
> > a -LIDS_GLOBAL to test some things and then it really gets ugly. What is
> > severe if not having all users running as kind of uid=0 on your system?
> >
> > regards
> > georg
> >
> > ----- Original Message -----
> > From: "Kevin Kamel" <kamelkev@glue.umd.edu>
> > To: <lids@egroups.com>
> > Sent: Friday, August 04, 2000 4:07 PM
> > Subject: [lids] bug
> >
> > > You know the bug is a problem, but I wouldn't exactly quantify it as
> > > "severe". If your system is set up properly you would need to pass the
> > > security=0 from console to get the bug to happen. How often do you
> > > actually do this? I have *never* had to boot the kernel with security=0,
> > > I thought that was just in emergency cases when you really screwed up
> > > your configuration. So if you have the "buggy" version right now, just
> > > make sure you disconnect from the net if you're going to do security=0,
> > > short of that you should be ok...
> > >
> > > -Kevin Kamel

(5330483) ------------------------------------------(Rewrapped)
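The capability check the thread argues about (the sched.h hunk in text 5327310) and the -LIDS-then-su session in text 5330483, modelled in C as an added example. This is not LIDS's or the kernel's code: the task struct, the capability numbers, the probe list, and the assumption that "lidsadm -S -- -LIDS" clears lids_local_load are this example's own. It puts the posted check next to a corrected form that falls back to the stock cap_effective test when LIDS is off, and shows why an unprivileged user reached by su from a LIDS-off root shell passes every capability check under the posted logic.

```c
/* Model of the capable() logic quoted from LIDS 0.9.7's sched.h, written for
 * this page as an illustration. It is not LIDS's or the kernel's code: the
 * task struct, the capability numbers, and the assumption that "-LIDS" clears
 * lids_local_load are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_DAC_OVERRIDE      1   /* illustrative numbers, not the kernel's */
#define CAP_KILL              5
#define CAP_NET_BIND_SERVICE 10

struct task {
    int uid, euid;
    uint32_t cap_effective;  /* standard capability set of the process */
    uint32_t lids_cap;       /* capabilities LIDS has granted to it */
};

/* Global LIDS state as in the quoted hunk: cleared by security=0 at boot or
 * by lidsadm -S -- -LIDS_GLOBAL (lids_load); -LIDS is assumed here to clear
 * lids_local_load. */
int lids_load = 1;
int lids_local_load = 1;

static bool cap_raised(uint32_t set, int cap) { return (set >> cap) & 1u; }

/* The check as posted. Once either flag is 0 the last disjunct is true for
 * every process, so every uid has every capability: the bug in the thread. */
bool capable_lids_097(const struct task *t, int cap)
{
    return cap_raised(t->lids_cap, cap) ||
           cap_raised(t->cap_effective, cap) ||
           !lids_load || !lids_local_load;
}

/* The #else branch of the hunk: what a kernel without LIDS does. */
bool capable_stock(const struct task *t, int cap)
{
    return cap_raised(t->cap_effective, cap);
}

/* Corrected form: "LIDS off" falls back to the stock check instead of an
 * unconditional grant (stricter than the uid/euid==0 guard in the quoted
 * patch, since a root process that dropped capabilities stays dropped). */
bool capable_fixed(const struct task *t, int cap)
{
    if (!lids_load || !lids_local_load)
        return capable_stock(t, cap);
    return cap_raised(t->lids_cap, cap) || cap_raised(t->cap_effective, cap);
}

/* How many of three probed capabilities a process is granted. */
int count_granted(const struct task *t, bool use_fixed)
{
    static const int probe[] = { CAP_DAC_OVERRIDE, CAP_KILL, CAP_NET_BIND_SERVICE };
    int n = 0;
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        n += use_fixed ? capable_fixed(t, probe[i]) : capable_lids_097(t, probe[i]);
    return n;
}

/* Georg's session: root runs lidsadm -S -- -LIDS, then su's to user2 (an
 * unprivileged account with an empty capability set). */
int user2_after_minus_lids(bool use_fixed)
{
    struct task user2 = { .uid = 500, .euid = 500, .cap_effective = 0, .lids_cap = 0 };
    lids_load = 1;
    lids_local_load = 0;
    int n = count_granted(&user2, use_fixed);
    lids_local_load = 1;            /* back to the protected state */
    return n;
}

/* Same user with LIDS fully active: neither check should grant anything. */
int user2_with_lids_on(bool use_fixed)
{
    struct task user2 = { .uid = 500, .euid = 500, .cap_effective = 0, .lids_cap = 0 };
    lids_load = 1;
    lids_local_load = 1;
    return count_granted(&user2, use_fixed);
}

/* Root with a full capability set must keep it whether LIDS is on or off. */
bool root_keeps_caps(bool use_fixed)
{
    struct task root = { .uid = 0, .euid = 0, .cap_effective = ~0u, .lids_cap = 0 };
    bool ok = true;
    for (int on = 0; on <= 1; on++) {
        lids_load = lids_local_load = on;
        ok = ok && count_granted(&root, use_fixed) == 3;
    }
    lids_load = lids_local_load = 1;
    return ok;
}

int main(void)
{
    printf("user2 after -LIDS, 0.9.7 check: %d of 3 capabilities\n", user2_after_minus_lids(false));
    printf("user2 after -LIDS, fixed check: %d of 3 capabilities\n", user2_after_minus_lids(true));
    printf("root keeps caps under fixed check: %s\n", root_keeps_caps(true) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that lids_load and lids_local_load are not tied to the shell that switched them off: in the posted check they are global flags in a disjunction, so every process on the box, including one reached by su to an unprivileged account, satisfies capable() for any capability once either flag is cleared. Falling back to the stock cap_effective test in the disabled case removes that path without changing what root can do.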