7774160 2002-01-09 11:26 -0800  /107 lines/ Huagang Xie <xie@www.lids.org>
Sent by: joel@lysator.liu.se
Imported: 2002-01-09  23:34  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: LIDS Mailing List <lids-user@lists.sourceforge.net>
Recipient: Bugtraq (import) <20450>
Comment on text 7773024 by Obscure <obscure@eyeonsecurity.net>
Subject: LIDS Security Advisory 1
------------------------------------------------------------
From: Huagang Xie <xie@www.lids.org>
To: <bugtraq@securityfocus.com>
Cc: LIDS Mailing List <lids-user@lists.sourceforge.net>
Message-ID: <Pine.LNX.4.33.0201091118110.16399-100000@janus.intruvert.com>

LIDS Advisory 1
================
------------------------------[BUG #1]-------------------------
Severity : CRITICAL
Discovery : Stealth
Original advisory : 
http://www.team-teso.net/advisories/teso-advisory-012.txt

Description :
-------------

The use of LD_PRELOAD can make a program with privileges granted by
LIDS execute an attacker's code. This means that a root intruder can gain
every capability or filesystem access you configured LIDS to grant.
Moreover, if you granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an
attacker could deactivate LIDS and thus access any file.

In some configurations, this also lets users become root (this requires
a program that is granted CAP_SETUID but is not itself setuid).

Systems affected :
------------------

Every LIDS patch whose version is lower than or equal to 1.1.0 for the
2.4 series.
Every LIDS patch whose version is lower than or equal to 0.11.0pre1 for
the 2.2 series.

You can find a little shell script here to check whether you are
vulnerable :
http://www.lids.org/download/test-lids.sh
http://www.lids.org/download/test-lids.sh.asc
Remember that it is only a simple test that does obvious things, and
that those tests may fail if it is not run in the context I wanted it
to be run in.

Solution :
----------

For 2.4 users :
http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz
http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz.asc

For 2.2 users : use the patch against 0.10.1 :
http://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gz
http://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gz.asc

Version 0.11.0pre2 is not vulnerable, but it is broken.
------------------------------[BUG #2]-------------------------
Severity : CRITICAL
Discovery : Phil <pbi@cartel-info.fr>

Description:
------------
Programs launched before LIDS is sealed keep their full capability set
after sealing. We could imagine shellcode that makes a daemon from the
pre-sealing era deactivate LIDS using CAP_SYS_RAWIO or CAP_SYS_MODULE.

Systems affected :
-------------------
Same as BUG #1

Solution :
-------------------
Same as BUG #1
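As an added defender-side example (not the LIDS team's code and not the test-lids.sh script above): a small Python audit that reads /proc/<pid>/status and reports processes still holding CAP_SYS_MODULE, CAP_SYS_RAWIO or CAP_SETUID, the capabilities bugs #1 and #2 turn on, so that pre-sealing daemons with a full capability set can be found. The sample status texts are constructed; the capability bit numbers are those of the Linux capability.h.

```python
"""Audit /proc/<pid>/status for the capabilities named in the advisory.

Added example, not LIDS project code. Processes started before LIDS is
sealed keep their full capability set, so a defender wants to know which
long-running processes still hold CAP_SYS_MODULE or CAP_SYS_RAWIO (either
lets LIDS be switched off) or CAP_SETUID. The SAMPLE texts are constructed.
"""
import os
import re

# Capability bit numbers from include/linux/capability.h.
WATCHED = {"CAP_SETUID": 7, "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17}

_FIELD = re.compile(r"^(Name|Pid|CapEff):\s*(\S+)", re.M)


def parse_status(text):
    """Extract Name, Pid and the hex CapEff mask from a status body."""
    fields = dict(_FIELD.findall(text))
    return {"Name": fields.get("Name", "?"),
            "Pid": int(fields.get("Pid", 0)),
            "CapEff": int(fields.get("CapEff", "0"), 16)}


def dangerous_caps(cap_eff):
    """Sorted names of watched capabilities present in the effective set."""
    return sorted(name for name, bit in WATCHED.items() if cap_eff >> bit & 1)


def audit(status_texts):
    """Map pid -> (name, [caps]) for processes holding a watched capability."""
    hits = {}
    for text in status_texts:
        st = parse_status(text)
        caps = dangerous_caps(st["CapEff"])
        if caps:
            hits[st["Pid"]] = (st["Name"], caps)
    return hits


def audit_live(proc="/proc"):
    """Run the audit against the real procfs (Linux only; unreadable pids skipped)."""
    texts = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "status")) as f:
                texts.append(f.read())
        except OSError:
            continue
    return audit(texts)


# Constructed sample: a pre-sealing daemon with the full 2.4 root set
# (fffffeff) and a confined process holding only CAP_NET_BIND_SERVICE (bit 10).
SAMPLE = [
    "Name:\tsyslogd\nPid:\t212\nCapPrm:\tfffffeff\nCapEff:\tfffffeff\n",
    "Name:\thttpd\nPid:\t340\nCapPrm:\t00000400\nCapEff:\t00000400\n",
]

if __name__ == "__main__":
    for pid, (name, caps) in sorted(audit(SAMPLE).items()):
        print(f"pid {pid} ({name}) still holds {', '.join(caps)}")
```

Replace `audit(SAMPLE)` with `audit_live()` to check a running 2.4 box after `lidsadm` has sealed the kernel; anything it reports predates the seal or was explicitly granted those capabilities.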
------------------------------[BUG #3]-------------------------
Severity : CRITICAL
Discovery : Stealth

Description:
------------
A program invoked from a shell script that inherits LIDS capabilities/ACLs
can be redirected to a different, malicious program via PATH, aliases, etc.
That program then also gains the capabilities/ACLs from its parent, the
shell script.

This bug is as severe as BUG #1.

Systems affected :
------------------
Same as BUG #1

Solution :
------------------
Same as BUG #1

------------------------------------------------------------------------

LIDS TEAM
Jan-9-2002
