94509 2003-03-19 23:18 /44 lines/ Andrzej Szombierski <qq@kuku.eu.org>
Imported: 2003-03-19 23:18 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4055>
Subject: linux kmod/ptrace bug - details
------------------------------------------------------------

Hello

There are many discussions (on slashdot for example) on the recent
linux ptrace (& kmod) bug. I'll try to clarify what this is all
about.

It's a local root vulnerability. It's exploitable only if:
1. the kernel is built with modules and kernel module loader enabled,
   and
2. /proc/sys/kernel/modprobe contains the path to some valid
   executable,
   and
3. ptrace() calls are not blocked

These conditions are met on most standard linux distros.

Ok, now how it works: when a process requests a feature which is in a
module, the kernel spawns a child process, sets its euid and egid to
0 and calls execve("/sbin/modprobe"). The problem is that before the
euid change the child process can be attached to with ptrace(). Game
over: the user can insert any code into a process which will be run
with superuser privileges.

Solutions/workarounds:
- patch the kernel
 or
- disable kmod/modules
 or
- install a ptrace-blocking module
 or
- set /proc/sys/kernel/modprobe to /any/bogus/file

A word about 2.5 kernels: these are not vulnerable because the
kernel thread spawning code has been rewritten so that the modprobe
process is spawned from keventd; it never runs with a non-root uid, so
it can't be ptraced by any non-root user.
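As an added example that is not part of this post, here is a small POSIX shell audit function that checks the three preconditions listed above (module support, a valid executable in /proc/sys/kernel/modprobe, no ptrace-blocking module) together with the 2.5 kernel note, so an admin can confirm the bogus-modprobe-path workaround is really in effect. The "ptrace" substring match for a blocking module is my assumption, and all inputs are parameters so it can be run against saved copies of the proc files.

```shell
#!/bin/sh
# Added audit helper; it is not part of the original post. It tests the
# three preconditions above plus the 2.5 note, so an admin can confirm the
# bogus-modprobe-path workaround is really in effect. All inputs are
# parameters so it can be run against saved copies of the proc files.
#
# kmod_ptrace_exposure [MODPROBE_SYSCTL] [MODULES_LIST] [KERNEL_RELEASE]
#   exit 0 = all conditions hold on a pre-2.5 kernel (exposed), 1 otherwise
kmod_ptrace_exposure() {
    sysctl_file="${1:-/proc/sys/kernel/modprobe}"
    modules_file="${2:-/proc/modules}"
    release="${3:-$(uname -r)}"
    met=0

    # 1. module support: /proc/modules only exists on a modular kernel
    if [ -e "$modules_file" ]; then
        echo "1. module support: yes"; met=$((met + 1))
    else
        echo "1. module support: no"
    fi

    # 2. the sysctl must name a real executable for the race to matter
    helper=$(cat "$sysctl_file" 2>/dev/null || true)
    if [ -n "$helper" ] && [ -x "$helper" ]; then
        echo "2. modprobe helper '$helper': valid executable"; met=$((met + 1))
    else
        echo "2. modprobe helper '${helper:-<unset>}': not executable (workaround)"
    fi

    # 3. ptrace blocking: heuristic (assumption) that a blocking module has
    #    'ptrace' in its name; adjust to whatever module is actually installed
    if [ -e "$modules_file" ] && grep -qi ptrace "$modules_file"; then
        echo "3. ptrace-blocking module loaded: yes"
    else
        echo "3. ptrace-blocking module loaded: no"; met=$((met + 1))
    fi

    # 2.5 and later spawn modprobe from keventd, so the race is gone there
    major=${release%%.*}; rest=${release#*.}; minor=${rest%%.*}
    minor=${minor%%[!0-9]*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "${minor:-0}" -ge 5 ]; }; then
        echo "kernel $release: not affected (modprobe spawned from keventd)"; return 1
    fi
    if [ "$met" -eq 3 ]; then
        echo "kernel $release: EXPOSED, all three conditions hold"; return 0
    fi
    echo "kernel $release: not exposed ($met of 3 conditions hold)"; return 1
}
```

Run it without arguments on the live host, or point it at copies of /proc/sys/kernel/modprobe and /proc/modules plus a release string.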

Sample exploit here (ix86-only):
http://august.v-lo.krakow.pl/~anszom/km3.c

-- 
: Andrzej Szombierski : anszom@v-lo.krakow.pl : qq@kuku.eu.org :
: anszom@bezkitu.com ::: radio bez kitu <=> http://bezkitu.com :