[Fwd: Local root vulnerability in most used Linux kernels]

Bc. Ales Berka alda na aristia.cz
Thursday June 8 10:58:01 CEST 2000



-------- Original Message --------
Subject: Local root vulnerability in most used Linux kernels
Date: 8 Jun 2000 10:00:33 +0200
From: gerrie na HIT2000.ORG (Gerrie)
Reply-To: Gerrie <gerrie na HIT2000.ORG>
Organization: Mail2News Gateway at CameloT Online Services
Newsgroups: muc.lists.bugtraq

There is a zero-day exploit for the kernel in the hands of script kiddies.

After they locally rooted 2 systems in which I have an interest and ran
dd if=/dev/zero of=/dev/hda1 &
on both, I spent 7 hours finding fragments (we really need easier tools:
LDE with GUI block search capabilities).
With this, and with the help of Peter, we came to the following conclusion.

This exploit gives them local root.
It works (as far as investigated) on

Linux 2.2.15
Linux 2.2.14-5.0 (RedHat 6.2)
Not vulnerable: 2.2.0 kernels, 2.2.16pre6 kernels and FreeBSD 4.0.
2.0.x Linux kernels don't have capabilities, and are probably not
vulnerable.

In the Linux kernel there are capabilities that place restrictions on
processes.
A process (like sendmail or httpd) can do its job as root, and after it is
finished all capabilities as root are dropped.

Someone succeeded in calling CAP_SETUID priv; sendmail can't drop root to a
normal user after that.
Because sendmail isn't made to run as root, the rest of sendmail is easy to
abuse.

The bug in sendmail is only available when sendmail *probably* doesn't check
if the dropping of privs succeeded.
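The point of the paragraph above is the missing check: if a setuid-root daemon never verifies that its privilege drop succeeded, a failed setuid() leaves it running as root while it believes it is unprivileged. The following C program is an added example written for this page; it is not sendmail's code and not part of the original post. It shows the unchecked pattern the post describes next to a hardened drop that checks every call, reads the ids back, and confirms root cannot be regained. The function names, the generic daemon setting and the choice to drop to the caller's own ids in main() are assumptions made for the example.

```c
/* Added example: checked privilege dropping for a setuid-root daemon.
   Generic illustration, not sendmail's code or the poster's. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Pure check: do all four ids match what we intended? (1 = yes, 0 = no) */
int ids_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* The pattern described in the post: the result of setuid() is ignored,
   so if the call fails the program keeps running as root while believing
   it has dropped privileges. Kept here only as the "before" picture. */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    (void)setgid(gid);
    (void)setuid(uid);   /* if this fails, nobody notices */
}

/* Hardened version: every step is checked and the outcome is verified.
   Returns 0 on success, -1 (with errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups and the gid must go first: once the uid is
       unprivileged, changing groups is no longer permitted. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Do not trust the return codes alone: read the ids back. */
    if (!ids_match(uid, gid)) {
        errno = EPERM;
        return -1;
    }

    /* If we gave up root, make sure it cannot be regained. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to our own ids is allowed for any user, so this runs
       unprivileged; a real daemon would pass its service account's ids. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The two verification steps after the setuid() call are what matter: reading the ids back catches a call that returned success without taking effect, and the attempted setuid(0) catches a drop that left a saved root id behind. A daemon that fails either check should exit rather than continue serving requests as root.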

Special thanx to Peter van Dijk for his great (major part of the) analysis.

gtx,
Gerrie Mansur
HIT2000 Information security
www.hit2000.org
www.hit2000.nl


More information about the Linux mailing list