Re: RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)
On Mon, 13 Nov 2000, Keith Owens wrote:
> The invoking program does not have to be setuid. It has to pass its
> parameters directly into the kernel, the kernel must be compiled with
> kmod and kmod must pass the parameter directly to modprobe.
net/core/dev.c, line 348:

#ifdef CONFIG_KMOD
void dev_load(const char *name)
{
        if(!dev_get(name) && capable(CAP_SYS_MODULE))
                request_module(name);
}
/* ...snip... */

It has to run at a privileged level (or have CAP_SYS_MODULE).
> This time you cannot blame it on Redhat, the modprobe bug has been there
> for quite a while.
RedHat (and some other vendors) have not audited recently introduced
code. That's all I can say. Of course it's a modutils bug.
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
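
An added example, not part of the original message and not kernel or modutils code: a user-space C sketch of constraining a device name with an allow-list before it is handed on as a module request, the step at which the thread says the parameter is passed through directly. The helper names, the 16-byte limit, the permitted character set and the `netdev-` prefix are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define IFNAME_MAX 16 /* assumed limit, including the trailing NUL */

static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z');
}

/* Hypothetical allow-list check: 1 if the name may be passed on, else 0. */
int ifname_is_safe(const char *name)
{
    size_t i;
    if (name == NULL || !is_ascii_alnum((unsigned char)name[0]))
        return 0; /* NULL, empty, or not starting with a letter/digit */
    for (i = 1; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        if (i >= IFNAME_MAX - 1)
            return 0; /* too long for the assumed limit */
        if (!is_ascii_alnum(c) && c != '_' && c != '.' && c != '-')
            return 0; /* whitespace, '/', quotes, shell characters, ... */
    }
    return 1;
}

/* Hypothetical wrapper: formats the request with a fixed prefix so the
 * text handed to the module loader never begins with caller input.
 * Returns 0 on success, -1 if the name is rejected or does not fit. */
int build_module_request(const char *name, char *out, size_t outlen)
{
    int n;
    if (!ifname_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "netdev-%s", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the thread. */
    const char *samples[] = { "eth0", "ppp0.1", "", "eth0 x", "a/b" };
    char req[32];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", samples[i],
               build_module_request(samples[i], req, sizeof req) ? "rejected" : req);
    return 0;
}
```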