public inbox for linux-kernel@vger.kernel.org
* local root exploit confirmed in 2.6.10: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation
From: Lee Revell @ 2004-12-28 21:21 UTC (permalink / raw)
  To: linux-kernel

Frank Barknecht pointed this out on linux-audio-dev, it's a horrible
bug, I confirmed it in 2.6.10, and have not seen it mentioned on the
list.

Executive summary:

Run "vim" as a normal user.  Do ":r /etc/shadow".  Permission denied.

Do "modprobe capability" as root in another terminal.

Do ":r /etc/shadow" again in the same vim.  You will be able to read and
write /etc/shadow as a normal user.

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-12/0390.html

Lee


* Re: local root exploit confirmed in 2.6.10: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation
From: Lee Revell @ 2004-12-28 21:53 UTC (permalink / raw)
  To: linux-kernel

On Tue, 2004-12-28 at 16:21 -0500, Lee Revell wrote:
> http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-12/0390.html
> 

Followup: this was discussed on the LSM list.  Patch is available.

http://mithra.immunix.com/pipermail/linux-security-module/2004-December/index.html

Lee


* Re: local root exploit confirmed in 2.6.10: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation
From: bert hubert @ 2004-12-29 10:25 UTC (permalink / raw)
  To: Lee Revell; +Cc: linux-kernel

On Tue, Dec 28, 2004 at 04:21:55PM -0500, Lee Revell wrote:
> Frank Barknecht pointed this out on linux-audio-dev, it's a horrible
> bug, I confirmed it in 2.6.10, and have not seen it mentioned on the
> list.

Although this sucks, it should be pointed out that it only grants root to
users able to force the loading of a certain module, aka 'root'.

Modules have always been free to give root capabilities to all users. We
don't usually ship these though :-)

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO


* Re: local root exploit confirmed in 2.6.10: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation
From: Lee Revell @ 2004-12-29 10:32 UTC (permalink / raw)
  To: bert hubert; +Cc: linux-kernel

On Wed, 2004-12-29 at 11:25 +0100, bert hubert wrote:
> On Tue, Dec 28, 2004 at 04:21:55PM -0500, Lee Revell wrote:
> > Frank Barknecht pointed this out on linux-audio-dev, it's a horrible
> > bug, I confirmed it in 2.6.10, and have not seen it mentioned on the
> > list.
> 
> Although this sucks, it should be pointed out that it only grants root to
> users able to force the loading of a certain module, aka 'root'.

Not force the loading of a certain module, but predict when it will be
loaded.  Still, not easy to exploit.

Lee


* Re: local root exploit confirmed in 2.6.10: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation
From: Serge E. Hallyn @ 2004-12-29 14:01 UTC (permalink / raw)
  To: Lee Revell; +Cc: bert hubert, linux-kernel

Quoting Lee Revell (rlrevell@joe-job.com):
> On Wed, 2004-12-29 at 11:25 +0100, bert hubert wrote:
> > On Tue, Dec 28, 2004 at 04:21:55PM -0500, Lee Revell wrote:
> > > Frank Barknecht pointed this out on linux-audio-dev, it's a horrible
> > > bug, I confirmed it in 2.6.10, and have not seen it mentioned on the
> > > list.
> > 
> > Although this sucks, it should be pointed out that it only grants root to
> > users able to force the loading of a certain module, aka 'root'.
> 
> Not force the loading of a certain module, but predict when it will be
> loaded.  Still, not easy to exploit.
> 
> Lee

Right, this means it is unsafe to have capabilities compiled as a
module, or at least loaded after any untrusted processes start.

The attached patch, which is a simple port of a fix by Chris Wright
(sent out a year ago), fixes this problem by having the dummy module
track capabilities.

-serge

Signed-off-by: Serge Hallyn <serue@us.ibm.com>

Index: linux-2.6.9/security/dummy.c
===================================================================
--- linux-2.6.9.orig/security/dummy.c	2004-12-24 05:33:33.000000000 -0600
+++ linux-2.6.9/security/dummy.c	2004-12-24 05:41:11.000000000 -0600
@@ -74,12 +74,10 @@ static int dummy_acct (struct file *file
 
 static int dummy_capable (struct task_struct *tsk, int cap)
 {
-	if (cap_is_fs_cap (cap) ? tsk->fsuid == 0 : tsk->euid == 0)
-		/* capability granted */
+	if (cap_raised (tsk->cap_effective, cap))
 		return 0;
-
-	/* capability denied */
-	return -EPERM;
+	else
+		return -EPERM;
 }
 
 static int dummy_sysctl (ctl_table * table, int op)
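Review bot: in dummy_capable the new `else` before `return -EPERM;` is redundant after an unconditional `return 0;`, and the rewrite drops the `/* capability granted */` and `/* capability denied */` comments the old branch carried; keep the early return, a bare `return -EPERM;`, and the two comments. The bigger point is that the decision now rests entirely on `tsk->cap_effective` rather than being derived on the fly from `euid`/`fsuid`, so every path that changes a task's ids must refresh that set or the dummy module silently becomes stricter or more permissive than before; the two later hunks cover exec and post-setuid, but the old `cap_is_fs_cap` branch keyed file-system capabilities to `fsuid` alone, so please confirm that an fsuid-only change also reaches the refresh.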
@@ -199,6 +197,10 @@ static void dummy_bprm_apply_creds (stru
 
 	current->suid = current->euid = current->fsuid = bprm->e_uid;
 	current->sgid = current->egid = current->fsgid = bprm->e_gid;
+
+	dummy_capget(current, &current->cap_effective,
+					&current->cap_inheritable,
+					&current->cap_permitted);
 }
 
 static int dummy_bprm_set_security (struct linux_binprm *bprm)
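Review bot: the added `dummy_capget(current, ...)` call in dummy_bprm_apply_creds assumes `dummy_capget` is defined above this function in security/dummy.c, which the hunk does not show; if it is not, a forward declaration is needed for the file to build. The call also has to stay after the `current->suid = ... = bprm->e_uid;` and `e_gid` assignments, because it recomputes the three capability sets for `current` from the ids that were just set; a one-line comment stating that ordering requirement would stop a later reshuffle from breaking it. The continuation lines are indented five tabs deep; align them with the opening parenthesis as the rest of the file does.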
@@ -563,6 +565,9 @@ static int dummy_task_setuid (uid_t id0,
 
 static int dummy_task_post_setuid (uid_t id0, uid_t id1, uid_t id2, int flags)
 {
+	dummy_capget(current, &current->cap_effective,
+					&current->cap_inheritable,
+					&current->cap_permitted);
 	return 0;
 }
 
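Review bot: this three-line `dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);` block is identical to the one added in dummy_bprm_apply_creds; factor it into a small static helper so the two hooks cannot drift apart when one is changed. The `id0`, `id1`, `id2` and `flags` arguments of dummy_task_post_setuid are ignored, which is fine because the refresh reads `current` directly, but a short comment saying so pre-empts the obvious review question; the return value of `dummy_capget` is also discarded here and in the exec hook.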

