linux kmod/ptrace bug - details Mar 19 2003 07:22PM
Andrzej Szombierski (qq kuku eu org)


There are many discussions (on slashdot for example) on the recent linux
ptrace (& kmod) bug. I'll try to clarify what is this all about.

It's a local root vulnerability. It's exploitable only if:
1. the kernel is built with modules and kernel module loader enabled
2. /proc/sys/kernel/modprobe contains the path to some valid executable
3. ptrace() calls are not blocked

These conditions are met on most standard linux distros.

Ok now how it works:
When a process requests a feature which is in a module, the kernel spawns
a child process, sets its euid and egid to 0 and calls execve("/sbin/modprobe")
The problem is that before the euid change the child process can be
attached to with ptrace(). Game over, the user can insert any code into a
process which will be run with the superuser privileges.

- patch the kernel
- disable kmod/modules
- install a ptrace-blocking module
- set /proc/sys/kernel/modprobe to /any/bogus/file

A word about 2.5. kernels - these are not vulnerable because the kernel
thread spawning code has been rewritten so that the modprobe process is
spawned from keventd, it never runs with non-root uid, so it can't be
ptraced by any non-root user.

Sample exploit here (ix86-only):

: Andrzej Szombierski : anszom (at) v-lo.krakow (dot) pl [email concealed] : qq (at) kuku.eu (dot) org [email concealed] :
: anszom (at) bezkitu (dot) com [email concealed] ::: radio bez kitu <=> http://bezkitu.com :

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus