Linux LIDS Root Level Access When Disabled Vulnerability

A vulnerability exists in LIDS, the Linux Intrusion Detection System, version 0.9.7 for the 2.2.16 kernel. If LIDS is disabled using the 'security=0' option at boot time, all users logging in to the system will effectively be able to behave as root. All filesystem checks are disabled, and it is likely other privileged actions can also be performed.

This vulnerability only exists on a grand scale if the system is boot with security=0. Using the lidadm program as follows:
bash$ joe /etc/passwd
(file is shown as readonly, cannot be modified)
bash$ su
Password:
[root@penguin user]# /sbin/lidsadm -S -- -LIDS SWITCH
enter password:
[root@penguin user]#su user2
bash$ joe /etc/passwd
(file is not read-only, can be modfied)
bash$ joe /etc/fstab
(file is not read only, can be modified)
bash$ ls -l /etc/fstab
-rw-r--r-- 1 root root 684 Jul 24 16:28 /etc/fstab
bash$ exit
[root@penguin user]#exit
bash$ joe /etc/passwd
(file is shown as readonly, cannot be modified)

Will only result in LIDS being ineffective for the user being su'd to within the same session. While this is improper behavior, it is a rare situation that should rarely happen in the real world.


 

Privacy Statement
Copyright 2010, SecurityFocus