---------- Forwarded message ----------
Date: Sat, 30 Sep 2000 14:15:16 -0600
From: Kurt Seifried <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: LSLID:2000093002 - glibc and userhelper - local root exploit
LSLID:2000093002
PROBLEM: local root thru setuid+glibc locale
FIX: don't let anyone else use your computer.
WHAT??: advantage over all other fixes to be suggested...
you get to use your computer more often than if you have to share it. ;}
FIX: no idea yet. mebe not allow .. in the locale for root or at all?
/* start of zen-nktb.c */
/***********************************************************
local root exploit - userhelper/kbdrate - console only
You can only use it on people you know.
--zen-parse--
** programs **
[root@continuity /root]# rpm -qf /usr/bin/kbdrate
util-linux-2.9w-24
[root@continuity /root]# rpm -qf /usr/sbin/userhelper
usermode-1.35-1
[root@continuity /root]# rpm -qf /lib/libc.so.6
glibc-2.1.3-21
** short description **
people can get root if they are logged in to your machine,
actually at the console.
** longer description **
This exploits the glibc locale hole (even in fixed version).
(If your name is in /var/lock/console/* then you can do it.
Mebe other ways as well.)
Gets past the fix because there is a call to setuid(0);
just before exec-ing the called program. Now uid=euid=0
so it even gives u core dumps(owned by root).
** reason **
The sanity checks don't get done on the nonsuid programs.
Maybe sanity check root and all suids?
The exploit code is available at:
http://www.securityportal.com/research/exploits/linux/20000930-linux-locale.txt
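The fix floated above (refuse ".." in locale values, check them regardless of whether the program is setuid) can be applied by the privileged helper itself before it calls setuid(0) and exec. The following is an added example, not code from the advisory, from glibc or from usermode; the function names and the allowed character set are my own assumptions.

```c
/* Added example, not from the advisory or from glibc/usermode: a whitelist
 * for locale environment variables that a privileged helper could apply
 * before setuid(0)+exec. Names and the allowed character set are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Variables glibc consults when selecting a locale. */
static const char *const locale_vars[] = {
    "LANGUAGE", "LC_ALL", "LC_CTYPE", "LC_COLLATE", "LC_MESSAGES",
    "LC_MONETARY", "LC_NUMERIC", "LC_TIME", "LANG", NULL
};

/* Return 1 if value looks like a plain locale name ("en_US.UTF-8@euro",
 * "en:de" for LANGUAGE), 0 if it could be read as a path (contains '/'
 * or a ".." component) or holds any other unexpected character. */
int locale_env_is_safe(const char *value)
{
    size_t i, n;
    if (value == NULL) return 1;               /* unset is fine */
    n = strlen(value);
    if (n == 0 || n > 64 || strstr(value, "..") != NULL) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' ||
              c == '@' || c == ':'))
            return 0;
    }
    return 1;
}

/* Unset every locale variable whose value fails the check; returns how
 * many were dropped so the helper can log the event before exec. */
int scrub_locale_env(void)
{
    int removed = 0;
    for (const char *const *v = locale_vars; *v != NULL; v++) {
        if (!locale_env_is_safe(getenv(*v))) {
            unsetenv(*v);
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    /* A wrapper would call this right before setuid()/execv(). */
    return scrub_locale_env() > 0 ? 1 : 0;
}
```

With the variables scrubbed, the child that userhelper execs can no longer be steered at a caller-chosen locale directory while running with uid=euid=0.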
--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be reached at [EMAIL PROTECTED]