J-Security Center

Title: Linux Ptrace/Setuid Exec Vulnerability

Severity: HIGH

Description:

Unix and Unix-like kernels offer a debugging facility called ptrace. Ptrace allows for one process to 'attach' to another and inspect/modify it's memory. For security reasons, a process with the privileges of a regular user cannot attach to a process owned by another. If this were possible, an attacker could modify memory of the traced process so that custom code is executed to obtain the privileges of the process owner.

Linux contains a vulnerability in it's exec() implementation that may allow for modification of setuid process memory via ptrace(). The vulnerability is due to the fact that it is possible for a traced process to exec() a setuid image if the tracing process is setuid.

If a setuid program is available that will execute a program belonging to the attacker (even with dropped privileges), the attacker can then modify the memory of the (traced) setuid process. This would be accomplished by creating a custom program that used ptrace() functionality to insert shellcode into the memory of the traced setuid process.

On many Linux systems, the 'newgrp' utility can be used to exploit this vulnerability. On Slackware, 'su' can be used. Both of these utilities execute user-shells.

It has been pointed out the functionality of both of these utilities is not dependent on them being setuid root. The Linux capabilities privilege model can allow for them to function without total root privileges. If they were designed to utilize capabilities with minimally elevated privileges, avenues of exploitation would be limited.

Note: There are currently conflicting reports about the exploitability of this vulnerability.

Affected Products:

  • Caldera OpenLinux 2.3.0
  • Caldera OpenLinux 2.4.0
  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Workstation 3.1.0
  • Conectiva Linux 4.0.0
  • Conectiva Linux 4.0.0 es
  • Conectiva Linux 4.1.0
  • Conectiva Linux 4.2.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux ecommerce
  • Conectiva Linux graficas
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • EnGarde Secure Linux 1.0.1
  • Immunix Immunix OS 7+
  • Linux kernel 2.2.0
  • Linux kernel 2.2.1
  • Linux kernel 2.2.10
  • Linux kernel 2.2.11
  • Linux kernel 2.2.12
  • Linux kernel 2.2.13
  • Linux kernel 2.2.14
  • Linux kernel 2.2.15
  • Linux kernel 2.2.16
  • Linux kernel 2.2.17
  • Linux kernel 2.2.18
  • Linux kernel 2.2.19
  • Linux kernel 2.2.2
  • Linux kernel 2.2.3
  • Linux kernel 2.2.4
  • Linux kernel 2.2.5
  • Linux kernel 2.2.6
  • Linux kernel 2.2.7
  • Linux kernel 2.2.8
  • Linux kernel 2.2.9
  • Linux kernel 2.4.10
  • Linux kernel 2.4.2
  • Linux kernel 2.4.3
  • Linux kernel 2.4.7
  • Linux kernel 2.4.8
  • Linux kernel 2.4.9
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Linux Mandrake 6.0.0
  • MandrakeSoft Linux Mandrake 6.1.0
  • MandrakeSoft Linux Mandrake 7.0.0
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Single Network Firewall 7.2.0
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 2.1 IA64
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 2.1 IA64
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 2.1 IA64
  • RedHat Linux 6.0.0
  • RedHat Linux 6.0.0 alpha
  • RedHat Linux 6.0.0 sparc
  • RedHat Linux 6.1.0 alpha
  • RedHat Linux 6.1.0 i386
  • RedHat Linux 6.1.0 sparc
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.0.0 sparc
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 alpha
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat kernel-2.4.7-10.i386.rpm
  • RedHat kernel-2.4.7-10.i686.rpm
  • RedHat kernel-BOOT-2.4.7-10.i386.rpm
  • RedHat kernel-doc-2.4.7-10.i386.rpm
  • RedHat kernel-headers-2.4.7-10.i386.rpm
  • RedHat kernel-source-2.4.7-10.i386.rpm
  • S.u.S.E. Linux 6.0.0
  • S.u.S.E. Linux 6.1.0
  • S.u.S.E. Linux 6.1.0 alpha
  • S.u.S.E. Linux 6.3.0
  • S.u.S.E. Linux 6.3.0 alpha
  • S.u.S.E. Linux 6.3.0 ppc
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 6.4.0 alpha
  • S.u.S.E. Linux 6.4.0 ppc
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.3.0
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.1
  • Slackware Linux 4.0.0
  • Slackware Linux 7.0.0
  • Slackware Linux 7.1.0
  • Sun Cobalt Qube 3
  • Sun Cobalt RaQ 4
  • Sun Cobalt RaQ XTR
  • Sun Linux 5.0.0
  • Sun Linux 5.0.3
  • Sun Linux 5.0.5
  • Trustix Secure Linux 1.1.0
  • Trustix Secure Linux 1.2.0
  • Trustix Secure Linux 1.5.0
  • WireX Immunix OS 6.2.0
  • WireX Immunix OS 7.0.0
  • WireX Immunix OS 7.0.0 -Beta

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.