[KLUG Members] This is a bad one

Jamie McCarthy members@kalamazoolinux.org
Fri, 19 Oct 2001 11:26:26 -0400


"According to this mail from Rafal Wojtczuk and a German article
on Heise Online, there's a new severe bug in all Linux Kernels,
from 2.2.0 up to 2.4.10, which allows users to become root on your
system. Kernel 2.4.12 fixes this problem..."

GULP.

http://slashdot.org/article.pl?sid=01/10/19/141229

Actually the mail says "gain root privileges locally (in case of
default install of most popular distributions)" but um, that's bad
enough.

"In order for this flaw to be exploitable, /usr/bin/newgrp must be
setuid root and world-executable. Additionally, newgrp, when run
with no arguments, should not prompt for password. These conditions
are satisfied in case of most popular Linux distributions..."

Using /usr/bin/newgrp is just an example.  As I read the exploit,
it looks like *any* setuid binary can be exploited.  Exploits for
this will probably be in the wild within hours, in my opinion.  I
am extremely worried about a machine I administer that's out on
the net running a 2.2 kernel without a firewall right now;  I will
probably upgrade it to 2.4.12 today.  I would urge any of you in a
similar situation to do the same.  This one's serious.
--
 Jamie McCarthy
 jamie@mccarthy.vg
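
An exposure check for the two conditions quoted above (a kernel from 2.2.0 up to 2.4.10, and a setuid-root, world-executable /usr/bin/newgrp), added here as an example and not part of the original message or the advisory. The function names and the integer encoding of versions are assumptions of this sketch; it does not test whether newgrp prompts for a password.

```shell
#!/bin/sh
# Added example: checks a host against the conditions quoted in the message.

# Turn "2.4.9-13smp" into a comparable integer (2004009); prints 0 if unparsable.
kver_num() {
    v=${1%%[!0-9.]*}            # drop vendor suffixes such as -13smp or pre17
    old_ifs=$IFS; IFS=.
    set -- $v                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    [ -n "$1" ] && [ -n "$2" ] || { echo 0; return; }
    echo $(( $1 * 1000000 + $2 * 1000 + ${3:-0} ))
}

# True when the version lies in the range the message gives: 2.2.0 to 2.4.10.
kernel_in_range() {
    n=$(kver_num "$1")
    [ "$n" -ge 2002000 ] && [ "$n" -le 2004010 ]
}

# True when FILE is owned by uid 0, has the setuid bit, and is executable by "other".
suid_root_world_exec() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user 0 -perm -4000 -perm -0001 2>/dev/null)" ]
}

# Print both findings; defaults to the running kernel and /usr/bin/newgrp.
report() {
    kv=${1:-$(uname -r)}
    bin=${2:-/usr/bin/newgrp}
    if kernel_in_range "$kv"; then
        echo "kernel $kv: inside the affected range 2.2.0-2.4.10"
    else
        echo "kernel $kv: outside the affected range 2.2.0-2.4.10"
    fi
    if suid_root_world_exec "$bin"; then
        echo "$bin: setuid root and world-executable"
    else
        echo "$bin: not setuid root and world-executable (or absent)"
    fi
}

report "$@"
```

Pass a kernel version string and a binary path as arguments to check values other than the defaults.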