[SECURITY] Simpleinit root exploit

Matthias Benkmann matthias at winterdrache.de
Sun May 26 10:37:12 PDT 2002


Systems affected:
Systems using simpleinit (from util-linux) or simpleinit-msb

Summary:
A security issue has been discovered in simpleinit that permits a local
(and in some cases even a remote) attacker to execute arbitrary commands
with root privileges.

Details:
An open file descriptor referring to /dev/initctl is inherited by
processes started via the bootprog=, finalprog= and ctrlaltdel= lines in
inittab. This descriptor can be used to send commands to init (including
the command to execute a program, which init runs with its own root
privileges). If bootprog, finalprog or ctrlaltdel specifies a program that
accepts data from untrusted sources, or that launches a program which
accepts data from untrusted sources, this can be exploited to run an
arbitrary program with root permissions.

Usually bootprog, finalprog and ctrlaltdel lines start only trusted
programs (boot scripts) that do not interact with untrusted users.
There is one common exception, though: xdm. If xdm or any other program
that allows user logins is started directly or indirectly through
bootprog, finalprog or ctrlaltdel, and if that program does not close its
inherited file descriptors, then any user who can successfully log in will
inherit the vulnerable file descriptor.
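The two things a practitioner wants to check here are (a) whether a process started from one of these inittab lines actually inherited a descriptor open on /dev/initctl, and (b) that the descriptor is marked close-on-exec (or closed) before anything is exec'ed on behalf of an untrusted user. The following is an added example written for this page, not code from simpleinit, util-linux or xdm. It assumes Linux (/proc/self/fd) and identifies the descriptor by comparing device and inode numbers, so it works for a FIFO like /dev/initctl as well as regular files; the self_check() function uses a constructed temporary file as a stand-in for /dev/initctl, since the real FIFO is normally only present on a system booted with simpleinit.

```c
/* fd_audit.c -- added example for this advisory, not part of simpleinit.
 * Assumes Linux: enumerates open descriptors through /proc/self/fd. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd is open on the same inode as path, 0 if not, -1 on error.
 * (st_dev, st_ino) identifies the object even for a FIFO such as /dev/initctl. */
int fd_refers_to(int fd, const char *path)
{
    struct stat fs, ps;
    if (fstat(fd, &fs) < 0 || stat(path, &ps) < 0)
        return -1;
    return fs.st_dev == ps.st_dev && fs.st_ino == ps.st_ino;
}

/* Count the descriptors of this process that refer to path, storing up
 * to max of them in out. A program started from bootprog/finalprog/
 * ctrlaltdel would call this with "/dev/initctl" to detect inheritance. */
int find_fds_for(const char *path, int *out, int max)
{
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int self = dirfd(d), n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        int fd = atoi(e->d_name);
        if (fd == self) continue;              /* the DIR's own descriptor */
        if (fd_refers_to(fd, path) == 1) {
            if (n < max) out[n] = fd;
            n++;
        }
    }
    closedir(d);
    return n;
}

/* Mark every descriptor >= lowfd close-on-exec so that children started
 * for an untrusted user never see it. Returns how many were marked.
 * This is the minimal fix for a program that "does not close its file
 * descriptors"; closing them outright is the stricter alternative. */
int mark_cloexec_from(int lowfd)
{
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int self = dirfd(d), n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        int fd = atoi(e->d_name);
        if (fd < lowfd || fd == self) continue;
        int flags = fcntl(fd, F_GETFD);
        if (flags >= 0 && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            n++;
    }
    closedir(d);
    return n;
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is not open. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Exercise the helpers on a constructed temp file standing in for
 * /dev/initctl. Returns the number of checks passed (5 when all pass). */
int self_check(void)
{
    char tmpl[] = "/tmp/fdaudit_XXXXXX";     /* constructed stand-in */
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    int found[8], ok = 0;
    ok += fd_refers_to(fd, tmpl) == 1;
    ok += find_fds_for(tmpl, found, 8) == 1 && found[0] == fd;
    ok += is_cloexec(fd) == 0;                /* inheritable by default */
    ok += mark_cloexec_from(3) >= 1 && is_cloexec(fd) == 1;
    close(fd);
    unlink(tmpl);
    ok += find_fds_for(tmpl, found, 8) == 0;  /* nothing left pointing at it */
    return ok;
}

int main(void)
{
    int fds[16];
    int n = find_fds_for("/dev/initctl", fds, 16);
    if (n < 0) { perror("/proc/self/fd"); return 1; }
    for (int i = 0; i < n && i < 16; i++)
        printf("inherited fd %d is open on /dev/initctl\n", fds[i]);
    if (n == 0) puts("no descriptor refers to /dev/initctl");
    printf("marked %d descriptor(s) close-on-exec\n", mark_cloexec_from(3));
    return 0;
}
```

Run the compiled binary from a bootprog/finalprog script on a simpleinit system to confirm the inheritance the advisory describes; on any other system it simply reports that no descriptor refers to /dev/initctl. Note that the audit only tells you the channel is reachable; whether a given command sent over it is honoured is up to init itself, and that is the part the fixed simpleinit-msb addresses.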

Notes:
ttylines (the lines that usually start and respawn gettys) are
not affected.
sshd (from openssh-3.1p1) does not seem to be affected, either, even if it
is started by a boot script. It inherits the vulnerable file descriptor
but does not pass it on to the processes it starts.


Workaround:
Do not start xdm or other programs that interact with untrusted users from
the bootprog, finalprog and ctrlaltdel programs, nor from programs started
by these programs. Programs that close (or mark close-on-exec) every
inherited descriptor above 2 before handling untrusted input do not pass
the descriptor on, which is why sshd is not affected.

Fix:
A fixed simpleinit-msb is available at 

http://www.winterdrache.de/linux/newboot/index.html

I don't know when this will be fixed in util-linux. The current version
2.11r is still vulnerable.

MSB


-- 
The early bird gets the worm, but the second mouse gets the cheese.


More information about the lfs-security mailing list