From xie@www.lids.org Wed Jan 9 16:17:22 2002 From: Huagang Xie To: bugtraq@securityfocus.com Cc: LIDS Mailing List Date: Wed, 9 Jan 2002 11:26:48 -0800 (PST) Subject: LIDS Security Advisory 1 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 LIDS Advisory 1 ================ ------------------------------[BUG #1]------------------------- Severity : CRITICAL Discovery : Stealth Original advisory : http://www.team-teso.net/advisories/teso-advisory-012.txt Description : - ------------- The use of LD_PRELOAD can make a program with privileges given by LIDS execute attackers code. This mean that a root intruder can get every capability or fs access you configured LIDS to grant. Moreover, if you granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could deactivate LIDS and thus, access any file. In some configurations, this also lead to users being able to become root. (there must be a program granted CAP_SETUID which is not setuid) Systems affected : - ------------------ Every LIDS patch whose version is lower or equal to 1.1.0 for 2.4 series Every LIDS patch whose version is lower or equal to 0.11.0pre1 for 2.2 series You can find a Little shell script here to see that you are vulnerable : http://www.lids.org/download/test-lids.sh http://www.lids.org/download/test-lids.sh.asc Remember that it's only a silly test that do obvious things and that those tests may fail if it is not run in the context I wanted it to be run. Solution : - ---------- For 2.4 users : http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz.asc For 2.2 users : Use the patch against 0.10.1 : http://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gz http://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gz.asc 0.11.0pre2 version is not vulnerable but it is broken. ------------------------------[BUG #2]------------------------- Severity : CRITICAL Discovery : Phil Description: - ------------ Programs launched before LIDS is sealed keep full CAPS after the sealing. We could imagine a shell code that make a daemon from pre-sealing era deactivate LIDS using CAP_SYS_RAWIO or CAP_SYS_MODULE. Systems affected : ------------------- Same as BUG #1 Solution : ------------------- Same as BUG #1 ------------------------------[BUG #3]------------------------- Severity : CRITICAL Discovery : Stealth Description: - ------------ Program in a shell Script which inherit LIDS capability/acls can be redirect to other evil program using PATH, ALIAS etc. That evil program can also gain that capability/acls from its parent -- the shell script. This bugs is as severity as BUG #1. Systems affected : - ------------------ Same as BUG #1 Solution : - ------------------ Same as BUG #1 - ------------------------------------------------------------------------ LIDS TEAM Jan-9-2002 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8PJLCtTu2CrbvsCgRAo/QAJoCRJe3jrdJ/DN0ph51upEuAyzFywCcCIEK piv8rSX+smCQe7dKttcUAZg= =Wpmc -----END PGP SIGNATURE-----