January 10, 2002

LIDS: Escalated privileges vulnerability

Author: JT Smith

LIDS.org: "The use of LD_PRELOAD can make a program with privileges given by LIDS
execute attackers code. This mean that a root intruder can get every
capability or fs access you configured LIDS to grant. Moreover, if you
granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could
deactivate LIDS and thus, access any file."
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

LIDS Advisory 1   TEXT Version  ================
- -----------------------------[BUG #1]-------------------------
Severity : CRITICAL
Discovery : Stealth
Original advisory : http://www.team-teso.net/advisories/teso-advisory-012.txt

Description :
- -------------

The use of LD_PRELOAD can make a program with privileges given by LIDS
execute attackers code. This mean that a root intruder can get every
capability or fs access you configured LIDS to grant. Moreover, if you
granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could
deactivate LIDS and thus, access any file.

In some configurations, this also lead to users being able to become root.
(there must be a program granted CAP_SETUID which is not setuid)

Systems affected :
- ------------------

Every LIDS patch whose version is lower or equal to 1.1.0 for 2.4 series
Every LIDS patch whose version is lower or equal to 0.11.0pre1 for 2.2 series

You can find a Little shell script here to see that you are vulnerable :
http://www.lids.org/download/test-lids.sh http://www.lids.org/download/test-lids.sh.asc 

Remember that it's only a silly test that do obvious things and that those
tests may fail if it is not run in the context I wanted it to be run.

Solution :
- ----------

For 2.4 users :
http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gzhttp://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz.asc

For 2.2 users :
Use the patch against 0.10.1 :
http://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gzhttp://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gz.asc

0.11.0pre2 version is not vulnerable but it is broken.
- -----------------------------[BUG #2]-------------------------
Severity : CRITICAL
Discovery : Phil (pbi at cartel-info dot fr)

Description:
- ------------
Programs launched before LIDS is sealed keep full CAPS after the sealing.
We could imagine a shell code that make a daemon from pre-sealing era
deactivate LIDS using CAP_SYS_RAWIO or CAP_SYS_MODULE.

Systems affected :
- ------------------
Same as BUG #1

Solution :
- ------------------
Same as BUG #1
- -----------------------------[BUG #3]-------------------------
Severity : CRITICAL
Discovery : Stealth

Description:
- ------------
Program in a shell Script which inherit LIDS capability/acls can be redirect
to other evil program using PATH, ALIAS etc. That evil program can also gain
that capability/acls from its parent -- the shell script. 


Systems affected :
- ------------------
Same as BUG #1

Solution :
- ------------------
Same as BUG #1

- ------------------------------------------------------------------------

LIDS TEAM 
Jan-9-2002

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see  http://www.gnupg.org

iD8DBQE8PJLCtTu2CrbvsCgRAo/QAJoCRJe3jrdJ/DN0ph51upEuAyzFywCcCIEK
piv8rSX+smCQe7dKttcUAZg=
=Wpmc
-----END PGP SIGNATURE-----

Category:

  • Linux
Click Here!