Linux ptrace race condition allows a local attacker to gain root privileges

linux-ptrace-race-condition (7311)

High Risk

Description:

The ptrace program in some Linux distributions is vulnerable to a race condition that could allow a local attacker to gain root privileges. If ptrace is running in the background and a setuid root binary program (such as newgrp which executes a shell) is executed, a local attacker can execute arbitrary code on the system to gain root privileges.

Platforms Affected:

• Conectiva, Linux 5.0
• Conectiva, Linux 5.1
• Conectiva, Linux 6.0
• Conectiva, Linux 7.0
• Conectiva, Linux ecommerce
• Conectiva, Linux prg_graficos
• HP, Secure OS 1.0
• Immunix, Immunix OS 6.2
• Immunix, Immunix OS 7.0
• Linux, Kernel 2.2.0
• Linux, Kernel 2.2.1
• Linux, Kernel 2.2.10
• Linux, Kernel 2.2.11
• Linux, Kernel 2.2.12
• Linux, Kernel 2.2.13
• Linux, Kernel 2.2.14
• Linux, Kernel 2.2.15
• Linux, Kernel 2.2.16
• Linux, Kernel 2.2.17
• Linux, Kernel 2.2.18
• Linux, Kernel 2.2.19
• Linux, Kernel 2.2.2
• Linux, Kernel 2.2.3
• Linux, Kernel 2.2.4
• Linux, Kernel 2.2.5
• Linux, Kernel 2.2.6
• Linux, Kernel 2.2.7
• Linux, Kernel 2.2.8
• Linux, Kernel 2.2.9
• Linux, Kernel 2.4.10
• Linux, Kernel 2.4.2
• Linux, Kernel 2.4.3
• Linux, Kernel 2.4.7
• Linux, Kernel 2.4.8
• Linux, Kernel 2.4.9
• MandrakeSoft, Mandrake Linux 7.1
• MandrakeSoft, Mandrake Linux 7.2
• MandrakeSoft, Mandrake Linux 8.0
• MandrakeSoft, Mandrake Linux 8.1
• MandrakeSoft, Mandrake Linux Corporate Server 1.0.1
• MandrakeSoft, Mandrake Single Network Firewall 7.2
• RedHat, Linux 6.2
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• SCO, Caldera OpenLinux 2.3
• SCO, Caldera OpenLinux eBuilder
• SCO, Caldera OpenLinux eDesktop 2.4
• SCO, Caldera OpenLinux eServer 2.3.1
• SCO, Caldera OpenLinux Server 3.1
• SCO, Caldera OpenLinux Workstation 3.1
• SuSE, SuSE Linux 6.3
• SuSE, SuSE Linux 6.4
• SuSE, SuSE Linux 7.0
• SuSE, SuSE Linux 7.1
• SuSE, SuSE Linux 7.2
• SuSE, SuSE Linux 7.3
• Trustix, Secure Linux 1.01
• Trustix, Secure Linux 1.1
• Trustix, Secure Linux 1.2
• Trustix, Secure Linux 1.5

Remedy:

For Caldera OpenLinux 2.3:
Upgrade to the latest Linux kernel package (2.2.10-13 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2001-036.0. See References.

For Caldera OpenLinux eServer 2.3.1 and eBuilder:
Upgrade to the latest Linux kernel package (2.2.14-12S or later), as listed in Caldera International, Inc. Security Advisory CSSA-2001-036.0. See References.

For Caldera OpenLinux eDesktop 2.4:
Upgrade to the latest Linux kernel package (2.2.14-8 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2001-036.0. See References.

For Caldera OpenLinux Server 3.1:
Upgrade to the latest Linux kernel package (2.4.2-13S or later), as listed in Caldera International, Inc. Security Advisory CSSA-2001-036.0. See References.

For Caldera OpenLinux Workstation 3.1:
Upgrade to the latest Linux kernel package (2.4.2-13D or later), as listed in Caldera International, Inc. Security Advisory CSSA-2001-036.0. See References.

For Trustix Secure Linux 1.01, 1.1, 1.2, and 1.5:
Upgrade to the latest Linux kernel package (2.2.19-6tr or later), as listed in Trustix Secure Linux Security Advisory #2001-0028. See References.

For EnGarde Secure Linux 1.0.1:
Upgrade to the latest Linux kernel package (2.2.19-1.0.20 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20011019-02. See References.

For Immunix OS 7.0:
Upgrade to the latest Linux kernel package (2.2.19-8_imnx or later), as listed in Immunix OS Security Advisory IMNX-2001-70-035-01. See References.

For Red Hat Linux 7.1:

Upgrade to the Linux kernel package (2.4.9-6 or later), as listed in RHSA-2001:129-05. See References.

For Conectiva Linux 5.0, prg graficos, ecommerce, 5.1, 6.0, and 7.0:
Upgrade to the latest Linux kernel package (2.2.19 or later), as listed in Conectiva Linux Security Annoucement CLA-2001:432. See References.

For SuSE Linux 6.3, 6.4, 7.0, 7.1, 7.2, and 7.3:
Upgrade to the appropriate Linux kernel package, by following the instructions listed in SuSE Security Announcement SuSE-SA:2001:036. See References.

For systems running HP Secure OS software for Linux Release 1.0:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBTL0112-003. See References.

For Mandrake Linux 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1, and Single Network Firewall 7.2:
Upgrade to the latest Linux kernel package (2.2.19 or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:082-1 : kernel. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Privileges

References:

• BugTraq Mailing List, Thu Oct 18 2001 - 12:35:40 CDT, Flaws in recent Linux kernels at http://archives.neohapsis.com/archives/bugtraq/2001-10/0135.html.
• Caldera International, Inc. Security Advisory CSSA-2001-036.0, Linux - several linux kernel security problems at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2001-036.0.txt.
• Conectiva Linux Announcement CLSA-2001:432, kernel at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000432.
• EnGarde Secure Linux Security Advisory ESA-20011019-02, kernel at http://mail-archives.engardelinux.org/engarde-users/2001/Oct/0311.html.
• Hewlett-Packard Company Security Bulletin HPSBTL0112-003, Security vulnerabilities in the kernel at http://online.securityfocus.com/advisories/3713. (From SecurityFocus archive.)
• Immunix OS Security Advisory IMNX-2001-70-035-01, kernel-2.2.19 at http://archives.neohapsis.com/archives/bugtraq/2001-10/0165.html.
• SuSE Security Announcement SuSE-SA:2001:036, kernel at http://www.suse.com/de/security/2001_036_kernel_txt.html.
• Trustix Secure Linux Security Advisory TSLSA-2001-0028, kernel at http://www.trustix.net/errata/2001/0028/.
• BID-3447: Linux Ptrace/Setuid Exec Vulnerability
• BID-5466: HP Secure OS For Linux PTrace / IOCTL Unauthorized Process Access Vulnerability
• CVE-2001-1384: ptrace in Linux 2.2.x through 2.2.19, and 2.4.x through 2.4.9, allows local users to gain root privileges by running ptrace on a setuid or setgid program that itself calls an unprivileged program, such as newgrp.
• MDKSA-2001:079: Disable devfs due to local root compromise
• MDKSA-2001:079-1: Updated kernel 2.4 packages fix multiple insecurities
• MDKSA-2001:079-2: Updated kernel 2.4 packages fix multiple insecurities
• MDKSA-2001:082: Updated kernel 2.2 packages fix two local vulnerabilities
• MDKSA-2001:082-1: Updated kernel 2.2 packages fix additional remote vulnerability
• RHSA-2001-129: New kernel 2.4 packages are available
• RHSA-2001-129-7.2: New kernel 2.4 packages are available for Red Hat 7.2
• RHSA-2001-130: New kernel 2.2 packages are available

Reported:

Oct 18, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page