-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenLinux: kernel kmod/ptrace root exploit Advisory number: CSSA-2003-020.0 Issue date: 2003 May 09 Cross reference: ______________________________________________________________________________ 1. Problem Description The kernel module loader in the Linux kernel allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to linux-kernel-binary-2.4.13-21S.i386.rpm prior to linux-kernel-include-2.4.13-21S.i386.rpm prior to linux-source-UserMode-2.4.13-21S.i386.rpm prior to linux-source-alpha-2.4.13-21S.i386.rpm prior to linux-source-arm-2.4.13-21S.i386.rpm prior to linux-source-common-2.4.13-21S.i386.rpm prior to linux-source-cris-2.4.13-21S.i386.rpm prior to linux-source-i386-2.4.13-21S.i386.rpm prior to linux-source-ia64-2.4.13-21S.i386.rpm prior to linux-source-m68k-2.4.13-21S.i386.rpm prior to linux-source-mips-2.4.13-21S.i386.rpm prior to linux-source-parisc-2.4.13-21S.i386.rpm prior to linux-source-ppc-2.4.13-21S.i386.rpm prior to linux-source-s390-2.4.13-21S.i386.rpm prior to linux-source-sparc-2.4.13-21S.i386.rpm prior to linux-source-superH-2.4.13-21S.i386.rpm OpenLinux 3.1.1 Workstation prior to linux-kernel-binary-2.4.13-21D.i386.rpm prior to linux-kernel-include-2.4.13-21D.i386.rpm prior to linux-source-UserMode-2.4.13-21D.i386.rpm prior to linux-source-alpha-2.4.13-21D.i386.rpm prior to linux-source-arm-2.4.13-21D.i386.rpm prior to linux-source-common-2.4.13-21D.i386.rpm prior to linux-source-cris-2.4.13-21D.i386.rpm prior to linux-source-i386-2.4.13-21D.i386.rpm prior to linux-source-ia64-2.4.13-21D.i386.rpm prior to linux-source-m68k-2.4.13-21D.i386.rpm prior to linux-source-mips-2.4.13-21D.i386.rpm prior to linux-source-parisc-2.4.13-21D.i386.rpm prior to linux-source-ppc-2.4.13-21D.i386.rpm prior to linux-source-s390-2.4.13-21D.i386.rpm prior to linux-source-sparc-2.4.13-21D.i386.rpm prior to linux-source-superH-2.4.13-21D.i386.rpm 3. Solution The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-020.0/RPMS 4.2 Packages 41748cdaf8d1809822b131c0c2c7b90a linux-kernel-binary-2.4.13-21S.i386.rpm acaaf0982bd6ad7c945c3a463164b56c linux-kernel-include-2.4.13-21S.i386.rpm 588b015160d3c7e6ca649986de74d923 linux-source-UserMode-2.4.13-21S.i386.rpm f5dbb77015b314909a5242e58a3ac7b9 linux-source-alpha-2.4.13-21S.i386.rpm 7f2472b4958d8b268d87525b29eefeaf linux-source-arm-2.4.13-21S.i386.rpm 80a201cbcb343a3ea565b045f882e1ce linux-source-common-2.4.13-21S.i386.rpm dba74ba0f87828c6f82a98642986e271 linux-source-cris-2.4.13-21S.i386.rpm dd3048b40b323b96335efe17309fb5f3 linux-source-i386-2.4.13-21S.i386.rpm 869c0409318d7a01264c7a7a42b8c51d linux-source-ia64-2.4.13-21S.i386.rpm 7341a22a39014c8a642a91c1cad50a29 linux-source-m68k-2.4.13-21S.i386.rpm e580fc559de6f8788112cce694e58784 linux-source-mips-2.4.13-21S.i386.rpm d2417933a143e47027d0bf00d7d4e96e linux-source-parisc-2.4.13-21S.i386.rpm 917579c9a6520dfb8791821d3e773181 linux-source-ppc-2.4.13-21S.i386.rpm d154580aea946574447b733e7ca09fcb linux-source-s390-2.4.13-21S.i386.rpm 247d115a3ecc81e93af2ae883dcf19ed linux-source-sparc-2.4.13-21S.i386.rpm b5d1ecd0828b87d2a05b0d8044e29ab7 linux-source-superH-2.4.13-21S.i386.rpm 4.3 Installation rpm -Fvh linux-kernel-binary-2.4.13-21S.i386.rpm rpm -Fvh linux-kernel-include-2.4.13-21S.i386.rpm rpm -Fvh linux-source-UserMode-2.4.13-21S.i386.rpm rpm -Fvh linux-source-alpha-2.4.13-21S.i386.rpm rpm -Fvh linux-source-arm-2.4.13-21S.i386.rpm rpm -Fvh linux-source-common-2.4.13-21S.i386.rpm rpm -Fvh linux-source-cris-2.4.13-21S.i386.rpm rpm -Fvh linux-source-i386-2.4.13-21S.i386.rpm rpm -Fvh linux-source-ia64-2.4.13-21S.i386.rpm rpm -Fvh linux-source-m68k-2.4.13-21S.i386.rpm rpm -Fvh linux-source-mips-2.4.13-21S.i386.rpm rpm -Fvh linux-source-parisc-2.4.13-21S.i386.rpm rpm -Fvh linux-source-ppc-2.4.13-21S.i386.rpm rpm -Fvh linux-source-s390-2.4.13-21S.i386.rpm rpm -Fvh linux-source-sparc-2.4.13-21S.i386.rpm rpm -Fvh linux-source-superH-2.4.13-21S.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-020.0/SRPMS 4.5 Source Packages ddc96e148b473b86b63927b489f55404 linux-2.4.13-21S.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-020.0/RPMS 5.2 Packages bd5364e5bf524dbd080e2a734afb47e2 linux-kernel-binary-2.4.13-21D.i386.rpm c7eb0c054673c38181336556b5bc6d96 linux-kernel-include-2.4.13-21D.i386.rpm d8ccf3ed3e5e0851b1d398a5143d4cb9 linux-source-UserMode-2.4.13-21D.i386.rpm 53b4dcb71df1b2390ced22b62deed9ea linux-source-alpha-2.4.13-21D.i386.rpm 0e2f96279a30492ffca3e521449a4771 linux-source-arm-2.4.13-21D.i386.rpm 011bcb383ea9badb519435874173d529 linux-source-common-2.4.13-21D.i386.rpm 876483cc7a9448f2a06e11d8337ad201 linux-source-cris-2.4.13-21D.i386.rpm d89779ea77adf5a8e9f2efb999ae7ce4 linux-source-i386-2.4.13-21D.i386.rpm 49cf9327d4826ca35d22f84788249abd linux-source-ia64-2.4.13-21D.i386.rpm 61a0979d2280ac6ab999ffe64f3b5caf linux-source-m68k-2.4.13-21D.i386.rpm eb3018d64118f872485ed2bc342e7203 linux-source-mips-2.4.13-21D.i386.rpm 7b2b03d3864637b0635e7d57c2a72610 linux-source-parisc-2.4.13-21D.i386.rpm 14148ea7fbcfa4e001919a2caf409384 linux-source-ppc-2.4.13-21D.i386.rpm e8336b89d29093a7d9e3e8d09d1e2b30 linux-source-s390-2.4.13-21D.i386.rpm 00908c06084007713bbcc03aa1ee8233 linux-source-sparc-2.4.13-21D.i386.rpm 4c45777444c8ca91249b757c3984582e linux-source-superH-2.4.13-21D.i386.rpm 5.3 Installation rpm -Fvh linux-kernel-binary-2.4.13-21D.i386.rpm rpm -Fvh linux-kernel-include-2.4.13-21D.i386.rpm rpm -Fvh linux-source-UserMode-2.4.13-21D.i386.rpm rpm -Fvh linux-source-alpha-2.4.13-21D.i386.rpm rpm -Fvh linux-source-arm-2.4.13-21D.i386.rpm rpm -Fvh linux-source-common-2.4.13-21D.i386.rpm rpm -Fvh linux-source-cris-2.4.13-21D.i386.rpm rpm -Fvh linux-source-i386-2.4.13-21D.i386.rpm rpm -Fvh linux-source-ia64-2.4.13-21D.i386.rpm rpm -Fvh linux-source-m68k-2.4.13-21D.i386.rpm rpm -Fvh linux-source-mips-2.4.13-21D.i386.rpm rpm -Fvh linux-source-parisc-2.4.13-21D.i386.rpm rpm -Fvh linux-source-ppc-2.4.13-21D.i386.rpm rpm -Fvh linux-source-s390-2.4.13-21D.i386.rpm rpm -Fvh linux-source-sparc-2.4.13-21D.i386.rpm rpm -Fvh linux-source-superH-2.4.13-21D.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-020.0/SRPMS 5.5 Source Packages 73cad7e5db287a962de14109fa126354 linux-2.4.13-21D.src.rpm 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr876055, fz527562, erg712269, sr876810, fz527692, erg712288. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgements Andrzej Szombierski discovered and researched this vulnerability. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj675p4ACgkQbluZssSXDTH0SACfS4TLdcUJwnQDecgSsv3K5zP/ DFEAoNfR6CIWZycMo4u4vOETbSjn7XEe =yS2O -----END PGP SIGNATURE-----