Progeny Security Advisory: execve()/ptrace() exploit in Linux kernels prior to 2.2.19

From: Progeny Security Team <security@progeny.com>
Subject: PROGENY-SA-2001-01A: [UPDATE] execve()/ptrace() exploit in
Linux kernels prior to 2.2.19
Date: Tue, 10 Apr 2001 21:41:12 -0500 (EST)

---

PROGENY LINUX SYSTEMS — SECURITY ADVISORY
PROGENY-SA-2001-01A

    Topic:          execve()/ptrace() exploit in Linux kernels prior to
                    2.2.19

    Category:       kernel
    Module:         kernel-image-2.2.*
    Announced:      2001-04-10
    Credits:        Wojciech Purczynski <wp@elzabsoft.pl>
                    BUGTRAQ <BUGTRAQ@securityfocus.com>
                    Solar Designer <solar@openwall.com>
    Affects:        Progeny Debian (Linux kernels prior to 2.2.19)
                    Debian GNU/Linux (Linux kernels prior to 2.2.19)
    Vendor-Status:  New Version Released (kernel 2.2.19)
    Corrected:      2001-04-02

Progeny Only: NO

$Id: PROGENY-SA-2001-01,v 1.13 2001/04/10 23:19:36 laz Exp $

---

UPDATE SYNOPSIS

This is an update to advisory PROGENY-SA-2001-01. The
sources.list line specified in Step 1 of the “UPDATING VIA APT-GET”
section in the previous advisory was incorrect. This advisory fixes
the error.

SYNOPSIS

Linux kernels before 2.2.19 are vulnerable to a local root
exploit.

PROBLEM DESCRIPTION

This vulnerability exploits a race condition in the 2.2.x Linux
kernel within the execve() system call.

By predicting the child-process sleep() within execve(), an
attacker can use ptrace() or similar mechanisms to subvert control
of the child process. If the child process is setuid, the attacker
can cause the child process to execute arbitrary code at an
elevated privilege.

There are also other known lesser security issues with Linux
kernels prior to 2.2.19 which have been noted as fixed in the
solution listed below. Details can be found in the Security Updates
section at:

http://www.linux.org.uk/VERSION/relnotes.2219.html

IMPACT

Local users can use available exploits to gain root
privileges.

SOLUTION

Upgrade to Linux kernel 2.2.19. You may use Progeny’s
kernel-image-2.2.19 package, version 1.81, for convenience.

WORKAROUND

No known workaround exists for this vulnerability.

UPDATING VIA APT-GET

1. Ensure that your /etc/apt/sources.list file has a URI for
   Progeny’s update repository:

deb http://archive.progeny.com/progeny updates/newton/

2. Update your cache of available packages for apt(8).

Example:

# apt-get update

3. Using apt(8), install the new kernel package. apt(8) will
download

the update, verify it’s integrity with md5, and then install the
package on your system with dpkg(8).

Example:

# apt-get install kernel-image-2.2.19

4. Since this update installs a new kernel, the security fixes
cannot

take effect until you reboot the system. When convenient,
restart your system to start using the new kernel.

Example:

# shutdown -r now

UPDATING VIA DPKG

1. Using your preferred FTP/HTTP client to retrieve the following
   updated files from Progeny’s update archive at:

http://archive.progeny.com/progeny/updates/newton/

Filename MD5 Checksum

---

kernel-image-2.2.19_1.81_i386.deb/ f72c383e22a064ec394cff50a84ab789

Example:

# wget
http://archive.progeny.com/progeny/updates/newton/kernel-image-2.2.19_1.81_i386.deb

2. Use the md5sum command on the retrieved file to verify that
it matches

the md5sum provided in this advisory:

Example:

# md5sum kernel-image-2.2.19_1.81_i386.deb

3. Then install the replacement package(s) using the dpkg
command.

Example:

# dpkg –install kernel-image-2.2.19_1.81_i386.deb

4. Since this update installs a new kernel, the security fixes
cannot take effect until you reboot the system. When convenient,
restart your system to start using the new kernel.

Example:

# shutdown -r now

MORE INFORMATION

Linux kernels 2.4.0 and later are not affected by this
problem.

---

pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>