Linux-Intrusion Detection System vulnerability
The use of LD_PRELOAD can make a program with privileges given by LIDS execute attackers code. This mean that a root intruder can get every capability or fs access you configured LIDS to grant.Moreover, if you granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could deactivate LIDS and thus, access any file.
LIDS Advisory 1
================
-------------------[BUG #1]-------------------------
Severity : CRITICAL
Discovery : Stealth
Original advisory :
http://www.team-teso.net/advisories/...visory-012.txt
Description :
- -------------
The use of LD_PRELOAD can make a program with privileges given by LIDS execute attackers code. This mean that a root intruder can get every capability or fs access you configured LIDS to grant. Moreover, if you granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could deactivate LIDS and thus, access any file.
In some configurations, this also lead to users being able to become root. (there must be a program granted CAP_SETUID which is not setuid)
Systems affected :
- ------------------
Every LIDS patch whose version is lower or equal to 1.1.0 for 2.4 series Every LIDS patch whose version is lower or equal to 0.11.0pre1 for 2.2 series
You can find a Little shell script here to see that you are vulnerable :
http://www.lids.org/download/test-lids.sh
http://www.lids.org/download/test-lids.sh.asc
Remember that it's only a silly test that do obvious things and that those tests may fail if it is not run in the context I wanted it to be run.
Solution :
- ----------
For 2.4 users :
http://www.lids.org/download/lids-1....-2.4.16.tar.gz
http://www.lids.org/download/lids-1.....16.tar.gz.asc
For 2.2 users :
Use the patch against 0.10.1 :
http://www.lids.org/download/LIDS-se...2.2.20.diff.gz
http://www.lids.org/download/LIDS-se...20.diff.gz.asc
0.11.0pre2 version is not vulnerable but it is broken.
-------------------[BUG #2]-------------------------
Severity : CRITICAL
Discovery : Phil
Description:
- ------------
Programs launched before LIDS is sealed keep full CAPS after the sealing. We could imagine a shell code that make a daemon from pre-sealing era deactivate LIDS using CAP_SYS_RAWIO or CAP_SYS_MODULE.
Systems affected :
-------------------
Same as BUG #1
Solution :
-------------------
Same as BUG #1
-------------------[BUG #3]-------------------------
Severity : CRITICAL
Discovery : Stealth
Description:
- ------------
Program in a shell Script which inherit LIDS capability/acls can be redirect to other evil program using PATH, ALIAS etc. That evil program can also gain that capability/acls from its parent -- the shell script.
This bugs is as severity as BUG #1.
Systems affected :
- ------------------
Same as BUG #1
Solution :
- ------------------
Same as BUG #1
- -----------------