Hi, I have just discovered this kernel exploit which allows a local user to obtain root priviliges. The detailed explanation is given at [1]. The patch has been apparently fixed in the kernel as of now (according to the blog post), but that update has not yet come into archlinux. And while, the /bin/su is fine and is not vulnerable to exploit, gpasswd is vulnerable and I am able to carry out the exploit on my computer as of now, using the gpasswd program. The list of programs that may be vulnerable are given by the following command [user@localhost]$ for p in $(echo $PATH | tr ‘:’ ‘ ‘); do find “$p” -perm -4005; done which gives in my system the following list [3] Not all of them work, /bin/su does not work, nor does ping work. Any news of any kind of update? By the way, here is the patch that is available for the same [2]. [1] : http://blog.zx2c4.com/749 [2]: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc [3] : /usr/bin/kppp /usr/bin/gpasswd /usr/bin/rsh /usr/bin/chsh /usr/bin/chfn /usr/bin/pkexec /usr/bin/chage /usr/bin/kwrited /usr/bin/ksu /usr/bin/Xorg /usr/bin/newgrp /usr/bin/rcp /usr/bin/expiry /usr/bin/passwd /usr/bin/rlogin /usr/bin/crontab /bin/fusermount /bin/traceroute6 /bin/ping6 /bin/umount /bin/ping /bin/mount /bin/traceroute /bin/su /sbin/mount.cifs /sbin/unix_chkpwd -- ------------------------------------------------------- Cheers Jayesh Vinay Badwaik Electronics and Communication Engineering VNIT, INDIA -
