On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
> Hi,
>
> I have just discovered this kernel exploit which allows a local user
> to obtain root privileges. The detailed explanation is given at [1].
> The patch has been apparently fixed in the kernel as of now (according
> to the blog post), but that update has not yet come into archlinux.
> And while the /bin/su is fine and is not vulnerable to the exploit,
> gpasswd is vulnerable and I am able to carry out the exploit on my
> computer as of now, using the gpasswd program. The list of programs
> that may be vulnerable is given by the following command
>
> [user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done
>
> which gives in my system the following list [3]
>

Wow, I'm really interested in this, how would I go about modifying the shell code to push one of those paths on the stack? AFAICT they don't fit into a qword like /bin/sh, do they?

cheers!
mar77i