Re: Linux Local Privilege Escalation via SUID /proc/pid/mem Write




On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
> Hi,
> 
> I have just discovered this kernel exploit which allows a local user
> to obtain root privileges. The detailed explanation is given at [1].
> The patch has been apparently fixed in the kernel as of now (according
> to the blog post), but that update has not yet come into archlinux.
> And while the /bin/su is fine and is not vulnerable to exploit,
> gpasswd is vulnerable and I am able to carry out the exploit on my
> computer as of now, using the gpasswd program. The list of programs
> that may be vulnerable is given by the following command
> 
> [user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done
> 
> which gives in my system the following list [3]
> 


Wow, I'm really interested in this. How would I go about modifying the
shellcode to push one of those paths on the stack? AFAICT they don't fit into a
qword like /bin/sh, do they?

cheers!
mar77i

