On Thu, Jan 26, 2012 at 4:52 AM, Martti Kühne <mysatyre@xxxxxxxxx> wrote:
> On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
>> Hi,
>>
>> I have just discovered this kernel exploit which allows a local user
>> to obtain root privileges. The detailed explanation is given at [1].
>> The patch has apparently been fixed in the kernel as of now (according
>> to the blog post), but that update has not yet come into archlinux.
>> And while /bin/su is fine and is not vulnerable to the exploit,
>> gpasswd is vulnerable and I am able to carry out the exploit on my
>> computer as of now, using the gpasswd program. The list of programs
>> that may be vulnerable is given by the following command
>>
>> [user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done
>>
>> which gives in my system the following list [3]
>>
>
>
> Wow, I'm really interested in this, how would I go about modifying the shell
> code to push one of those paths on the stack? AFAICT they don't fit into a
> qword like /bin/sh, do they?
>
> cheers!
> mar77i

Sorry, if I misquoted before, I did not *discover* it, rather I stumbled
upon it on the internet. I realized my flaw, but later I thought the issue
is too widespread for me to be misunderstood. So maybe, you'd be better off
contacting the original author (see the blog, link 1 in my post).

--
-------------------------------------------------------
Cheers
Jayesh Vinay Badwaik
Electronics and Communication Engineering
VNIT, INDIA