The local privilege escalation from http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html is stopped by the SELinux targeted policy (both old and reference policy). I used a rhel4 test vm to demonstrate below. This was released yesterday, so there is no updated kernel rpm yet. This requires a.out support to exploit; you'll have to grab binfmt_aout.c from the appropriate kernel sources (it isn't shipped with RHEL or Fedora) and use a module makefile to build it, then insert it.

setenforce 0

[jbrindle@rhel4-dev ~]$ id
uid=501(jbrindle) gid=502(jbrindle) groups=502(jbrindle) context=user_u:system_r:unconfined_t
[jbrindle@rhel4-dev ~]$ ./h00lyshit /bin/ash.static
preparing
trying to exploit /bin/ash.static
sh-3.00# id
uid=0(root) gid=502(jbrindle) groups=502(jbrindle) context=user_u:system_r:unconfined_t

(may take a few times to get since it's a race, clear your cache between tries)

setenforce 1

[jbrindle@rhel4-dev ~]$ ./h00lyshit /bin/ash.static
preparing
trying to exploit /bin/ash.static
failed: Permission denied

All related denials:

audit(1152957171.464:5): avc: denied { setattr } for pid=6291 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
audit(1152957171.465:6): avc: denied { execute } for pid=6292 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
audit(1152957171.467:7): avc: denied { execute_no_trans } for pid=6292 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
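As an added example (not part of the post above), a small Python parser for AVC records in the format quoted in the post, run over the three denial lines it lists: it groups the denied permissions by process name, source/target context, object class and object name, so a defender reviewing audit output can see at a glance that the policy refused setattr, execute and execute_no_trans on /proc/.../environ rather than reading each record by hand. The log text is copied from the post; the regexes and function names are this example's own.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the post above, one per line.
AVC_LOG = """\
audit(1152957171.464:5): avc: denied { setattr } for pid=6291 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
audit(1152957171.465:6): avc: denied { execute } for pid=6292 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
audit(1152957171.467:7): avc: denied { execute_no_trans } for pid=6292 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
"""

# Header of an AVC record: timestamp:serial, verdict, brace-delimited permission list.
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +(?P<verdict>denied|granted) +"
    r"\{ (?P<perms>[^}]*)\} +for +(?P<rest>.*)"
)
# key=value pairs after "for"; values may be quoted (comm="...") or bare (dev=proc).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def summarize_denials(log_text):
    """Map (comm, scontext, tcontext, tclass, name) -> sorted denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec.get("comm"), rec.get("scontext"), rec.get("tcontext"),
               rec.get("tclass"), rec.get("name"))
        summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}

if __name__ == "__main__":
    for (comm, scon, tcon, tclass, name), perms in summarize_denials(AVC_LOG).items():
        print(f"{comm}: {scon} -> {tcon} ({tclass} {name!r}) denied {perms}")
```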