On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
Hi,
I have just discovered this kernel exploit which allows a local user to obtain root privileges. The detailed explanation is given at [1]. The patch has been apparently fixed in the kernel as of now (according to the blog post), but that update has not yet come into archlinux. And while the /bin/su is fine and is not vulnerable to exploit, gpasswd is vulnerable and I am able to carry out the exploit on my computer as of now, using the gpasswd program. The list of programs that may be vulnerable is given by the following command
[user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done
which gives on my system the following list [3]
Wow, I'm really interested in this, how would I go about modifying the shell code to push one of those paths onto the stack? AFAICT they don't fit into a qword like /bin/sh, do they? cheers! mar77i
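The setuid enumeration from the quoted post, written as a reusable audit function; this is an added example, not code from either message. It splits PATH on ':' only (so directory names with spaces survive), skips missing directories, also reports setgid files, and deduplicates; the function name and its optional argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): list setuid/setgid regular files in
# a colon-separated directory list, one path per line.  Useful for auditing
# which binaries a local user can invoke with elevated privileges while a
# kernel fix has not yet landed.
list_setuid_in_path() {
    # $1: colon-separated directory list; defaults to the caller's $PATH
    _dirs=${1:-$PATH}
    _old_ifs=$IFS
    IFS=:                      # split on ':' only, not on spaces
    for _d in $_dirs; do
        [ -d "$_d" ] || continue          # skip empty or missing entries
        # -perm -4000: setuid bit set; -perm -2000: setgid bit set
        find "$_d" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) \
            -print 2>/dev/null
    done | sort -u
    IFS=$_old_ifs
}
```

Pipe the output through `xargs -I{} ls -l {}` to see owner and mode alongside each path.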