[arch-general] Linux Local Privilege Escalation via SUID /proc/pid/mem Write
Hi,

I have just discovered this kernel exploit which allows a local user to obtain root privileges. The detailed explanation is given at [1]. The patch has apparently been fixed in the kernel as of now (according to the blog post), but that update has not yet come into archlinux. And while /bin/su is fine and is not vulnerable to the exploit, gpasswd is vulnerable and I am able to carry out the exploit on my computer as of now, using the gpasswd program. The list of programs that may be vulnerable is given by the following command:

[user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done

which gives on my system the following list [3]. Not all of them work: /bin/su does not work, nor does ping.

Any news of any kind of update? By the way, here is the patch that is available for the same [2].

[1]: http://blog.zx2c4.com/749
[2]: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdif...
[3]:
/usr/bin/kppp
/usr/bin/gpasswd
/usr/bin/rsh
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/chage
/usr/bin/kwrited
/usr/bin/ksu
/usr/bin/Xorg
/usr/bin/newgrp
/usr/bin/rcp
/usr/bin/expiry
/usr/bin/passwd
/usr/bin/rlogin
/usr/bin/crontab
/bin/fusermount
/bin/traceroute6
/bin/ping6
/bin/umount
/bin/ping
/bin/mount
/bin/traceroute
/bin/su
/sbin/mount.cifs
/sbin/unix_chkpwd

--
-------------------------------------------------------
Cheers
Jayesh Vinay Badwaik
Electronics and Communication Engineering
VNIT, INDIA
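A more careful version of the setuid inventory command from the message above, added here as an example; it is not part of the original post and the function names are my own. It walks the search path without word splitting (so directory names containing spaces survive), skips missing directories, restricts the match to regular files, and uses -perm -4000 so a setuid binary is reported whatever its other permission bits are (the -4005 in the original also required read and execute for others, so a 4750 binary would be missed).

```shell
#!/bin/sh
# Added example: enumerate setuid binaries along a colon-separated search path.
# Not from the thread; list_suid and count_suid are names assumed here.

# list_suid: print every regular file with the setuid bit set under each
# directory of the path string given as $1 (defaults to $PATH). Directories
# are read one per line, so names containing spaces are handled; missing
# or empty entries are skipped quietly.
list_suid() {
    search="${1:-$PATH}"
    printf '%s\n' "$search" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] && [ -d "$dir" ] || continue
        # -perm -4000: the setuid bit is set, regardless of the other bits.
        # The thread's -perm -4005 would not report a mode 4750 binary.
        find "$dir" -type f -perm -4000 2>/dev/null
    done
}

# count_suid: number of setuid files found, useful for a quick
# before/after comparison around a package update.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}
```

Call list_suid with no argument to inventory the current $PATH, or pass any colon-separated directory list to check other locations.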
[2012-01-24 10:41:10 +0530] Jayesh Badwaik:
I have just discovered this kernel exploit which allows a local user to obtain root privileges. The detailed explanation is given at [1]. The patch has apparently been fixed in the kernel as of now (according to the blog post), but that update has not yet come into archlinux.
Yes it has; that's why linux-3.2.1-2 is out.

--
Gaetan
On Tue, Jan 24, 2012 at 10:54 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
[2012-01-24 10:41:10 +0530] Jayesh Badwaik:
I have just discovered this kernel exploit which allows a local user to obtain root privileges. The detailed explanation is given at [1]. The patch has apparently been fixed in the kernel as of now (according to the blog post), but that update has not yet come into archlinux.
Yes it has; that's why linux-3.2.1-2 is out.
-- Gaetan
Ohk, it's just that I did not find any notice on the frontpage, public-dev or general mailing list etc. So, I just posted. Thanks for the information.

--
-------------------------------------------------------
Cheers
Jayesh Vinay Badwaik
Electronics and Communication Engineering
VNIT, INDIA
On Tue, Jan 24, 2012 at 6:39 AM, Jayesh Badwaik <jayesh.badwaik90@gmail.com> wrote:
Ohk, it's just that I did not find any notice on the frontpage, public-dev or general mailing list etc. So, I just posted. Thanks for the information.
https://bbs.archlinux.org/viewtopic.php?id=134219
https://bbs.archlinux.org/viewtopic.php?id=134224 (a bit different issue)
:-)
On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
Hi,
I have just discovered this kernel exploit which allows a local user to obtain root privileges. The detailed explanation is given at [1]. The patch has apparently been fixed in the kernel as of now (according to the blog post), but that update has not yet come into archlinux. And while /bin/su is fine and is not vulnerable to the exploit, gpasswd is vulnerable and I am able to carry out the exploit on my computer as of now, using the gpasswd program. The list of programs that may be vulnerable is given by the following command:

[user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done

which gives on my system the following list [3]
Wow, I'm really interested in this. How would I go about modifying the shellcode to push one of those paths on the stack? AFAICT they don't fit into a qword like /bin/sh, do they?

cheers!
mar77i
On Thu, Jan 26, 2012 at 4:52 AM, Martti Kühne <mysatyre@gmail.com> wrote:
On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
Hi,
I have just discovered this kernel exploit which allows a local user to obtain root privileges. The detailed explanation is given at [1]. The patch has apparently been fixed in the kernel as of now (according to the blog post), but that update has not yet come into archlinux. And while /bin/su is fine and is not vulnerable to the exploit, gpasswd is vulnerable and I am able to carry out the exploit on my computer as of now, using the gpasswd program. The list of programs that may be vulnerable is given by the following command:

[user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done

which gives on my system the following list [3]
Wow, I'm really interested in this. How would I go about modifying the shellcode to push one of those paths on the stack? AFAICT they don't fit into a qword like /bin/sh, do they?

cheers!
mar77i
Sorry if I misquoted before: I did not *discover* it, rather I stumbled upon it on the internet. I realized my flaw, but later I thought the issue was too widespread for me to be misunderstood. So maybe you'd be better off contacting the original author (see the blog, link 1 in my post).

--
-------------------------------------------------------
Cheers
Jayesh Vinay Badwaik
Electronics and Communication Engineering
VNIT, INDIA
On Thu, Jan 26, 2012 at 08:14:52PM +0530, Jayesh Badwaik wrote:
Sorry if I misquoted before: I did not *discover* it, rather I stumbled upon it on the internet. I realized my flaw, but later I thought the issue was too widespread for me to be misunderstood. So maybe you'd be better off contacting the original author (see the blog, link 1 in my post).
So? Do you think no one here understands the whole problem, or could answer my question? I didn't reply to you personally, but to the mailing list, and somehow expected an answer from someone who is that necessary bit more knowledgeable than I am on this topic, since I'd not be surprised if some of the people on this list would go ahead and try to hack their linux. No offense, but I usually don't try to answer questions I don't understand well enough...

cheers!
mar77i
participants (4): Gaetan Bisson, Jayesh Badwaik, Karol Blazewicz, Martti Kühne