[arch-general] Linux Local Privilege Escalation via SUID /proc/pid/mem Write

Jayesh Badwaik jayesh.badwaik90 at gmail.com
Tue Jan 24 00:11:10 EST 2012


Hi,

I have just discovered this kernel exploit which allows a local user
to obtain root privileges. The detailed explanation is given at [1].
The bug has apparently been fixed in the kernel as of now (according
to the blog post), but that update has not yet come into Arch Linux.
And while /bin/su is fine and is not vulnerable to the exploit,
gpasswd is vulnerable and I am able to carry out the exploit on my
computer as of now, using the gpasswd program. The list of programs
that may be vulnerable is given by the following command

[user at localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done

which gives in my system the following list [3]

Not all of them work, /bin/su does not work, nor does ping work.

Any news of any kind of update? By the way, here is the patch that is
available for the same [2].

[1]: http://blog.zx2c4.com/749

[2]: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

[3]:
/usr/bin/kppp
/usr/bin/gpasswd
/usr/bin/rsh
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/chage
/usr/bin/kwrited
/usr/bin/ksu
/usr/bin/Xorg
/usr/bin/newgrp
/usr/bin/rcp
/usr/bin/expiry
/usr/bin/passwd
/usr/bin/rlogin
/usr/bin/crontab
/bin/fusermount
/bin/traceroute6
/bin/ping6
/bin/umount
/bin/ping
/bin/mount
/bin/traceroute
/bin/su
/sbin/mount.cifs
/sbin/unix_chkpwd

-- 
-------------------------------------------------------
Cheers
Jayesh Vinay Badwaik
Electronics and Communication Engineering
VNIT, INDIA
-
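As an added example (not part of the original mail or of Arch), a defender-side version of the setuid inventory above: it enumerates setuid files on a PATH-style directory list with proper quoting and `-perm -4000` (the mail's `-4005` also requires world-read and world-exec, so it silently skips setuid binaries that are not world-readable), and diffs the result against a recorded baseline so that an unexpected setuid binary shows up in monitoring. It assumes POSIX sh with find, sort, comm and mktemp.

```shell
#!/bin/sh
# Added example, not from the original mail: inventory setuid binaries on a
# PATH-style directory list and flag any that are not in a known baseline.
# Assumes POSIX sh plus find/sort/comm/mktemp.

# Print every setuid regular file under each directory of the
# colon-separated list $1. -perm -4000 tests the setuid bit alone, so
# binaries that are setuid but not world-readable are still reported.
list_suid_in_path() {
    _old_ifs=$IFS
    IFS=:
    for _dir in $1; do
        [ -d "$_dir" ] || continue
        find "$_dir" -type f -perm -4000 -print 2>/dev/null
    done
    IFS=$_old_ifs
}

# Print setuid files found under $1 that are NOT listed in the baseline
# file $2 (one absolute path per line). Output is empty when nothing new
# appeared, so the result can be fed straight to an alerting hook.
report_new_suid() {
    _cur=$(mktemp) || return 1
    _base=$(mktemp) || { rm -f "$_cur"; return 1; }
    list_suid_in_path "$1" | sort -u > "$_cur"
    sort -u "$2" > "$_base"
    comm -23 "$_cur" "$_base"      # lines only in the current inventory
    rm -f "$_cur" "$_base"
}

# Typical use on a live system (paths are examples, not from the mail):
#   list_suid_in_path "$PATH" | sort -u > /root/suid.baseline   # record once
#   report_new_suid "$PATH" /root/suid.baseline                 # check later
```

The [3] list from the mail, saved one path per line, works directly as the baseline file.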