[arch-general] Linux Local Privilege Escalation via SUID /proc/pid/mem Write

Martti Kühne mysatyre at gmail.com
Wed Jan 25 18:22:07 EST 2012


On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
> Hi,
> 
> I have just discovered this kernel exploit which allows a local user
> to obtain root privileges. The detailed explanation is given at [1].
> The patch has been apparently fixed in the kernel as of now (according
> to the blog post), but that update has not yet come into archlinux.
> And while /bin/su is fine and is not vulnerable to the exploit,
> gpasswd is vulnerable and I am able to carry out the exploit on my
> computer as of now, using the gpasswd program. The list of programs
> that may be vulnerable is given by the following command
> 
> [user at localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p"
> -perm -4005; done
> 
> which gives in my system the following list [3]
> 


Wow, I'm really interested in this, how would I go about modifying the shell
code to push one of those paths on the stack? AFAICT they don't fit into a
qword like /bin/sh, do they?

cheers!
mar77i
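As an added example (not code from either poster or from Arch), here is a more robust version of the quoted PATH scan for setuid binaries, extended into an audit that diffs the current inventory against a saved baseline so a newly appeared or newly setuid binary is flagged. It assumes POSIX sh with find(1), comm(1), sed(1) and mktemp(1); the baseline file path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate setuid binaries on PATH and
# diff the result against a saved baseline. Assumes POSIX sh, find, comm, sed
# and mktemp; the baseline path is supplied by the caller.

# Print every regular file with the setuid bit under each PATH directory,
# sorted and deduplicated. Splits on ':' via IFS, so directory names that
# contain spaces survive (the quoted $(echo $PATH | tr ':' ' ') breaks them).
suid_on_path() {
    _oldifs=$IFS
    IFS=:
    for _dir in ${1:-$PATH}; do
        [ -d "$_dir" ] || continue
        # Trailing slash makes find descend through a symlinked PATH entry
        # such as /bin -> /usr/bin; -perm -4000 matches the setuid bit
        # regardless of the other permission bits.
        find "$_dir/" -type f -perm -4000 2>/dev/null
    done | sort -u
    IFS=$_oldifs
}

# Compare the current inventory with a baseline written earlier by
# suid_on_path. Prints '+ path' for entries missing from the baseline and
# '- path' for baseline entries that are gone. Returns 0 when nothing
# changed, 1 when something did, 2 on a temp-file failure.
suid_diff_baseline() {
    _baseline=$1
    _cur=$(mktemp) || return 2
    suid_on_path "${2:-$PATH}" > "$_cur"
    # comm needs both inputs sorted; suid_on_path output already is.
    _delta=$( {
        comm -23 "$_cur" "$_baseline" | sed 's/^/+ /'
        comm -13 "$_cur" "$_baseline" | sed 's/^/- /'
    } )
    rm -f "$_cur"
    [ -n "$_delta" ] || return 0
    printf '%s\n' "$_delta"
    return 1
}

# Usage (baseline path is an illustrative placeholder):
#   suid_on_path > /var/lib/suid-baseline.txt      # once, on a known-good host
#   suid_diff_baseline /var/lib/suid-baseline.txt  # later, from cron or a login hook
```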
