[arch-general] Linux Local Privilege Escalation via SUID /proc/pid/mem Write

Jayesh Badwaik jayesh.badwaik90 at gmail.com
Thu Jan 26 09:44:52 EST 2012


On Thu, Jan 26, 2012 at 4:52 AM, Martti Kühne <mysatyre at gmail.com> wrote:
> On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
>> Hi,
>>
>> I have just discovered this kernel exploit which allows a local user
>> to obtain root privileges. The detailed explanation is given at [1].
>> The patch has been apparently fixed in the kernel as of now (according
>> to the blog post), but that update has not yet come into archlinux.
>> And while, the /bin/su is fine and is not vulnerable to exploit,
>> gpasswd is vulnerable and I am able to carry out the exploit on my
>> computer as of now, using the gpasswd program. The list of programs
>> that may be vulnerable is given by the following command
>>
>> [user at localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p"
>> -perm -4005; done
>>
>> which gives in my system the following list [3]
>>
>
>
> Wow, I'm really interested in this, how would I go about to modify the shell
> code to push one of those paths on the stack? AFAICT they don't fit into a
> qword like /bin/sh, do they?
>
> cheers!
> mar77i

Sorry, if I misquoted before, I did not *discover*, rather I stumbled
upon it on the internet. I realized my flaw, but later I thought the
issue is too widespread for me to be misunderstood. So maybe, you'd be
better off contacting the original author (see the blog, link 1 in my
post).



-- 
-------------------------------------------------------
Cheers
Jayesh Vinay Badwaik
Electronics and Communication Engineering
VNIT, INDIA
-
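The SUID enumeration step discussed in the quoted post, as an added example (not code from the thread, from Arch, or from the blog it references): a POSIX sh function that lists setuid executables under the directories of a PATH-like string, covering two cases the quoted one-liner misses, namely directory names containing spaces (the `tr`/word-splitting approach breaks them apart) and setuid binaries that are not world-readable (`-perm -4005` requires the other-read bit, so a mode 4711 binary is skipped). The function name and the sort-based de-duplication are assumptions of this example.

```shell
#!/bin/sh
# Added example: inventory setuid executables reachable from a PATH-like
# directory list, for exposure assessment after a kernel/libc advisory.
# Differences from the thread's one-liner:
#   - splits on ':' only, so directories with spaces in their names survive;
#   - matches on the setuid bit alone (-perm -4000), so non-world-readable
#     setuid binaries (e.g. mode 4711) are still reported;
#   - de-duplicates output and ignores missing PATH entries.
list_suid_on_path() {
    # $1: colon-separated directory list; defaults to the caller's $PATH
    path_list=${1:-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f                          # disable globbing while splitting
    for dir in $path_list; do
        [ -d "$dir" ] || continue   # skip entries that do not exist
        find "$dir" -type f -perm -4000 2>/dev/null
    done | sort -u
    set +f
    IFS=$old_ifs
}

# Example usage (assumed invocation, prints one path per line):
# list_suid_on_path "$PATH"
```

Pipe the output through `ls -l` (for example `list_suid_on_path | xargs ls -l`) to see owner and mode alongside each path.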

