Re: [Full-disclosure] linux procfs vulnerablity
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] linux procfs vulnerablity
- From: "GroundZero Security" <fd@xxxxxxx>
- Date: Sat, 24 Dec 2005 16:55:55 +0100
Hi!
I tested this bug and it is a fact that indeed kernel memory can be leaked.
This leads to privilege escalation as the encrypted root password is in there.
It could be cracked with john. In the log is more information that could lead
to a full system compromise. Nice bug and not hard to code :-)
-sk
Http://www.groundzero-security.com
----- Original Message -----
From: "Karl Janmar" <karl@xxxxxxxxxxxxxxxxxxxx>
To: "coderman" <coderman@xxxxxxxxx>
Cc: <full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Saturday, December 24, 2005 6:00 AM
Subject: Re: [Full-disclosure] linux procfs vulnerablity
> The arch is x86 and I ignore the rest of your comments, maybe you have to
> think a little more?
>
> - karl
>
> coderman wrote:
> > On 12/23/05, Karl Janmar <karl@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> >>...
> >>I have found one flaw in Linux procfs code that makes the kernel disclose
> >>memory.
> >
> >
> > i'd love to see you exploit this! rly!
> >
> >
> >
> >>fs/proc/proc_misc.c:74
> >>...
> >>if (len <= off+count) *eof = 1;
> >>...
> >>off is an off_t and count is an int.
> >
> >
> > what arch? on intel assign a s32 to int? the sky is falling...
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>