[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
- To: Ariel Biener <ariel@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
- From: Jon Hart <jhart@xxxxxxxxxxx>
- Date: Wed, 12 Jul 2006 20:10:22 -0700
On Thu, Jul 13, 2006 at 01:23:10AM +0300, Ariel Biener wrote:
> On Wednesday 12 July 2006 03:15, Roman Medina-Heigl Hernandez wrote:
>
> Ignore my previous post, it does create a setuid bash version in /tmp/sh, the
> reason it doesn't work is due to SELinux contexts.
This is an important note, IMO. While the original advisory states
that only kernels >= 2.6.13 and <= 2.6.17.4 are vulnerable, it looks
like, somehow, the same vulnerable code is present in patched Redhat
kernels. The previous poster had a 2.6.9 version, and I've just
verified that 2.6.9-11.ELsmp (provided with RH EL 4 update 1) is also
vulnerable.
If this is the case of backporting, this should come as no surprise. If
it is not a backport issue, what vulnerability is being exploited on
these supposedly older kernels?
-jon
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/