[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Linux Local Root -- CVE-2012-0056 -- Detailed Write-up
- To: "Jason A. Donenfeld" <Jason@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Linux Local Root -- CVE-2012-0056 -- Detailed Write-up
- From: halfdog <me@xxxxxxxxxxx>
- Date: Mon, 23 Jan 2012 09:22:19 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello Jason,
Jason A. Donenfeld wrote:
> Hey Mark,
>
> For the longest time /proc/pid/mem writing was ifdef'd out. Then
> for the 2.6.39 kernel release, they deemed that the work they'd
> been doing to make the writing interface secure was strong enough,
> so they included the ability to write [1]. So versions before
> 2.6.39 are not vulnerable, and after it (until 3.3, I guess) are.
> Hope this clarifies.
Nice writeup. They should have known to comment out is bad thing, they
already received exploit demo 2011 when fixing CVE-2011-1020
http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/
If /procc/[pid]/mem would be writeable on standard linux kernels, this
program should give local root privilege escalation (SeekHelper.c),
e.g. ./SeekHelper /proc/self/mem 8048000 /usr/bin/sudoedit -p xxx
/etc/sudoers with a crafted address and promt payload. Currently
something else is still blocking in kernel, could be fs/proc/base.c
hd
> Jason
>
> [1]
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=198214a7
>
>
>
On Mon, Jan 23, 2012 at 04:09, mark cunningham
> <markcunninghamemail@xxxxxxxxx> wrote:
>> Hey great write up on the exploit, sorry for contacting you off
>> list. From your post I gather it's only 2.6.39 that's vulnerable
>> right? http://security-tracker.debian.org/tracker/CVE-2012-0056
>> is showing that lower versions are "fixed" and just "not
>> vulerable" and I coulnd't get it to work with kernel 2.6.32, but
>> figured maybe there was a chance it still worked for all of 2.6
>> as i see linus has commited it to 2.6
>>
>> Mark
>>
>> On Sun, Jan 22, 2012 at 6:19 PM, Jason A.
>> Donenfeld<Jason@xxxxxxxxx> wrote:
>>> Hey Everyone,
>>>
>>> I did a detailed write-up on exploiting CVE-2012-0056 that some
>>> of y'all might appreciate. Pretty fun bug to play with --
>>> dup2ing all over the place for the prize of getting to write
>>> arbitrary process memory into su :-).
>>>
>>> The write up is available on my blog here:
>>> http://blog.zx2c4.com/749 . Enjoy.
>>>
>>> Jason
>>>
>>> _______________________________________________ Full-Disclosure
>>> - We believe in it. Charter:
>>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted
>>> and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
>
- --
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk8dJr4ACgkQxFmThv7tq+7atgCdFJfx44LdkpdzaOUEDKuB9XHg
HSUAoIgEguXSNS0Z30fMjbFBpGb0UYBM
=/RcI
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/