Old 01-24-2012, 04:24 AM
Gaetan Bisson
 
Default Linux Local Privilege Escalation via SUID /proc/pid/mem Write

[2012-01-24 10:41:10 +0530] Jayesh Badwaik:
> I have just discovered this kernel exploit which allows a local user
> to obtain root privileges. The detailed explanation is given at [1].
> The patch has been apparently fixed in the kernel as of now (according
> to the blog post), but that update has not yet come into archlinux.

Yes it has; that's why linux-3.2.1-2 is out.

--
Gaetan
 
Old 01-24-2012, 04:39 AM
Jayesh Badwaik
 
Default Linux Local Privilege Escalation via SUID /proc/pid/mem Write

On Tue, Jan 24, 2012 at 10:54 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
> [2012-01-24 10:41:10 +0530] Jayesh Badwaik:
>> I have just discovered this kernel exploit which allows a local user
>> to obtain root privileges. The detailed explanation is given at [1].
>> The patch has been apparently fixed in the kernel as of now (according
>> to the blog post), but that update has not yet come into archlinux.
>
> Yes it has; that's why linux-3.2.1-2 is out.
>
> --
> Gaetan

Ohk, it's just that I did not find any notice on the frontpage,
public-dev or general mailing list etc. So, I just posted. Thanks for
the information.

--
-------------------------------------------------------
Cheers
Jayesh Vinay Badwaik
Electronics and Communication Engineering
VNIT, INDIA
-
 
Old 01-24-2012, 10:04 AM
Karol Blazewicz
 
Default Linux Local Privilege Escalation via SUID /proc/pid/mem Write

On Tue, Jan 24, 2012 at 6:39 AM, Jayesh Badwaik
<jayesh.badwaik90@gmail.com> wrote:
> Ohk, it's just that I did not find any notice on the frontpage,
> public-dev or general mailing list etc. So, I just posted. Thanks for
> the information.

https://bbs.archlinux.org/viewtopic.php?id=134219
https://bbs.archlinux.org/viewtopic.php?id=134224 (a bit different issue)
:-)
 
Old 01-25-2012, 10:22 PM
Martti Kühne
 
Default Linux Local Privilege Escalation via SUID /proc/pid/mem Write

On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
> Hi,
>
> I have just discovered this kernel exploit which allows a local user
> to obtain root privileges. The detailed explanation is given at [1].
> The patch has been apparently fixed in the kernel as of now (according
> to the blog post), but that update has not yet come into archlinux.
> And while, the /bin/su is fine and is not vulnerable to exploit,
> gpasswd is vulnerable and I am able to carry out the exploit on my
> computer as of now, using the gpasswd program. The list of programs
> that may be vulnerable are given by the following command
>
> [user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done
>
> which gives in my system the following list [3]
>


Wow, I'm really interested in this, how would I go about to modify the shell
code to push one of those paths on the stack? AFAICT they don't fit into a
qword like /bin/sh, do they?

cheers!
mar77i
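
The `find -perm -4005` audit quoted in the message above, rewritten as a reusable inventory of setuid binaries on a search path (an added example, not part of the original thread). It assumes GNU `find` and `stat`; the function name `list_suid_world_rx` is made up for this illustration.

```shell
#!/bin/sh
# Added example: inventory of setuid executables on a colon-separated path.
# Uses the same permission test as the quoted command (-perm -4005: setuid
# bit set and readable + executable by "other"), but also copes with empty
# PATH entries, directory names containing spaces, and PATH directories
# that are symlinks (e.g. /bin -> usr/bin).
# Assumes GNU find and GNU stat (stat -c).

# list_suid_world_rx DIRLIST
#   DIRLIST: colon-separated directories, e.g. "$PATH".
#   Output:  one "<octal mode> <owner> <path>" line per match,
#            sorted and de-duplicated.
list_suid_world_rx() (
    # Runs in a subshell so the IFS and globbing changes do not leak out.
    IFS=:
    set -f
    for dir in $1; do
        # An empty entry means "current directory"; skip it and any
        # entry that is not an existing directory.
        [ -n "$dir" ] && [ -d "$dir" ] || continue
        # -H follows a symlinked starting directory; -type f ignores
        # symlinks and sub-directories found inside it.
        find -H "$dir" -type f -perm -4005 \
            -exec stat -c '%a %U %n' {} +
    done | sort -u
)

# Report for the current user's search path. Entries owned by root are the
# ones to review first: drop the setuid bit where it is not needed.
list_suid_world_rx "$PATH"
```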
 
Old 01-26-2012, 01:44 PM
Jayesh Badwaik
 
Default Linux Local Privilege Escalation via SUID /proc/pid/mem Write

On Thu, Jan 26, 2012 at 4:52 AM, Martti Kühne <mysatyre@gmail.com> wrote:
> On Tue, Jan 24, 2012 at 10:41:10AM +0530, Jayesh Badwaik wrote:
>> Hi,
>>
>> I have just discovered this kernel exploit which allows a local user
>> to obtain root privileges. The detailed explanation is given at [1].
>> The patch has been apparently fixed in the kernel as of now (according
>> to the blog post), but that update has not yet come into archlinux.
>> And while, the /bin/su is fine and is not vulnerable to exploit,
>> gpasswd is vulnerable and I am able to carry out the exploit on my
>> computer as of now, using the gpasswd program. The list of programs
>> that may be vulnerable are given by the following command
>>
>> [user@localhost]$ for p in $(echo $PATH | tr ':' ' '); do find "$p" -perm -4005; done
>>
>> which gives in my system the following list [3]
>>
>
>
> Wow, I'm really interested in this, how would I go about to modify the shell
> code to push one of those paths on the stack? AFAICT they don't fit into a
> qword like /bin/sh, do they?
>
> cheers!
> mar77i

Sorry, if I misquoted before, I did not *discover*, rather I stumbled
upon it on the internet. I realized my flaw, but later I thought the
issue is too widespread for me to be misunderstood. So maybe, you'd be
better off contacting the original author (see the blog, link 1 in my
post).



--
-------------------------------------------------------
Cheers
Jayesh Vinay Badwaik
Electronics and Communication Engineering
VNIT, INDIA
-
 
Old 01-26-2012, 02:10 PM
Martti Kühne
 
Default Linux Local Privilege Escalation via SUID /proc/pid/mem Write

On Thu, Jan 26, 2012 at 08:14:52PM +0530, Jayesh Badwaik wrote:
>
> Sorry, if I misquoted before, I did not *discover*, rather I stumbled
> upon it on the internet. I realized my flaw, but later I thought the
> issue is too widespread for me to be misunderstood. So maybe, you'd be
> better off contacting the original author (see the blog, link 1 in my
> post).
>
>

So? Do you think no one here understands the whole problem here or could answer
my question? I didn't reply to you personally, but to the mailing list, and
somehow expected an answer by someone who is that necessary bit more
knowledgeable than I on this topic, since I'd not be surprised if some of the
people on this list would go ahead and try to hack their linux.

No offense, but I usually don't try to answer questions I don't understand well
enough...

cheers!
mar77i
 
