[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42290ED0.17389.7418201@localhost>
Date: Sat, 05 Mar 2005 01:43:44 +0100
From: pageexec@...email.hu
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: PaX privilege elevation security bug
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
PaX privilege elevation security bug
Severity: critical
Description: unprivileged users can execute arbitrary code with
the privileges of the target in any program they or
other users can execute
it is definitely exploitable for local users,
remote exploitability depends on how much control
one can have over executable file mappings in the
target
Affected
versions: all releases since 2003 September
(when vma mirroring was introduced)
Affected
configurations: anyone having SEGMEXEC or RANDEXEC (vma mirroring)
in the kernel's .config file
Fixed versions: patches released today, see http://pax.grsecurity.net
Mitigation: echo "0 0" > /proc/sys/vm/pagetable_cache
this will eliminate the obvious exploit vector only,
patching is still unavoidable
Technical details will be posted to the dailydave mailing list,
probably early next week.
This is a spectacular fuckup, it pretty much destroys what PaX has
always stood and been trusted for. For this and other reasons, PaX
will be terminated on 1st April, 2005, a fitting date... Brad Spengler
offered to take it up but if you're interested in helping as well,
contact pageexec@...email.hu.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQikAPJVtI2Y58IG/EQJbjQCfe0KzZvFRQhzIImxBsbaOBvmQOTcAoIwk
0mFNuwmsx2F3efahYd3bU3mT
=yPeF
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists