Message-ID: <1115920373.6287.8.camel@localhost.localdomain>
Date: Thu, 12 May 2005 19:52:53 +0200
From: codeQ <newsclient@...mq.info>
To: Bruno Lustosa <bruno.lists@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Linux kernel ELF core dump privilege elevation

I wasn't able to make it work either, getting exactly the same output
(without GCC's warnings). I'm on a Debian 2.6.11-7 kernel. I just tested
but really didn't even look at what failed, not even gdb'ed the core.

If someone notices what's wrong with the POC, please let me know.

Thanks,
Pablo Fernandez


Message-ID: <b9e0c3fe050511123454aa2ada@...l.gmail.com>
Date: Wed, 11 May 2005 16:34:58 -0300
From: Bruno Lustosa <bruno.lists@...il.com>
Reply-To: Bruno Lustosa <bruno.lists@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: Linux kernel ELF core dump privilege elevation
In-Reply-To: <Pine.LNX.4.44.0505101615410.1618-100000@...c.pl>

On 5/11/05, Paul Starzetz <ihaquer@...c.pl> wrote:
> since it became clear from the discussion in January about the uselib()
> vulnerability that the Linux community prefers full, non-embargoed
> disclosure of kernel bugs, I release full details right now. However, to
> follow at least some of the responsible disclosure rules, no exploit code will be
> released. Instead, only proof-of-concept code is released to demonstrate
> the vulnerability.

Paul, I was unable to make it work on my amd64.
Running Gentoo on kernel 2.6.11.
This was the output:

[+] Compiling...elfcd1.c: In function `main':
elfcd1.c:48: warning: implicit declaration of function `strlen'
elfcd1.c:54: warning: implicit declaration of function `memset'
elfcd1.c:60: warning: implicit declaration of function `strcmp'
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld:
warning: i386:x86-64 architecture of input file `/tmp/ccSCdKeo.o' is
incompatible with i386 output

[+] ./elfcd1 argv_start=0x7ffffffff451 argv_end=0x7ffffffff459  ESP: 0xfffff0e0
[+] phase 1
[+] AAAA argv_start=0x7fffffff6fea argv_end=0x7fffffff6fee  ESP: 0xffff6de0
[+] phase 2, <RET> to crash Segmentation fault (core dumped)

-- 
Bruno Lustosa, aka Lofofora          | Email: bruno@...tosa.net
Network Administrator/Web Programmer | ICQ: 1406477
Rio de Janeiro - Brazil              |
