lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <41EC8DA7.4060306@gmx.net>
From: evilninja at gmx.net (Christian)
Subject: GNU gcc vuln. < 3.4.3 local root (.php)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew Farmer schrieb:
> 
> Old "vulnerability". Equivalent to:
> 
>>> /* fake_vuln.c */
>>> int getuid(void) { return 0; }
>>> int geteuid(void) { return 0; }
>>> int getgid(void) { return 0; }
>>
>>
>> sh % gcc -shared fake_vuln.c -o fake_vuln.so
>> sh % LD_PRELOAD=`pwd`/fake_vuln.so /bin/sh
>> sh # id
>> uid=0(root) gid=0(root) <etc etc etc>
>> sh # cat /etc/shadow
>> cat: /etc/shadow: Permission denied

there is even a package in my linux-distribution for this, called "fakeroot":

evil@...ep:~$ fakeroot
root@...ep:~# whoami
root

- --
BOFH excuse #38:

secretary plugged hairdryer into UPS
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB7I2nC/PVm5+NVoYRAo+VAJ46m6C9v61ukMCq8p525h8CxNrGcQCfbqbO
uNmpG/WGygmCtHgGq/fHX48=
=0/7e
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ