| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050330092135.GA14616@box79162.elkhouse.de> Date: Wed Mar 30 10:21:45 2005 From: martin.pitt at canonical.com (Martin Pitt) Subject: CAN-2004-1073 not fixed Hi! Santosh Eraniose [2005-03-29 16:39 +0530]: > On executing the PoC on 2.4.29 and 2.6.11 kernel we initially get > no core dump. The following code introduced to fix another bug, caused > the loading of the interpreter to fail. > [...] > With this change, on executing the PoC on 2.4.29 and 2.6.11, > the core dump contains the suid executable. > We used the strings command to check if the strings in the suid > is present in the core. > > So we find that the vulnerability of reading non-readable > binaries exist in the latest kernel and the vendor provided patch > for CAN-2004-1073 does not fix this vulnerability. Confirmed. I tried this on a security-patched 2.6.8.1 (Ubuntu 4.10) and 2.6.10 (Ubuntu 5.04) kernel. With the modified PoC I was able to read a setuid binary with 4701 permissions on all kernels. Martin -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntulinux.org Debian Developer http://www.debian.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050330/79ec11af/attachment.bin
Powered by blists - more mailing lists