| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060712193157.1b41110b.advisory@dyadsecurity.com> Date: Thu Jul 13 03:31:38 2006 From: advisory at dyadsecurity.com (advisory) Subject: Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 ) it would help if the exploit bothered to invoke bash (/bin/sh on almost all linux distros) with -p so that it didnt drop euid root. There are alot of reasons why this shouldnt work on selinux, using a strict policy, other than (file?) contexts. "\n* * * * * root /bin/sh /tmp/commands_to_run_as_root.sh;exit;\n" might work better as a payload. <3 advisory. On Thu, 13 Jul 2006 01:23:10 +0300 Ariel Biener <ariel@...t.tau.ac.il> wrote: > On Wednesday 12 July 2006 03:15, Roman Medina-Heigl Hernandez wrote: > > Ignore my previous post, it does create a setuid bash version in /tmp/sh, the > reason it doesn't work is due to SELinux contexts. > > --Ariel > > Maybe this is obvious for Paul Starzetz (as well as many other people) but > > full-disclosure is not really "full" without exploit code. > > > > Working exploit attached. You can also download it from: > > http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c > > > > Greetz to !dSR ppl :-) > > -- > -- > Ariel Biener > e-mail: ariel@...t.tau.ac.il > PGP: http://www.tau.ac.il/~ariel/pgp.html > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- Jack - jack@...turesecurity.org
Powered by blists - more mailing lists