| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4F1D26CB.8030709@halfdog.net> Date: Mon, 23 Jan 2012 09:22:19 +0000 From: halfdog <me@...fdog.net> To: "Jason A. Donenfeld" <Jason@...c4.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Linux Local Root -- CVE-2012-0056 -- Detailed Write-up -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Jason, Jason A. Donenfeld wrote: > Hey Mark, > > For the longest time /proc/pid/mem writing was ifdef'd out. Then > for the 2.6.39 kernel release, they deemed that the work they'd > been doing to make the writing interface secure was strong enough, > so they included the ability to write [1]. So versions before > 2.6.39 are not vulnerable, and after it (until 3.3, I guess) are. > Hope this clarifies. Nice writeup. They should have known to comment out is bad thing, they already received exploit demo 2011 when fixing CVE-2011-1020 http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/ If /procc/[pid]/mem would be writeable on standard linux kernels, this program should give local root privilege escalation (SeekHelper.c), e.g. ./SeekHelper /proc/self/mem 8048000 /usr/bin/sudoedit -p xxx /etc/sudoers with a crafted address and promt payload. Currently something else is still blocking in kernel, could be fs/proc/base.c hd > Jason > > [1] > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=198214a7 > > > On Mon, Jan 23, 2012 at 04:09, mark cunningham > <markcunninghamemail@...il.com> wrote: >> Hey great write up on the exploit, sorry for contacting you off >> list. From your post I gather it's only 2.6.39 that's vulnerable >> right? http://security-tracker.debian.org/tracker/CVE-2012-0056 >> is showing that lower versions are "fixed" and just "not >> vulerable" and I coulnd't get it to work with kernel 2.6.32, but >> figured maybe there was a chance it still worked for all of 2.6 >> as i see linus has commited it to 2.6 >> >> Mark >> >> On Sun, Jan 22, 2012 at 6:19 PM, Jason A. >> Donenfeld<Jason@...c4.com> wrote: >>> Hey Everyone, >>> >>> I did a detailed write-up on exploiting CVE-2012-0056 that some >>> of y'all might appreciate. Pretty fun bug to play with -- >>> dup2ing all over the place for the prize of getting to write >>> arbitrary process memory into su :-). >>> >>> The write up is available on my blog here: >>> http://blog.zx2c4.com/749 . Enjoy. >>> >>> Jason >>> >>> _______________________________________________ Full-Disclosure >>> - We believe in it. Charter: >>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted >>> and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ Full-Disclosure - > We believe in it. Charter: > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and > sponsored by Secunia - http://secunia.com/ > - -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk8dJr4ACgkQxFmThv7tq+7atgCdFJfx44LdkpdzaOUEDKuB9XHg HSUAoIgEguXSNS0Z30fMjbFBpGb0UYBM =/RcI -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists