Bugtraq mailing list archives
Re: Linux kernel ELF core dump privilege elevation
From: antoine <antoine () nagafix co uk>
Date: Thu, 12 May 2005 02:46:47 +0100
Paul, I failed to crash any of my test machines, x86_86 based systems get the same result as reported by Bruno Lustosa (segfaults), x86 system exit after printing ".. to crash" as do UML x86 systems. SELinux exits with: "[+] phase 2, <RET> to crash Killed" but interestingly do not cause any audit event. I just stumbled upon another bug which does crash systems reliably, it only works on x86_64 (maybe other 64 bit archs?). No CVE, and not sure it can be used for privilege escalation, but it does crash hard: "It is a kernel bug that allows to set non canonical addresses in 64bit segment registers through ptrace." Andi Kleen on LKML. It is being worked on. The (accidental) code that triggered it is contained in a UML instance (kernel + filesystem and commands) - too big and suboptimal to be published here and much smaller PoC code is doable. Antoine On Wed, 2005-05-11 at 13:08 +0200, Paul Starzetz wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, since it became clear from the discussion in January about the uselib() vulnerability, that the Linux community prefers full, non-embargoed disclosure of kernel bugs, I release full details right now. However to follows at least some of the responsable disclosure rules, no exploit code will be released. Instead, only a proof-of-concept code is released to demonstrate the vulnerability. regards - -- Paul Starzetz iSEC Security Research http://isec.pl/ Synopsis: Linux kernel ELF core dump privilege elevation
(...)
Current thread:
- Linux kernel ELF core dump privilege elevation Paul Starzetz (May 11)
- Re: Linux kernel ELF core dump privilege elevation Bruno Lustosa (May 11)
- Re: Linux kernel ELF core dump privilege elevation codeQ (May 13)
- Re: Linux kernel ELF core dump privilege elevation Greg KH (May 11)
- Re: Linux kernel ELF core dump privilege elevation Greg KH (May 11)
- Re: Linux kernel ELF core dump privilege elevation Paul Starzetz (May 11)
- Re: Linux kernel ELF core dump privilege elevation (kernel module workaround) Andrew Griffiths (May 12)
- Re: Linux kernel ELF core dump privilege elevation antoine (May 12)
- Re: Linux kernel ELF core dump privilege elevation Pedro Venda (May 13)
- Re: Linux kernel ELF core dump privilege elevation Bruno Lustosa (May 11)