Local Root Exploit in Linux 2.4 and 2.6
Anonymous Coattails writes "Summary from the advisory: 'Locally exploitable flaws have been found in the Linux binary format loaders' uselib() functions that allow local users to gain root privileges.'"
Read down to the Credits on the link and you see this line:
Credits:
========
Paul Starzetz has identified the vulnerability and
performed further research. COPYING, DISTRIBUTION, AND MODIFICATION OF
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
ONE OF THE AUTHORS.
Did I violate you by hitting ctrl-c and ctrl-v? Yeah, copyrights stink even in the free and open source realm. Oh yeah, I guess Polly boy has something to put on his resume now, as if someone else was going to steal his glory and get away with it.
ayershome.org/users/eric
Isec.pl has done a lot for the open source world, they've found lots of vulnerabilities (which is good - vulnerabilities ARE like any other bug):
Take a look at the impressive curriculum of those guys:
d_path() truncating excessive long path name vulnerability
Linux kernel do_brk() lacks argument bound checking
Linux kernel do_mremap() local privilege escalation vulnerability
Linux kernel do_mremap VMA limit local privilege escalation vulnerability
Linux kernel setsockopt MCAST_MSFILTER integer overflow
Linux kernel file offset pointer races
Linux ELF loader vulnerabilities
Linux kernel IGMP vulnerabilities
Linux kernel scm_send local DoS
Linux kernel uselib() privilege elevation
Guess what, they're also the guys who discovered the Mozilla hole disclosed today: Heap overflow in Mozilla Browser NNTP code
Those guys are impressive. In particular, Paul Starzetz is the author of most of those kernel holes, along with a guy called Wojciech. They always contact the kernel maintainers before disclosing the vulnerability, etc. Basically, they're having the same effect as a security audit. Except that they're doing it for free, so they deserve respect, I think. And yes, Linux has too many kernel-level vulnerabilities. More than XP if I'm counting them right. Perhaps someone should offer a job to those guys so they can audit parts of the kernel better.
(And I can understand that copyright policy - there are people who probably look at those announcements, ctrl+c and ctrl+v, and release their own announcement twisting dates, claiming that they're the guys who found it first.)