Slashdot Mirror

← Back to Stories (view on slashdot.org)

Exploits Emerge For Linux Privilege Escalation Flaw

Posted by samzenpus on from the protect-ya-neck dept.

angry tapir writes "Linux vendors are rushing to patch a privilege escalation vulnerability in the Linux kernel that can be exploited by local attackers to gain root access on the system. The vulnerability, which is identified as CVE-2012-0056, was discovered by Jüri Aedla and is caused by a failure of the Linux kernel to properly restrict access to the '/proc//mem' file."

8 of 176 comments (clear)

  1. Re:Local exploit? by Lumpio- · · Score: 5, Informative

    A weak SSH user account/PHP script/whatever + local privilege escalation = instant remote root

  2. Link to more info by milbournosphere · · Score: 5, Informative
    It's a geekier breakdown, but is quite informative.

    http://blog.zx2c4.com/749

    Gets into the memory specifics of the bug. I found it to be far better than the actual article.

  3. Re:Hrrm by Anonymous Coward · · Score: 5, Informative

    I was with you up until Rule #3 which is nonsense.

  4. Debian (mostly) not affected by Trogre · · Score: 5, Informative

    Since this bug was introduced in Linux 2.6.39 Debian Stable (squeeze, Linux 2.6.32) is not affected. Unstable(sid, Linux 3.1) has already been patched, though Testing (wheezy) is still vulnerable.

    More information here

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  5. Simple explanation by Chemisor · · Score: 5, Informative

    There is /proc/pid/mem, a pseudofile referring to the memory of process pid. It has 0600 permissions so you can't write to the memory of other users' processes. The bug occurs when you exec an suid executable and the kernel does not change open fds for /proc/pid/mem. This way, you can open mem, dup it to stderr, and exec su with a garbage parameter. su will duly print an error, quoting the offending parameter, writing to its process memory. With a properly selected shellcode you can get root.

  6. Re:Broken on Android too by bfree · · Score: 3, Informative

    Really? This bug was only present in kernel releases 2.6.39 and newer. Do any Android devices use kernel's based on a Linux this current? A quick search says Android 2.3. used 2.6.35 and 3.0 used 2.6.36 so the number of devices this might possibly help you root looks miniscule.

    --

    Never underestimate the dark side of the Source

  7. Re:Broken on Android too by slack_justyb · · Score: 3, Informative

    Someone has already beaten every one else to the punch.

    However, you need Ice Cream Sandwich and you will need access to a disassembler. Also, you cannot use this exploit for "one-click" root access as the only program that is in the Android stack that runs setuid root, is run-as. That command is statically linked so you will still need adb access so that you can disassemble the program to find it's exit call.

    So there is still a fair amount of work left to be done to make this an exploit that can be used in the "wild" for Android devices. However, as a fair note. A little crowd sourcing to compile a list of offsets for different devices could greatly speed up the process. I'm actually curious if Google will patch this in there kernel.

  8. What'd "//" be ? by aglider · · Score: 4, Informative

    /proc//mem

    is the very wrong quotation!
    The original source quotes instead:

    /proc/<pid>/mem

    which is the memory as seen by a certain process whose PID is <pid>.
    Moreover, there's no "/proc/mem" file and the "//" whould be interpreted as "/".
    But maybe that'd be just the Slashdot editor.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.