Exploits Emerge For Linux Privilege Escalation Flaw
angry tapir writes "Linux vendors are rushing to patch a privilege escalation vulnerability in the Linux kernel that can be exploited by local attackers to gain root access on the system. The vulnerability, which is identified as CVE-2012-0056, was discovered by Jüri Aedla and is caused by a failure of the Linux kernel to properly restrict access to the '/proc//mem' file."
A weak SSH user account/PHP script/whatever + local privilege escalation = instant remote root
http://blog.zx2c4.com/749
Gets into the memory specifics of the bug. I found it to be far better than the actual article.
I was with you up until Rule #3 which is nonsense.
Since this bug was introduced in Linux 2.6.39, Debian Stable (squeeze, Linux 2.6.32) is not affected. Unstable (sid, Linux 3.1) has already been patched, though Testing (wheezy) is still vulnerable.
More information here
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
There is /proc/pid/mem, a pseudofile referring to the memory of process pid. It has 0600 permissions so you can't write to the memory of other users' processes. The bug occurs when you exec an suid executable and the kernel does not change open fds for /proc/pid/mem. This way, you can open mem, dup it to stderr, and exec su with a garbage parameter. su will duly print an error, quoting the offending parameter, writing to its process memory. With a properly selected shellcode you can get root.
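The file-offset and dup-to-stderr mechanics described in the comment above, as an added illustration that is not from this thread, the linked write-up or the published exploit. It stays inside the calling process and runs no setuid binary: it only shows that the offset of /proc/<pid>/mem is a virtual address, so after lseek() to a variable and dup2() of the fd onto fd 2, an ordinary write to stderr lands in that variable, which is why an exec'd program's error message can become the payload. It assumes a Linux kernel with /proc mounted and no extra hardening that denies a process write access to its own memory file (an assumption, not something the thread states).

```c
// Added example, not code from the Slashdot thread or the zx2c4 write-up.
// Demonstrates the /proc/self/mem write primitive within our own process:
//   1. open /proc/self/mem
//   2. lseek() to the virtual address of a target variable (offset == address)
//   3. dup2() the fd onto stderr
//   4. write() to stderr; the bytes are stored into the target variable
// Assumes Linux with /proc mounted and self-access to /proc/self/mem allowed.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

// Target buffer in our own address space. volatile so the compiler re-reads it
// from memory after the kernel has written into it behind its back.
static volatile char target[16] = "unchanged......";

// Read back the current contents of the target buffer.
const char *target_contents(void)
{
    return (const char *)target;
}

// Write `msg` into `target` by going through /proc/self/mem and a dup'ed stderr.
// Returns 0 on success, -1 if any step fails (no /proc, kernel refuses, ...).
// `msg` must fit in the buffer including its terminating NUL (max 15 bytes).
int overwrite_via_proc_mem(const char *msg)
{
    size_t len = strlen(msg);
    if (len >= sizeof(target))
        return -1;

    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return -1;

    // The file offset of /proc/<pid>/mem is the virtual address being accessed.
    if (lseek(fd, (off_t)(uintptr_t)target, SEEK_SET) == (off_t)-1) {
        close(fd);
        return -1;
    }

    // Keep a copy of the real stderr so it can be restored afterwards.
    int saved_stderr = dup(STDERR_FILENO);
    if (saved_stderr < 0) {
        close(fd);
        return -1;
    }

    // Point fd 2 at the mem file. From here on, anything written to stderr
    // (by us, or by a program that inherited fd 2 across exec) is stored into
    // process memory at the current offset.
    if (dup2(fd, STDERR_FILENO) < 0) {
        close(saved_stderr);
        close(fd);
        return -1;
    }
    close(fd);

    ssize_t n = write(STDERR_FILENO, msg, len);

    // Put stderr back where it belongs.
    dup2(saved_stderr, STDERR_FILENO);
    close(saved_stderr);

    return n == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    printf("before: %s\n", target_contents());
    if (overwrite_via_proc_mem("hello from fd 2") != 0) {
        fprintf(stderr, "write through /proc/self/mem failed\n");
        return 1;
    }
    printf("after:  %s\n", target_contents());
    return 0;
}
```

The bug in the thread is that, before the fix, this already-positioned fd stayed usable after exec of a setuid binary such as su, so the "garbage parameter" echoed in su's error message was written at the chosen address of the new, privileged image. A kernel that is not vulnerable still lets a process write to its own memory this way; the difference lies in what happens to the fd across the setuid exec, which this example deliberately does not exercise.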
is the very wrong quotation!
The original source quotes instead:
which is the memory as seen by a certain process whose PID is <pid>.
Moreover, there's no "/proc/mem" file, and the "//" would be interpreted as "/".
But maybe that'd be just the Slashdot editor.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.