Re: Backport of the integer overflow in the brk system call
On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler wrote:
> Afaik: 2.4.23 contains literally 100s of changes, one of these was a
> small change to do_brk(), which looked like a normal non-critical
> bugfix to everybody involved. Some time later Debian was hacked and
> backtracing how the intruder got superuser privileges revealed that
> the do_brk() without the "small change" was guilty, it had been
> no simple bug but a local privilege escalation issue.
My understanding is that the do_brk vulnerability allowed access to kernel
address space. It seems a lot of work is needed to move from that freedom to
spawning a root shell. I'd be interested in seeing a worked example.
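As an added illustration of the "small change" being discussed (this is not code from the thread or from the kernel itself, but a constructed model of the missing range check): do_brk() takes a start address and a length, page-aligns the length, and creates an anonymous mapping at [addr, addr+len). The 2.4.23 fix added a check that addr+len neither exceeds TASK_SIZE nor wraps around; without it, a caller could have the kernel create a mapping that ends in kernel address space. The TASK_SIZE value (the 3G/1G split of 32-bit x86) and the exact form of the check are assumptions modelled on the 2.4.23 change; the arithmetic is done in 32-bit unsigned so the wrap-around case reproduces on any host.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 2.4-era i386 layout: user space below 3 GiB, kernel above. */
#define TASK_SIZE 0xC0000000u
#define PAGE_SIZE 4096u
#define PAGE_MASK (~(PAGE_SIZE - 1u))

/* PAGE_ALIGN as the kernel does it, in 32-bit arithmetic. */
static uint32_t page_align(uint32_t len) { return (len + PAGE_SIZE - 1u) & PAGE_MASK; }

/* Model of do_brk() before the fix: no bound on where the mapping ends.
 * Returns 0 if a mapping would be created and stores its end address;
 * the caller can inspect whether that end lies beyond TASK_SIZE. */
int do_brk_unchecked(uint32_t addr, uint32_t len, uint32_t *end_out) {
    len = page_align(len);
    if (len == 0) { *end_out = addr; return 0; }     /* nothing to map */
    *end_out = addr + len;                           /* may wrap or cross TASK_SIZE */
    return 0;
}

/* Model of do_brk() after the fix: reject ranges that end in kernel space
 * or that overflow the address arithmetic (assumed form of the 2.4.23 check). */
int do_brk_checked(uint32_t addr, uint32_t len, uint32_t *end_out) {
    len = page_align(len);
    if (len == 0) { *end_out = addr; return 0; }
    if ((addr + len) > TASK_SIZE || (addr + len) < addr)
        return -EINVAL;
    *end_out = addr + len;
    return 0;
}

/* True if a mapping ending at 'end' reaches into kernel address space. */
int ends_in_kernel(uint32_t end) { return end > TASK_SIZE; }

int main(void) {
    /* Constructed inputs: a normal heap grow, a grow that crosses into
     * kernel space, and a length chosen so addr+len wraps past 2^32. */
    const struct { uint32_t addr, len; const char *what; } cases[] = {
        { 0x08050000u, 0x1000u,     "ordinary brk growth"          },
        { 0xBFFF0000u, 0x20000u,    "end crosses TASK_SIZE"        },
        { 0xBFFF0000u, 0xFFFF0000u, "addr+len wraps around"        },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t end_u = 0, end_c = 0;
        int ru = do_brk_unchecked(cases[i].addr, cases[i].len, &end_u);
        int rc = do_brk_checked(cases[i].addr, cases[i].len, &end_c);
        printf("%-24s unchecked: rc=%d end=0x%08x%s | checked: rc=%d\n",
               cases[i].what, ru, end_u,
               ends_in_kernel(end_u) ? " (kernel space!)" : "",
               rc);
    }
    return 0;
}
```

The second and third cases are the ones the check is there for: in the unchecked model the first yields a mapping that ends above TASK_SIZE, and the second yields an end address below its own start, which is exactly what the "(addr + len) < addr" clause catches.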