
Re: Backport of the integer overflow in the brk system call



On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler wrote:
 
> Afaik: 2.4.23 contains literally 100s of changes, one of these was a
> small change to do_brk(), which looked like a normal non-critical
> bugfix to everybody involved. Some time later Debian was hacked and
> backtracing how the intruder got superuser privileges revealed that
> the do_brk() without the "small change" was guilty, it had been
> no simple bug but a local privilege escalation issue.

Thanks Andreas!

My understanding is that the do_brk vulnerability allowed access to kernel
address space. It seems a lot of work is needed to move from that freedom to
spawning a root shell. I'd be interested in seeing a worked example.

-- 
Jon Dowland
http://jon.dowland.name/
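To make the "small change" in do_brk() concrete, here is a user-space model of its range check, added as an example for this thread; it is not kernel code and not anything posted by Andreas or Jon. It assumes a 32-bit i386 layout with the 3G/1G split (TASK_SIZE = 0xC0000000 is the first kernel address) and 4 KiB pages, and it models the check that 2.4.23 added, `if ((addr + len) > TASK_SIZE || (addr + len) < addr) return -EINVAL;`, beside the earlier path that had no upper bound at all. The function names `do_brk_unchecked` and `do_brk_checked` and the sample requests are constructed for the illustration. The second half of the check matters as much as the first: a length chosen so that addr + len wraps past 2^32 produces a small end address that passes the TASK_SIZE comparison on its own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * User-space model of the do_brk() range check (illustration only, not
 * kernel code). Assumptions: 32-bit i386 addresses, 3G/1G split so that
 * TASK_SIZE = 0xC0000000 is the first kernel address, 4 KiB pages.
 */
#define TASK_SIZE 0xC0000000u
#define PAGE_SIZE 4096u
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))

typedef uint32_t addr_t;        /* 32-bit unsigned long, as on i386 */

enum brk_rc { BRK_OK, BRK_EINVAL };

struct brk_outcome {
    enum brk_rc rc;
    addr_t end;                 /* addr + len as 32-bit arithmetic computes it */
    bool reaches_kernel;        /* does the true range cross TASK_SIZE? */
};

/* Shared prologue: page-align the length; a zero-length request is a no-op. */
static bool brk_prologue(addr_t addr, addr_t *len, struct brk_outcome *o)
{
    o->rc = BRK_OK;
    o->end = addr;
    o->reaches_kernel = false;
    *len = PAGE_ALIGN(*len);
    return *len != 0;
}

/* Judge the range in 64-bit arithmetic, so wrap-around cannot hide it. */
static bool range_reaches_kernel(addr_t addr, addr_t len)
{
    return (uint64_t)addr + len > TASK_SIZE;
}

/* Model of the pre-2.4.23 path: no upper bound on addr + len at all. */
struct brk_outcome do_brk_unchecked(addr_t addr, addr_t len)
{
    struct brk_outcome o;
    if (!brk_prologue(addr, &len, &o))
        return o;
    o.end = addr + len;                         /* silently wraps modulo 2^32 */
    o.reaches_kernel = range_reaches_kernel(addr, len);
    return o;
}

/* Model of the 2.4.23 check: reject ranges ending above TASK_SIZE and
 * ranges whose 32-bit end wrapped around below their start. */
struct brk_outcome do_brk_checked(addr_t addr, addr_t len)
{
    struct brk_outcome o;
    if (!brk_prologue(addr, &len, &o))
        return o;
    if (addr + len > TASK_SIZE || addr + len < addr) {
        o.rc = BRK_EINVAL;
        return o;
    }
    o.end = addr + len;
    o.reaches_kernel = range_reaches_kernel(addr, len);   /* always false here */
    return o;
}

int main(void)
{
    /* Constructed sample requests: (addr, len) pairs */
    struct { addr_t addr, len; const char *what; } req[] = {
        { 0x08100000u, 0x00001000u, "ordinary heap growth" },
        { 0xBFFFF000u, 0x00001000u, "ends exactly at TASK_SIZE" },
        { 0xBFFFF000u, 0x00002000u, "one page into kernel space" },
        { 0xBFFFF000u, 0x40002000u, "addr + len wraps past 2^32" },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        struct brk_outcome u = do_brk_unchecked(req[i].addr, req[i].len);
        struct brk_outcome c = do_brk_checked(req[i].addr, req[i].len);
        printf("%-28s unchecked: end=0x%08x kernel=%d | checked: %s\n",
               req[i].what, u.end, (int)u.reaches_kernel,
               c.rc == BRK_OK ? "OK" : "EINVAL");
    }
    return 0;
}
```

The unchecked model shows why the bug was read as an overflow: for the last request the 32-bit end is 0x00001000, well inside user space, while the range it actually describes runs through the whole kernel mapping. Any later code that trusts that end value makes a decision about a user request using a number that does not describe it. The checked model refuses both the plain over-the-top case and the wrapped case, and still accepts a range that ends exactly at TASK_SIZE.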


