Re: local root exploit
carlos@tuxsystem:~/security$ ./elflbl
[+] SLAB cleanup
child 1 VMAs 64801
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xd4000000 - 0xe7ff1000
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied)
Killed
carlos@tuxsystem:~/security$ su -
tuxsystem:~# mount -t tmpfs tmpfs /dev/shm
after:
carlos@tuxsystem:~/security$ ./elflbl
[+] SLAB cleanup
child 1 VMAs 605
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xd4000000 - 0xe7ff1000
Wait... \
[-] FAILED: try again (-f switch) and again (Cannot allocate memory)
Killed
system: Debian Woody
Linux version 2.4.28 (root@tuxsystem) (gcc version 2.95.4 20011002
(Debian prerelease)) #2 Fri Nov 19 12:27:33 CLST 2004
Saludos!
On Mon, 10 Jan 2005 15:37:52 +0100, Vladislav Kurz
<vladislav.kurz@webstep.net> wrote:
> On Monday 10 of January 2005 15:29, Jacques Lav!gnotte wrote:
> > On Mon, 10 Jan 2005 15:19:33 +0100
> >
> > Vladislav Kurz <vladislav.kurz@webstep.net> wrote:
> > > mount -t tmpfs tmpfs /dev/shm
> >
> > Only root can do that.
>
> But it can be already mounted, and the exploit can be modified to use any
> writeable directory instead.
>
> >
> > Jacques
>
> --
> Regards
> Vladislav Kurz
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
Reply to: