2.6 kernel local-user root privilege hole

Alex Hewitt hewitt_tech at comcast.net
Mon Feb 11 09:31:16 EST 2008


On Mon, 2008-02-11 at 08:11 -0500, Ben Scott wrote:
> On Feb 10, 2008 9:36 PM, Dan Miller <rambi.dev at gmail.com> wrote:
> > I wonder if 64 bit is immune.
> 
>   I don't understand the details of the code, but I see some
> hard-coded values and a lot of assembler.  Many exploits depend on
> things like buffer sizes and offsets, so switching to a different word
> size may mean the code would need to be tweaked.  Or maybe vmsplice
> has a completely different implementation on x86-64.

Interestingly, I built and ran the code on my Ubuntu 7.10 system. As Bill
stated, I got a root terminal window. However, within a couple of minutes
my system froze and I wasn't able to get its attention again.
Coincidentally, the system announced that updates were available, and it
was within a few seconds of the update starting that the system went out
to lunch. So I guess it's possible that the exploit trashes one or more
system structures. Still, you could use the root window to elevate the
privileges of an otherwise non-privileged account while the system was
still runnable.

-Alex

> 
> -- Ben
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
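For anyone following this thread who wants a first-pass answer to "is my box in the affected range?" before trying anything, here is an added example that is not code from the thread or from the exploit being discussed. It reads the running kernel's release string with uname(2) and checks it against the range of upstream kernels that carried the vulnerable vmsplice code (vmsplice appeared in 2.6.17; the fix landed upstream in 2.6.24.2). That range comes from the upstream fix history, not from this thread. The caveat a practitioner needs: distribution kernels (Ubuntu 7.10's 2.6.22 included) backport the fix without changing the version number, so "in range" means "check your vendor's changelog", not "exploitable". As to the 64-bit question above, vmsplice lives in the architecture-independent fs/splice.c rather than in per-architecture code, so the word size alone is not what decides it.

```c
/* Added example, not from the thread: a uname(2)-based range check for the
 * kernels that shipped the vulnerable vmsplice code.  Range assumed here:
 * 2.6.17 (vmsplice introduced) through 2.6.24.1 (last upstream release
 * before the fix).  A "yes" means "verify against your vendor's changelog",
 * because stable-series and distro backports keep the old version string. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

/* Parse up to four dotted numeric fields of a release string such as
 * "2.6.22-14-generic" into out[]; missing fields become 0.  Stops at the
 * first character that is neither a digit nor a '.' following a field.
 * Returns the number of fields parsed. */
static int parse_release(const char *release, int out[4])
{
    const char *p = release;
    int n;

    for (n = 0; n < 4; n++)
        out[n] = 0;

    n = 0;
    while (n < 4 && *p >= '0' && *p <= '9') {
        char *end;
        out[n++] = (int)strtol(p, &end, 10);
        p = end;
        if (*p != '.')
            break;
        p++;
    }
    return n;
}

/* Lexicographic compare of two four-field versions: -1, 0 or 1. */
static int cmp4(const int a[4], const int b[4])
{
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Returns 1 if the release string falls within [2.6.17, 2.6.24.1],
 * 0 otherwise (including strings with fewer than three numeric fields). */
int release_in_vmsplice_range(const char *release)
{
    static const int lo[4] = {2, 6, 17, 0};
    static const int hi[4] = {2, 6, 24, 1};
    int v[4];

    if (parse_release(release, v) < 3)
        return 0;
    return cmp4(v, lo) >= 0 && cmp4(v, hi) <= 0;
}

int main(void)
{
    struct utsname u;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    printf("kernel %s on %s: %s\n", u.release, u.machine,
           release_in_vmsplice_range(u.release)
               ? "in the upstream vmsplice-affected range; check vendor changelog"
               : "outside the upstream vmsplice-affected range");
    return 0;
}
```

Build with `gcc -std=c99 -Wall vmsplice_range.c -o vmsplice_range` and run it as any user; it needs no privileges because it only reads uname(2). The check deliberately ignores the suffix after the numeric fields ("-14-generic"), which is exactly why a distro-patched kernel can still report "in range".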
