And *another* 0-day Linux kernel vulnerability
And if we didn't have enough for this weekend, an exploit for another Linux kernel privilege escalation vulnerability has been posted.
The exploit seems to be working on all 2.6.x kernels and is not related to the previous exploit we've written about.
From limited testing we've done so far, SELinux is blocking this exploit successfully, so the exploit didn't work on RedHat Enterprise Linux 4 machines we've tested this on.
Also, the published exploit depends on the a.out support in the kernel (the CONFIG_BINFMT_AOUT has to be set), but the vulnerability can be exploited no matter if a.out is supported or not.
Update: (JAC 2006-07-15 15:50 UTC) - We've spent some more time working with this one and I've had it work intermittently on both fully-patched SuSE 9.3 and 10.0 (kernel 2.6.11.4 and 2.6.13 respectively). I haven't had the time yet to figure out why it works sometimes and not others, but I'll try to keep looking into it this afternoon. One of the key things that jumps out from looking at exploit code is that this appears to require that /proc be mounted suid. Several folks have said that if /proc is mounted nosuid, the exploit fails. I haven't yet tried it and I'm not sure what else this might break, but it is a possible work-around.
The exploit seems to be working on all 2.6.x kernels and is not related to the previous exploit we've written about.
From limited testing we've done so far, SELinux is blocking this exploit successfully, so the exploit didn't work on RedHat Enterprise Linux 4 machines we've tested this on.
Also, the published exploit depends on the a.out support in the kernel (the CONFIG_BINFMT_AOUT has to be set), but the vulnerability can be exploited no matter if a.out is supported or not.
Update: (JAC 2006-07-15 15:50 UTC) - We've spent some more time working with this one and I've had it work intermittently on both fully-patched SuSE 9.3 and 10.0 (kernel 2.6.11.4 and 2.6.13 respectively). I haven't had the time yet to figure out why it works sometimes and not others, but I'll try to keep looking into it this afternoon. One of the key things that jumps out from looking at exploit code is that this appears to require that /proc be mounted suid. Several folks have said that if /proc is mounted nosuid, the exploit fails. I haven't yet tried it and I'm not sure what else this might break, but it is a possible work-around.
Keywords:
0 comment(s)
My next class:
Web App Penetration Testing and Ethical Hacking | Amsterdam | Mar 31st - Apr 5th 2025 |
×
Diary Archives
Comments