Re: [Full-disclosure] CAN-2004-1073 not fixed
From: Martin Pitt (martin.pitt_at_canonical.com)
Date: 03/30/05
- Previous message: Mark J Cox: "RE: [Full-disclosure] windows linux final study"
- In reply to: Santosh Eraniose: "[Full-disclosure] CAN-2004-1073 not fixed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Mar 2005 11:21:35 +0200 To: full-disclosure@lists.grok.org.uk
Hi!
Santosh Eraniose [2005-03-29 16:39 +0530]:
> On executing the PoC on 2.4.29 and 2.6.11 kernel we initially get
> no core dump. The following code introduced to fix another bug, caused
> the loading of the interpreter to fail.
> [...]
> With this change, on executing the PoC on 2.4.29 and 2.6.11,
> the core dump contains the suid executable.
> We used the strings command to check if the strings in the suid
> is present in the core.
>
> So we find that the vulnerability of reading non-readable
> binaries exist in the latest kernel and the vendor provided patch
> for CAN-2004-1073 does not fix this vulnerability.
Confirmed.
I tried this on a security-patched 2.6.8.1 (Ubuntu 4.10) and 2.6.10
(Ubuntu 5.04) kernel. With the modified PoC I was able to read a
setuid binary with 4701 permissions on all kernels.
Martin
-- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntulinux.org Debian Developer http://www.debian.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- application/pgp-signature attachment: Digital signature
- Previous message: Mark J Cox: "RE: [Full-disclosure] windows linux final study"
- In reply to: Santosh Eraniose: "[Full-disclosure] CAN-2004-1073 not fixed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
