Re: Local Root exploit (Fedora Core 4)

From: Joshua Bressers (bressers_at_redhat.com)
Date: 06/23/05

  • Next message: Advisories_at_eeye.com: "eEye Advisory - EEYEB-200505 - RealPlayer AVI Processing Overflow"
    To: "Florian Strankowski (fs)" <florian.s@bildunxxluecke.de>
    Date: Thu, 23 Jun 2005 14:27:43 -0400
    
    

    > Local Root Exploit under Fedora Core 4 (stable) Advisory
    >
    > Florian Strankowski
    > florian.s@bildunxxluecke.de
    > www.bildunxxluecke.de/usr/florian/advisory/advisory-05-048.txt
    >
    > Vulnerable System :
    >
    > This vulnerability affects Fedora Core 4.0 (stable) with
    > the kernelversion 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:53:35 EDT 2005
    > (http://fedora.redhat.com)
    >
    > Vulnerability Title:
    >
    > pwned.c (originally and mods of it)
    >
    >
    >
    > Vulnerability discovery and development:
    >
    > Florian Strankowski discovered this Bug while trying to use
    > a standard sys_uselib for gaining root previlegies under
    > user enviroment in Fedora Core 4.
    > The Bug leads to a poc of gaining access to the /root directory
    > under the Fedora Core 4 System and maybe other ring-0 trees.
    >
    > Affected systems:
    >
    > - Fedora Core 4 (stable,maybe the following (not tested): testing 1, testing
    > 2, testing 3)
    >
    > Vendor notified:
    >
    >
    > Redhat Systems notified but did not publish fix

    To my knowledge the Red Hat Security Response Team received no notification
    of this issue. Please feel free to send all security related information
    to security@redhat.com.

    The bug the attached exploit tries to leverage has been assigned the name
    CAN-2004-1235 by MITRE and to my knowledge has been fixed in the 2.6.11
    kernel. Since Fedora Core 4 contains a variant of the 2.6.11 kernel it
    should not be affected. I did compile then run the exploit with no
    success. If an aspect of this bug has not been correctly fixed, please
    feel free to contact the Red Hat Security Response Team at the above
    address.

    Thanks, Josh

    -- 
    Josh Bressers // Red Hat Security Response Team
    

  • Next message: Advisories_at_eeye.com: "eEye Advisory - EEYEB-200505 - RealPlayer AVI Processing Overflow"

    Relevant Pages