Re: Linux kernel exploit
- From: Stefan Roas <sroas@xxxxxxxxx>
- Date: Mon, 13 Dec 2010 23:00:43 +0100
On Fri Dec 10, 2010 at 17:52:37, Wolf wrote:
> Well, I'm a first time writer to Bugtraq, but this is interesting. I
> commented out the call to clone(), and after it simply called
> trigger(fildes), and apparently, it works. Only tested on a stock
> install of Ubuntu 10.10, but I thought the bug was in clone()?
No, the bug is the missing check on the address overwritten in the do_exit() path,
which might offer the chance to overwrite an arbitrary memory location. The
clone() call in the supplied PoC just made sure do_exit() actually accesses
the memory when clearing the child TID (via CLONE_CHILD_CLEARTID). So if
your running process, for whatever reason, also had CLONE_CHILD_CLEARTID set, it would
trigger the problem as well.
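The mechanism Stefan describes, shown as an added example that is not part of the thread or of the posted PoC: a child created with CLONE_VM | CLONE_CHILD_CLEARTID shares our address space and names a user-chosen word (`slot` here, a name assumed for this demo) as its child-TID location. When that child exits, the kernel's exit path, not any user code, stores a zero through that pointer. The demo only ever points the kernel at a legitimate user variable; the bug under discussion was that the exit path did not validate where that pointer led. The function and variable names are ours; the code assumes Linux with glibc's clone() wrapper.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallback definitions in case the headers were pulled in without
 * _GNU_SOURCE; values match <linux/sched.h>. */
#ifndef CLONE_VM
#define CLONE_VM 0x00000100
#endif
#ifndef CLONE_CHILD_CLEARTID
#define CLONE_CHILD_CLEARTID 0x00200000
#endif

/* glibc's clone(2) wrapper; the trailing varargs are ptid, tls, ctid. */
extern int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* The child does nothing. The write we are interested in happens in the
 * kernel's exit path (do_exit -> exit_mm -> mm_release), not here. */
static int child_fn(void *arg)
{
    (void)arg;
    return 0;
}

/* Point CLONE_CHILD_CLEARTID at *slot, let the child exit, and return the
 * value the slot holds afterwards: 0 if the kernel cleared it, the original
 * sentinel if it did not, -1 if clone()/waitpid() failed.
 * Demo helper, not from the original post. */
int run_cleartid_demo(int *slot)
{
    enum { STACK_SIZE = 64 * 1024 };
    char *stack = malloc(STACK_SIZE);
    if (stack == NULL)
        return -1;

    /* SIGCHLD so the parent can waitpid(); CLONE_VM so the child shares
     * our mm and the kernel actually performs the clear on exit (it is
     * skipped when the exiting task is the mm's only user). */
    int flags = CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD;
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags,
                      NULL, NULL, NULL, (pid_t *)slot);
    if (pid < 0) {
        free(stack);
        return -1;
    }
    if (waitpid(pid, NULL, 0) < 0) {
        free(stack);
        return -1;
    }
    free(stack);          /* child has exited; its stack is no longer in use */
    return *slot;
}

int main(void)
{
    int slot = 0x41414141; /* sentinel, constructed for the demo */
    int before = slot;
    int after = run_cleartid_demo(&slot);
    printf("slot before child exit: 0x%08x\n", before);
    printf("slot after  child exit: 0x%08x\n", after);
    return after == 0 ? 0 : 1;
}
```

Nothing in user space ever writes to `slot`; the zero appears because do_exit() honours the child-TID pointer handed over at clone() time. A single-threaded process that has called set_tid_address(2) carries the same pointer, which is why Stefan notes that CLONE_CHILD_CLEARTID, not clone() itself, is what drags the exit path into the bug.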