Re: Linux kernel ELF core dump privilege elevation

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Linux kernel ELF core dump privilege elevation
From: Bruno Lustosa <bruno.lists@xxxxxxxxx>
Date: Wed, 11 May 2005 16:34:58 -0300
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=PniZvZ8k2IiY//WW06LhDcBVqGStVXtMnaYjbPFsLZJQEII7qeVbOlBe4pzPxuOc0ZdIMrqYxpUUxI205Gl5FavcaAnayuQy5852K01/7XTgYCoZ63oFE4ihDX5n0WHHsNypLdy+XZpUnBSP1gxPnsT+GoJ376KlgXQbdwquxkY=
In-reply-to: <Pine.LNX.4.44.0505101615410.1618-100000@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.44.0505101615410.1618-100000@xxxxxxx>
Reply-to: Bruno Lustosa <bruno.lists@xxxxxxxxx>

On 5/11/05, Paul Starzetz <ihaquer@xxxxxxx> wrote:
> since it became clear from the discussion in January about the uselib()
> vulnerability, that the Linux community prefers full, non-embargoed
> disclosure of kernel bugs, I release full details right now. However to
> follows at least some of the responsable disclosure rules, no exploit code 
> will be
> released. Instead, only a proof-of-concept code is released to demonstrate
> the vulnerability.

Paul, I was unable to make it work on my amd64.
Running Gentoo on kernel 2.6.11.
This was the output:

[+] Compiling...elfcd1.c: In function `main':
elfcd1.c:48: warning: implicit declaration of function `strlen'
elfcd1.c:54: warning: implicit declaration of function `memset'
elfcd1.c:60: warning: implicit declaration of function `strcmp'
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld:
warning: i386:x86-64 architecture of input file `/tmp/ccSCdKeo.o' is
incompatible with i386 output

[+] ./elfcd1 argv_start=0x7ffffffff451 argv_end=0x7ffffffff459  ESP: 0xfffff0e0
[+] phase 1
[+] AAAA argv_start=0x7fffffff6fea argv_end=0x7fffffff6fee  ESP: 0xffff6de0
[+] phase 2, <RET> to crash Segmentation fault (core dumped)

-- 
Bruno Lustosa, aka Lofofora          | Email: bruno@xxxxxxxxxxx
Network Administrator/Web Programmer | ICQ: 1406477
Rio de Janeiro - Brazil              |

Follow-Ups:
- Re: Linux kernel ELF core dump privilege elevation
  - From: codeQ

References:
- Linux kernel ELF core dump privilege elevation
  - From: Paul Starzetz

Prev by Date: Ethereal <= 0.10.10 SIP dissector stack overflow DoS exploit
Next by Date: Re: Authentication bypass, sql injections and xss in ArticleLive 2005
Previous by thread: Linux kernel ELF core dump privilege elevation
Next by thread: Re: Linux kernel ELF core dump privilege elevation
Index(es):
- Date
- Thread