Forgot your password?
typodupeerror
Security Linux

Exploits Emerge For Linux Privilege Escalation Flaw 176

Posted by samzenpus
from the protect-ya-neck dept.
angry tapir writes "Linux vendors are rushing to patch a privilege escalation vulnerability in the Linux kernel that can be exploited by local attackers to gain root access on the system. The vulnerability, which is identified as CVE-2012-0056, was discovered by Jüri Aedla and is caused by a failure of the Linux kernel to properly restrict access to the '/proc//mem' file."
This discussion has been archived. No new comments can be posted.

Exploits Emerge For Linux Privilege Escalation Flaw

Comments Filter:
  • Re:Local exploit? (Score:5, Informative)

    by Lumpio- (986581) on Wednesday January 25, 2012 @07:12PM (#38823483)
    A weak SSH user account/PHP script/whatever + local privilege escalation = instant remote root
  • Link to more info (Score:5, Informative)

    by milbournosphere (1273186) on Wednesday January 25, 2012 @07:15PM (#38823511)
    It's a geekier breakdown, but is quite informative.

    http://blog.zx2c4.com/749

    Gets into the memory specifics of the bug. I found it to be far better than the actual article.

  • Re:Hrrm (Score:5, Informative)

    by Anonymous Coward on Wednesday January 25, 2012 @07:41PM (#38823747)
    I was with you up until Rule #3 which is nonsense.
  • by Trogre (513942) on Wednesday January 25, 2012 @07:43PM (#38823769) Homepage

    Since this bug was introduced in Linux 2.6.39 Debian Stable (squeeze, Linux 2.6.32) is not affected. Unstable(sid, Linux 3.1) has already been patched, though Testing (wheezy) is still vulnerable.

    More information here [debian.org]

  • Simple explanation (Score:5, Informative)

    by Chemisor (97276) on Wednesday January 25, 2012 @08:49PM (#38824241)

    There is /proc/pid/mem, a pseudofile referring to the memory of process pid. It has 0600 permissions so you can't write to the memory of other users' processes. The bug occurs when you exec an suid executable and the kernel does not change open fds for /proc/pid/mem. This way, you can open mem, dup it to stderr, and exec su with a garbage parameter. su will duly print an error, quoting the offending parameter, writing to its process memory. With a properly selected shellcode you can get root.

  • by bfree (113420) on Wednesday January 25, 2012 @09:32PM (#38824513)
    Really? This bug was only present in kernel releases 2.6.39 and newer. Do any Android devices use kernel's based on a Linux this current? A quick search says Android 2.3. used 2.6.35 and 3.0 used 2.6.36 so the number of devices this might possibly help you root looks miniscule.
  • by slack_justyb (862874) on Thursday January 26, 2012 @12:57AM (#38825545)
    Someone has already beaten every one else to the punch. [github.com]

    However, you need Ice Cream Sandwich and you will need access to a disassembler. Also, you cannot use this exploit for "one-click" root access as the only program that is in the Android stack that runs setuid root, is run-as. That command is statically linked so you will still need adb access so that you can disassemble the program to find it's exit call.

    So there is still a fair amount of work left to be done to make this an exploit that can be used in the "wild" for Android devices. However, as a fair note. A little crowd sourcing to compile a list of offsets for different devices could greatly speed up the process. I'm actually curious if Google will patch this in there kernel.
  • What'd "//" be ? (Score:5, Informative)

    by aglider (2435074) on Thursday January 26, 2012 @03:48AM (#38826219) Homepage

    /proc//mem

    is the very wrong quotation!
    The original source [techworld.com.au] quotes instead:

    /proc/<pid>/mem

    which is the memory as seen by a certain process whose PID is <pid>.
    Moreover, there's no "/proc/mem" file and the "//" whould be interpreted as "/".
    But maybe that'd be just the Slashdot editor.

The sooner you fall behind, the more time you have to catch up.

Working...