Exploits Emerge For Linux Privilege Escalation Flaw 176
angry tapir writes "Linux vendors are rushing to patch a privilege escalation vulnerability in the Linux kernel that can be exploited by local attackers to gain root access on the system. The vulnerability, which is identified as CVE-2012-0056, was discovered by Jüri Aedla and is caused by a failure of the Linux kernel to properly restrict access to the '/proc//mem' file."
Re:Local exploit? (Score:5, Informative)
Link to more info (Score:5, Informative)
http://blog.zx2c4.com/749
Gets into the memory specifics of the bug. I found it to be far better than the actual article.
Re:Hrrm (Score:5, Informative)
Debian (mostly) not affected (Score:5, Informative)
Since this bug was introduced in Linux 2.6.39 Debian Stable (squeeze, Linux 2.6.32) is not affected. Unstable(sid, Linux 3.1) has already been patched, though Testing (wheezy) is still vulnerable.
More information here [debian.org]
Simple explanation (Score:5, Informative)
There is /proc/pid/mem, a pseudofile referring to the memory of process pid. It has 0600 permissions so you can't write to the memory of other users' processes. The bug occurs when you exec an suid executable and the kernel does not change open fds for /proc/pid/mem. This way, you can open mem, dup it to stderr, and exec su with a garbage parameter. su will duly print an error, quoting the offending parameter, writing to its process memory. With a properly selected shellcode you can get root.
Re:Broken on Android too (Score:4, Informative)
Re:Broken on Android too (Score:4, Informative)
However, you need Ice Cream Sandwich and you will need access to a disassembler. Also, you cannot use this exploit for "one-click" root access as the only program that is in the Android stack that runs setuid root, is run-as. That command is statically linked so you will still need adb access so that you can disassemble the program to find it's exit call.
So there is still a fair amount of work left to be done to make this an exploit that can be used in the "wild" for Android devices. However, as a fair note. A little crowd sourcing to compile a list of offsets for different devices could greatly speed up the process. I'm actually curious if Google will patch this in there kernel.
What'd "//" be ? (Score:5, Informative)
is the very wrong quotation!
The original source [techworld.com.au] quotes instead:
which is the memory as seen by a certain process whose PID is <pid>.
Moreover, there's no "/proc/mem" file and the "//" whould be interpreted as "/".
But maybe that'd be just the Slashdot editor.