Dave Jones has continued his system call fuzzing
experiments and has found some more interesting kernel holes. "One of the things the fuzzer does is to pass random file descriptors to syscalls that expect them. At first, it generated a few itself on startup by creating a bunch of files. I changed this to open any files that were readable/writable from sysfs, procfs and /dev. It prints out what it managed to open on startup. I immediately noticed something that stood out like a sore thumb.
/sys/kernel/debug/acpi/custom_method was world writable. As this file allows a user to upload new ACPI tables to the kernel, this is a fairly obvious local root. Thankfully debugfs isn't mounted by default on most systems."
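The startup check the fuzzer performed (enumerate what an unprivileged user can open for writing under sysfs, procfs and /dev) doubles as a defender's audit. The following is an added example, not Dave Jones's fuzzer code; the directory list, the pruning of per-process /proc entries and the /proc/mounts parsing are assumptions for illustration.

```python
import os
import stat
from typing import Iterable, List

# Hypothetical audit helper (added example, not the fuzzer's code): report
# filesystem entries under the given roots that any local user may write to,
# and check whether debugfs is mounted at all.
DEFAULT_ROOTS = ("/sys", "/proc", "/dev")


def is_world_writable(mode: int) -> bool:
    """True if the 'other' write bit is set in a stat() mode value."""
    return bool(mode & stat.S_IWOTH)


def world_writable_files(roots: Iterable[str] = DEFAULT_ROOTS) -> List[str]:
    """Return sorted paths under *roots* that are world-writable.

    Symlinks are examined with lstat() and skipped, so /proc/self-style links
    are never followed; per-process /proc/<pid> trees are pruned because
    their permissions are synthetic and dominated by the owning process.
    """
    found: List[str] = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath == "/proc":
                dirnames[:] = [d for d in dirnames if not d.isdigit()]
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:  # vanished or unreadable entry; ignore
                    continue
                if stat.S_ISLNK(st.st_mode):
                    continue
                if is_world_writable(st.st_mode):
                    found.append(path)
    return sorted(found)


def debugfs_mounted(mounts_text: str) -> bool:
    """Parse /proc/mounts-style text: field 3 is the filesystem type."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "debugfs":
            return True
    return False


if __name__ == "__main__":
    with open("/proc/mounts") as f:
        print("debugfs mounted:", debugfs_mounted(f.read()))
    for p in world_writable_files():
        print("world-writable:", p)
```

Entries such as /dev/null are expected to be world-writable; the interesting hits are the ones under /sys and /sys/kernel/debug, where a writable attribute is a kernel interface rather than a device.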