
Interesting kernel exploit posted

Posted Dec 8, 2010 12:49 UTC (Wed) by zoobab (guest, #9945)
Parent article: Interesting kernel exploit posted

It works on an Ubuntu 10.10 Maverick machine:

user@machine# cat /proc/version
Linux version 2.6.35-22-generic (buildd@allspice) (gcc version 4.4.5 (Ubuntu/Linaro 4.4.4-14ubuntu4) ) #33-Ubuntu SMP Sun Sep 19 20:32:27 UTC 2010
user@machine# ./exploit
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xffffffffa0117520
[+] Resolved econet_ops to 0xffffffffa0117640
[+] Resolved commit_creds to 0xffffffff810863b0
[+] Resolved prepare_kernel_cred to 0xffffffff81086880
[*] Calculating target...
[*] Failed to set Econet address.
[*] Triggering payload...
[*] Got root!
# whoami
root
#



Interesting kernel exploit posted

Posted Dec 8, 2010 13:28 UTC (Wed) by charlieb (guest, #23340) [Link]

> user@machine# ./exploit

So you were root already when running this?

Interesting kernel exploit posted

Posted Dec 8, 2010 15:56 UTC (Wed) by SmittyBoy (guest, #65888) [Link] (3 responses)

[jack@Tecra sandbox]$ gcc exploit.c
[jack@Tecra sandbox]$ ls -ltrc
total 20
-rw-rw-r--. 1 jack jack 5064 Dec 8 16:52 exploit.c
-rwxrwxr-x. 1 jack jack 9344 Dec 8 16:52 a.out
[jack@RASMAS-Tecra sandbox]$ ./a.out
[*] Failed to open file descriptors.

*!*!*!* Didn't get root *!*!*!*

Interesting kernel exploit posted

Posted Dec 8, 2010 16:04 UTC (Wed) by ctg (guest, #3459) [Link] (2 responses)

You need the econet module loaded. Which is pretty obscure. Don't know if the same issue is in other, more common, modules...

Interesting kernel exploit posted

Posted Dec 8, 2010 16:08 UTC (Wed) by nelhage (subscriber, #59579) [Link]

You need the econet module loaded, but most kernels today (including, for instance, nearly all current Ubuntu kernels) will automatically load it if anyone, even an unprivileged user, attempts to create an AF_ECONET socket.
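An added check, my own example rather than anything posted in this thread: since socket creation alone is enough to pull the module in, a defender wants to confirm whether on-demand loading of econet has been neutralised with an "install econet /bin/true" line under modprobe.d, and whether the module is already resident. The script inspects a constructed modprobe.d directory and a constructed /proc/modules-style file so it runs offline; the file names and sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks two things for a module name:
#  1. is it currently loaded (parse a /proc/modules-style file)?
#  2. is kernel-triggered autoload neutralised by an "install <mod> /bin/true"
#     (or /bin/false) line in a modprobe.d directory?
# Only the "install" directive is checked; a bare "blacklist" line is not
# treated as sufficient because it is not what this check is about.

# autoload_blocked MOD DIR -> 0 if DIR/*.conf binds MOD to /bin/true|/bin/false
autoload_blocked() {
    mod="$1"; dir="$2"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # drop comments first so a commented-out directive does not count
        if sed 's/#.*//' "$f" | grep -Eq \
            "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(true|false)([[:space:]]|$)"; then
            return 0
        fi
    done
    return 1
}

# module_loaded MOD FILE -> 0 if FILE (format of /proc/modules) lists MOD
module_loaded() {
    grep -Eq "^$1[[:space:]]" "$2"
}

# Constructed sample data (assumed names and contents), left in place so the
# functions can be re-run against it; on a live host you would pass
# /etc/modprobe.d and /proc/modules instead.
demo_dir=$(mktemp -d)
printf '# local hardening\ninstall econet /bin/true\n' > "$demo_dir/blacklist-rare-network.conf"
printf 'blacklist pcspkr\n' > "$demo_dir/other.conf"
printf 'usbhid 40960 0 - Live 0x0000000000000000\n' > "$demo_dir/proc_modules"

for m in econet pcspkr usbhid; do
    if module_loaded "$m" "$demo_dir/proc_modules"; then
        echo "$m: loaded"
    elif autoload_blocked "$m" "$demo_dir"; then
        echo "$m: not loaded, autoload blocked via install directive"
    else
        echo "$m: not loaded, autoload NOT blocked"
    fi
done
```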

Interesting kernel exploit posted

Posted Dec 8, 2010 17:18 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

The POC as it stands is enough to demonstrate this problem and hopefully get it fixed promptly. Altering it to use other bugs in more widespread code, while undoubtedly possible, is beside the point unless you're a black hat.

Interesting kernel exploit posted

Posted Dec 9, 2010 5:02 UTC (Thu) by waltercool (guest, #51256) [Link]

I can't reproduce it...

I just get

[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xfc62fba4
[+] Resolved commit_creds to 0xc104356c
[+] Resolved prepare_kernel_cred to 0xc1043879
[*] Failed to resolve kernel symbols.

Using a custom gentoo kernel 2.6.36-r3


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds