
Spengler: False Boundaries and Arbitrary Code Execution


Posted Jan 6, 2011 16:48 UTC (Thu) by nye (guest, #51576)
Parent article: Spengler: False Boundaries and Arbitrary Code Execution

Some of these capabilities seem so obviously and trivially equivalent to having uid 0 that I wonder if I'm missing something. For example, in what cases would CAP_SETUID or CAP_CHOWN be useful? Surely you may as well be running as root already.



Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 6, 2011 17:49 UTC (Thu) by unBrice (subscriber, #72229)

You might be inside a chroot-like and only have access to your own files on a filesystem mounted with nosuid,…

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 6, 2011 19:24 UTC (Thu) by spender (subscriber, #23067)

chroot doesn't matter: in 2002 I wrote in the French MISC magazine 11 ways to break out of a chroot jail. One of them applies here: chroot doesn't matter if you have CAP_SETUID, in fact CAP_SETUID is basically equivalent to CAP_SYS_PTRACE. If I can change to any UID, then I can effectively ptrace any process (including those running outside of the chroot), giving me full control of the host system.

-Brad
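
As a defender's check on the point made in this exchange, the following added example (not part of the original comments) decodes the capability masks in `/proc/<pid>/status` and flags non-root processes that still hold CAP_CHOWN, CAP_SETUID or CAP_SYS_PTRACE. The sample status texts and the helper names are constructed for illustration; the bit numbers come from `<linux/capability.h>`.

```python
import glob

# Bit numbers from <linux/capability.h> for the capabilities named in this thread.
THREAD_CAPS = {0: "CAP_CHOWN", 7: "CAP_SETUID", 19: "CAP_SYS_PTRACE"}

# Constructed samples in /proc/<pid>/status format (not captured from a real host).
SAMPLE_SETUID_DAEMON = (
    "Name:\tjailed-helper\nUid:\t1000\t1000\t1000\t1000\n"
    "CapPrm:\t0000000000000081\nCapEff:\t0000000000000080\n"
)
SAMPLE_BIND_ONLY = (
    "Name:\twebd\nUid:\t33\t33\t33\t33\n"
    "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
)

def parse_status(text):
    """Turn 'Key:\\tvalue' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def risky_caps(mask_hex):
    """Names of the thread's capabilities that are set in a hex mask."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(THREAD_CAPS.items()) if (mask >> bit) & 1]

def audit(status_text):
    f = parse_status(status_text)
    return {
        "name": f.get("Name", "?"),
        "euid": int(f["Uid"].split()[1]),  # order: real, effective, saved, fs
        "permitted": risky_caps(f.get("CapPrm", "0")),
        "effective": risky_caps(f.get("CapEff", "0")),
    }

def is_false_boundary(report):
    """Non-root UID, but a permitted capability the thread treats as root-equivalent."""
    return report["euid"] != 0 and bool(report["permitted"])

if __name__ == "__main__":
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                report = audit(fh.read())
        except (OSError, KeyError):
            continue  # process exited or status unreadable
        if is_false_boundary(report):
            print(path, report)
```

The permitted set is checked as well as the effective set because a process can raise any permitted capability into its effective set at will.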

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 7, 2011 8:23 UTC (Fri) by job (guest, #670)

Is this article online?

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 7, 2011 11:38 UTC (Fri) by Aissen (guest, #59976)

I found it here, but it's in French:
http://www.touslesreseaux.com/forum/index.php?showtopic=40

Funny, I think I might still have the magazine (Misc 9) in a box somewhere…

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 11, 2011 14:29 UTC (Tue) by job (guest, #670)

"Page non trouvée". (404)

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 11, 2011 14:52 UTC (Tue) by Aissen (guest, #59976)

Seems like I made someone remember about this installed forum, and the article in it by linking to it.

But webarchive still has it:
http://web.archive.org/web/20080609074507/http://www.tous...

Also, a quick pastebin of the text & html versions of the article:
http://pastebin.com/kjCqFnv1

