Security

  • Linux kernel 0day - dynamite inside,don't burn your fingers


    On Fri, 14 Jul 2006 21:35:17 +0100 (BST), "Joanna R." <h00ly**** (AT) yahoo (DOT) ie> wrote:
    > Hello,
    > attached 0day kernel 2.6 local root exploit. This is a new genuine
    > bug, unpatched in 2.6.17.4 - don't get confused by prctl inside - it
    > is only used to change process status.
    > The code exploits a root race in /proc
    > have a nice day.

    Seg faults on my slackware 2.6.17.4 system

    James

    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
  • No.1 | | 808 bytes | |


    On Fri, Jul 14, 2006 at 09:35:17PM +0100, Joanna R. wrote:
    > Hello,
    >
    > attached 0day kernel 2.6 local root exploit. This is a new genuine bug,
    > unpatched in 2.6.17.4 - don't get confused by prctl inside - it is only used to
    > change process status.
    >
    > The code exploits a root race in /proc
    >
    > have a nice day.

    "failed: Exec format error" on CS 4.3 (with updates)

    --
    Rodrigo Barbosa
    "Quid quid Latine dictum sit, altum viditur"
    "Be excellent to each other " - Bill & Ted (Wyld Stallyns)

  • No.2 | | 495 bytes | |

    Hello,

    attached 0day kernel 2.6 local root exploit. This is a new genuine bug, unpatched in 2.6.17.4 - don't get confused by prctl inside - it is only used to change process status.

    The code exploits a root race in /proc

    have a nice day.

  • No.3 | | 1028 bytes | |

    Hello,

    Joanna R. wrote:
    > Hello,
    >
    > attached 0day kernel 2.6 local root exploit. This is a new genuine
    > bug, unpatched in 2.6.17.4 - don't get confused by prctl inside - it
    > is only used to change process status.

    Tested on

    dan@n-box ~ $ uname -a
    Linux n-box 2.6.16-gentoo-r9 #1 Fri Jun 9 16:44:22 CEST 2006 i686
    Intel(R) Pentium(R) M processor 2.00GHz GNU/Linux

    dan@n-box ~ $ ./h00ly****

    preparing
    trying to exploit

    sh-3.1# id
    uid=0(root) gid=100(users) groups=7(lp),10(wheel),18(audio),27(video),35(games),81(apache),100(users),7353(svnusers)
    sh-3.1# whoami
    root
    sh-3.1#

    > The code exploits a root race in /proc

    So it does :)

    > have a nice day.

    But this means that I've gotta worry about more servers now! Dam it!

    And is there a workaround to protect against this attack?

    Cheers,
    Dan.

  • No.4 | | 1168 bytes | |

    Joanna R. wrote:
    > Hello,
    >
    > attached 0day kernel 2.6 local root exploit. This is a new genuine bug, unpatched in 2.6.17.4 - don't get confused by prctl inside - it is only used to change process status.
    >
    > The code exploits a root race in /proc
    >
    > have a nice day.

    Works here, at first I got a seg fault then I read into it a little

    me@my box:~$ id
    uid=1000(me) gid=1000(me) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),116(camera),1000(me)
    me@my box:~$ ./h00ly**** ./somefile

    preparing
    trying to exploit ./somefile

    sh-3.1# id
    uid=0(root) gid=1000(me) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),116(camera),1000(me)

    sh-3.1# uname -a
    Linux 2.6.16 #4 PREEMPT Fri May 26 12:16:11 PDT 2006 i686 GNU/Linux

  • No.5 | | 1518 bytes | |

    This doesn't work on Ubuntu 6.06 LTS.

    brian@ubuntu:~/tmp$ uname -a
    Linux ubuntu 2.6.15-26-386 #1 PREEMPT Fri Jul 7 19:27:00 UTC 2006 i686 GNU/Linux
    brian@ubuntu:~/tmp$ ./a.out /

    preparing
    trying to exploit /

    sh-3.1$ whoami
    brian

    On 7/14/06, I Rodriguez [ackstorm] <irodriguez (AT) ackstorm (DOT) es> wrote:
    > On Fri, 14-07-2006 at 23:55 +0200, Dan B wrote:
    > > Hello,
    > >
    > > Joanna R. wrote:
    > > > Hello,
    > > >
    > > > attached 0day kernel 2.6 local root exploit. This is a new genuine
    > > > bug, unpatched in 2.6.17.4 - don't get confused by prctl inside - it
    > > > is only used to change process status.
    >
    > Tested on 2.6.17.4 - it works
    >
    > > Tested on
    > >
    > > dan@n-box ~ $ uname -a
    > > Linux n-box 2.6.16-gentoo-r9 #1 Fri Jun 9 16:44:22 CEST 2006 i686
    > > Intel(R) Pentium(R) M processor 2.00GHz GNU/Linux
    > >
    > > dan@n-box ~ $ ./h00ly****
    > >
    > > preparing
    > > trying to exploit
    > >
    > > sh-3.1# id
    > > uid=0(root) gid=100(users) groups=7(lp),10(wheel),18(audio),27(video),35(games),81(apache),100(users),7353(svnusers)
    > > sh-3.1# whoami
    > > root
    > > sh-3.1#
    > >
    > > > The code exploits a root race in /proc
    > >
    > > So it does :)
    > >
    > > > have a nice day.
    > >
    > > But this means that I've gotta worry about more servers now! Dam it!
    > >
    > > And is there a workaround to protect against this attack?
    >
    > Mount /proc as nosuid.
    >
    > > Cheers,
    > > Dan.
    >
    > Greetings
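
A way to audit whether the workaround suggested in the last reply (mounting /proc with nosuid) is in place, and to print the commands that apply it. This is an added example, not part of the original thread; the function names and the sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "mount /proc as nosuid" workaround from the thread.
# Function names and sample data are constructed for illustration.

# Constructed mount-table samples in /proc/mounts format
# (device mountpoint fstype options dump pass); not captured from a real host.
SAMPLE_DEFAULT='proc /proc proc rw 0 0
/dev/sda1 / ext3 rw 0 0
proc /var/chroot/proc proc rw,nosuid 0 0'
SAMPLE_HARDENED='proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda1 / ext3 rw 0 0'

# List every procfs mount point that lacks the nosuid option.
# Reads a mounts-format file (default: the live /proc/mounts; "-" = stdin).
# Matching on the filesystem type also catches procfs mounted inside chroots.
proc_missing_nosuid() {
    awk '$3 == "proc" {
             n = split($4, opts, ",")
             ok = 0
             for (i = 1; i <= n; i++) if (opts[i] == "nosuid") ok = 1
             if (!ok) print $2
         }' "${1:-/proc/mounts}"
}

# Exit status: 0 = all procfs mounts are nosuid, 1 = at least one is not.
check_proc_nosuid() {
    missing=$(proc_missing_nosuid "${1:-/proc/mounts}") || return 2
    [ -z "$missing" ] && return 0
    echo "procfs mounted without nosuid at: $missing" >&2
    return 1
}

# Print (do not run) the commands that apply the workaround to one mount point:
# a live remount, plus the /etc/fstab entry that keeps it across reboots.
print_remediation() {
    echo "mount -o remount,nosuid $1"
    echo "proc $1 proc defaults,nosuid 0 0"
}
```

Calling `check_proc_nosuid` with no argument audits the running system; passing `/etc/fstab` checks that the option will persist after a reboot, since both files share the same field layout.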

