Re: linux procfs vulnerablity

["GroundZero Security" <fd () g-0 org>]

Hi !

i tested this bug and it is fact that indeed kernel memory can be leaked.
this leads to priviledge escalation as the encrypted root password is in there.
it could be cracked with john. in the log is more information that could lead
to a full system compromise. nice bug and not hard to code :-)

-sk
Http://www.groundzero-security.com

----- Original Message ----- 
From: "Karl Janmar" <karl () utopiafoundation org>
To: "coderman" <coderman () gmail com>
Cc: <full-disclosure () lists grok org uk>
Sent: Saturday, December 24, 2005 6:00 AM
Subject: Re: [Full-disclosure] linux procfs vulnerablity


> The arch is x86 and I ignore the rest of your comments, maybe you have to think 
> a little more?
>
> - karl
>
> coderman wrote:
> > On 12/23/05, Karl Janmar <karl () utopiafoundation org> wrote:
> >
> > > ...
> > > I have found one flaw in Linux procfs code that make the kernel disclose memory.
> >
> >
> > i'd love to see you exploit this! rly!
> >
> >
> >
> > > fs/proc/proc_misc.c:74
> > > ...
> > > if (len <= off+count) *eof = 1;
> > > ...
> > > off is a off_t and count is a int.
> >
> >
> > what arch?  on intel assign a s32 to int? the sky is falling...
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/