Bugtraq mailing list archives
Re: local root on linux 2.2.15
From: typo () SCENE AT (Firstname Lastname)
Date: Thu, 15 Jun 2000 22:25:17 +0200
On Thu, Jun 15, 2000 at 10:44:07AM -0500, Peter da Silva wrote:
> This isn't as bad as a buffer overflow on stack,
> because it's almost impossible to exploit for anything but
> a DOS attack, but it's easy to avoid:
>
>     header = malloc(sizeof (cap_user_header_t) );
>     data = malloc(sizeof (cap_user_data_t) );

nope. both sizeof()'s will always return 4 (on 32 bit architectures).
(see /usr/include/linux/capability.h:

    typedef struct __user_cap_header_struct {
            __u32 version;
            int pid;
    } *cap_user_header_t;

    typedef struct __user_cap_data_struct {
            __u32 effective;
            __u32 permitted;
            __u32 inheritable;
    } *cap_user_data_t;
)

use this instead:

    header = malloc(sizeof (struct __user_cap_header_struct) );
    data = malloc(sizeof (struct __user_cap_data_struct) );

> I don't have a recent Linux box to check, but isn't this a system call?

yup

    #define __NR_capget 184
    #define __NR_capset 185

ciao,
typo
--
so much entropy, so little time
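
The size mismatch discussed in the message above, as an added example that is not part of the original post: the two struct layouts are copied locally under hypothetical `_ex` names, and the helper function names are assumptions. It also covers 64-bit targets, where the header struct happens to be the same size as a pointer but the data struct is still larger than one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Local copies of the two declarations quoted in the post. The _ex names
 * are hypothetical, chosen so nothing clashes with <linux/capability.h>. */
typedef struct user_cap_header_ex {
    uint32_t version;
    int pid;
} *cap_user_header_ex_t;

typedef struct user_cap_data_ex {
    uint32_t effective;
    uint32_t permitted;
    uint32_t inheritable;
} *cap_user_data_ex_t;

/* Bytes by which malloc(sizeof(<pointer typedef>)) undersizes the buffer.
 * A positive result means writes to the later fields land out of bounds. */
long header_shortfall(void)
{
    return (long)sizeof(struct user_cap_header_ex)
         - (long)sizeof(cap_user_header_ex_t);
}

long data_shortfall(void)
{
    return (long)sizeof(struct user_cap_data_ex)
         - (long)sizeof(cap_user_data_ex_t);
}

/* sizeof *ptr follows the pointed-to type, so it stays correct even when
 * a typedef hides the fact that the name is a pointer. */
cap_user_header_ex_t alloc_header(void)
{
    cap_user_header_ex_t h = calloc(1, sizeof *h);
    return h;
}

cap_user_data_ex_t alloc_data(void)
{
    cap_user_data_ex_t d = calloc(1, sizeof *d);
    return d;
}

int main(void)
{
    printf("shortfall: header %ld, data %ld bytes\n",
           header_shortfall(), data_shortfall());
    return 0;
}
```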
