Re: GNU gcc vuln. < 3.4.3 local root (.php)

[Christian <evilninja () gmx net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew Farmer schrieb:
> Old "vulnerability". Equivalent to:
>
> > > /* fake_vuln.c */
> > > int getuid(void) { return 0; }
> > > int geteuid(void) { return 0; }
> > > int getgid(void) { return 0; }
> >
> >
> > sh % gcc -shared fake_vuln.c -o fake_vuln.so
> > sh % LD_PRELOAD=`pwd`/fake_vuln.so /bin/sh
> > sh # id
> > uid=0(root) gid=0(root) <etc etc etc>
> > sh # cat /etc/shadow
> > cat: /etc/shadow: Permission denied

there is even a package in my linux-distribution for this, called "fakeroot":

evil@sheep:~$ fakeroot
root@sheep:~# whoami
root

- --
BOFH excuse #38:

secretary plugged hairdryer into UPS
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB7I2nC/PVm5+NVoYRAo+VAJ46m6C9v61ukMCq8p525h8CxNrGcQCfbqbO
uNmpG/WGygmCtHgGq/fHX48=
=0/7e
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html