Full Disclosure mailing list archives

Re: CAN-2004-1073 not fixed


From: Martin Pitt <martin.pitt () canonical com>
Date: Wed, 30 Mar 2005 11:21:35 +0200

Hi!

Santosh Eraniose [2005-03-29 16:39 +0530]:
On executing the PoC on 2.4.29 and 2.6.11 kernel we initially get
no core dump. The following code, introduced to fix another bug, caused
the loading of the interpreter to fail.
[...]
With this change, on executing the PoC on 2.4.29 and 2.6.11,
the core dump contains the suid executable.
We used the strings command to check if the strings in the suid
are present in the core.

So we find that the vulnerability of reading non-readable
binaries exists in the latest kernel and the vendor-provided patch
for CAN-2004-1073 does not fix this vulnerability.

Confirmed.

I tried this on a security-patched 2.6.8.1 (Ubuntu 4.10) and 2.6.10
(Ubuntu 5.04) kernel. With the modified PoC I was able to read a
setuid binary with 4701 permissions on all kernels.

Martin
-- 
Martin Pitt               http://www.piware.de
Ubuntu Developer    http://www.ubuntulinux.org
Debian Developer         http://www.debian.org


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
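The strings(1) comparison the report above uses to decide whether a core file contains the setuid binary can be turned into a repeatable regression check for the fix. The script below is an added example, not code from this thread or from any kernel patch: it reimplements the strings extraction in Python and reports which of the binary's strings appear verbatim in a core file. The embedded sample bytes are constructed, and the command-line paths are assumptions.

```python
import re
import sys

MIN_LEN = 8  # like `strings -n 8`; longer runs make chance matches unlikely


def printable_strings(data: bytes, min_len: int = MIN_LEN) -> set:
    """Extract runs of printable ASCII, the way strings(1) does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def leaked_fraction(binary: bytes, core: bytes, min_len: int = MIN_LEN):
    """Return (fraction, leaked) for the binary's strings found in the core.

    A core dump of a non-readable setuid program should not carry that
    program's own text; a high fraction means the dump exposes it.
    """
    wanted = printable_strings(binary, min_len)
    if not wanted:
        return 0.0, set()
    leaked = {s for s in wanted if s.encode("ascii") in core}
    return len(leaked) / len(wanted), leaked


def core_leaks_binary(binary: bytes, core: bytes, threshold: float = 0.5) -> bool:
    """True when at least `threshold` of the binary's strings are in the core."""
    fraction, _ = leaked_fraction(binary, core)
    return fraction >= threshold


# Constructed sample data: a fake setuid helper and two fake core files.
SAMPLE_SUID = (b"\x7fELF" + b"\x00" * 16
               + b"/usr/lib/setuid-helper\x00"
               + b"secret_config_path=/etc/helper.conf\x00\x01\x02")
SAMPLE_CORE_CLEAN = b"CORE" + b"\x00" * 64 + b"stack garbage here\x00"
SAMPLE_CORE_LEAKY = (SAMPLE_CORE_CLEAN + b"/usr/lib/setuid-helper\x00"
                     + b"secret_config_path=/etc/helper.conf\x00")


if __name__ == "__main__":
    # Usage (assumed paths): python check_core.py /path/to/suid-binary /path/to/core
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            frac, leaked = leaked_fraction(f.read(), g.read())
        print("%.0f%% of binary strings found in core" % (frac * 100))
        for s in sorted(leaked)[:20]:
            print("  ", s)
    else:
        print("clean core leaks:", core_leaks_binary(SAMPLE_SUID, SAMPLE_CORE_CLEAN))
        print("leaky core leaks:", core_leaks_binary(SAMPLE_SUID, SAMPLE_CORE_LEAKY))
```

Run it against the real binary and the core produced by the PoC before and after applying a kernel fix; the fraction should drop to zero once the fix is effective.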
