Full Disclosure mailing list archives
Re: CAN-2004-1073 not fixed
From: Martin Pitt <martin.pitt () canonical com>
Date: Wed, 30 Mar 2005 11:21:35 +0200
Hi!

Santosh Eraniose [2005-03-29 16:39 +0530]:
> On executing the PoC on 2.4.29 and 2.6.11 kernel we initially get no core dump. The following code, introduced to fix another bug, caused the loading of the interpreter to fail. [...] With this change, on executing the PoC on 2.4.29 and 2.6.11, the core dump contains the suid executable. We used the strings command to check if the strings in the suid are present in the core. So we find that the vulnerability of reading non-readable binaries exists in the latest kernel and the vendor-provided patch for CAN-2004-1073 does not fix this vulnerability.
Confirmed. I tried this on a security-patched 2.6.8.1 (Ubuntu 4.10) and 2.6.10 (Ubuntu 5.04) kernel. With the modified PoC I was able to read a setuid binary with 4701 permissions on all kernels.

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org
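As an added defender's check, not code from this thread: a POSIX sh audit that lists the setuid binaries this bug class matters for (setuid but not world-readable, like the 4701 binary in the reply) and reports the kernel's fs.suid_dumpable value where the kernel exposes it. The --scan flag and the function names are this example's own.

```shell
#!/bin/sh
# Added audit helper, not part of the original thread. It inventories the
# files this bug class matters for: setuid binaries that are not readable by
# "other", such as the 4701 binary mentioned in the reply. A world-readable
# setuid binary can be read anyway; an execute-only one is what a core dump
# of a failed setuid exec would leak.

# Return 0 when MODE (octal, e.g. 4701 or 04701) has the setuid bit set and
# no read permission for "other".
setuid_not_world_readable() {
    m=$(( 0$1 ))                      # leading 0 forces octal interpretation
    if [ $(( m & 04000 )) -ne 0 ] && [ $(( m & 0004 )) -eq 0 ]; then
        return 0
    fi
    return 1
}

# Print every regular file under DIR (default /) that is setuid and not
# readable by "other", staying on one filesystem. Directories this user
# cannot read are skipped silently.
list_exposed_setuid() {
    dir=${1:-/}
    find "$dir" -xdev -type f -perm -4000 ! -perm -0004 2>/dev/null
}

# Report whether the kernel allows core dumps of setuid processes.
# fs.suid_dumpable only exists on kernels newer than the 2.4/2.6.11 ones in
# the thread; a value of 0 means such processes are never dumped.
suid_dumpable_setting() {
    if [ -r /proc/sys/fs/suid_dumpable ]; then
        cat /proc/sys/fs/suid_dumpable
    else
        echo "n/a"
    fi
}

# Usage: sh audit.sh --scan [DIR]
if [ "${1:-}" = "--scan" ]; then
    echo "fs.suid_dumpable: $(suid_dumpable_setting)"
    echo "setuid binaries not readable by other:"
    list_exposed_setuid "${2:-/}"
fi
```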
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/