oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2014-4699: Linux ptrace bug

From: Solar Designer <solar () openwall com>
Date: Sun, 6 Jul 2014 00:36:27 +0400
On Sat, Jul 05, 2014 at 10:25:50PM +0200, Yves-Alexis Perez wrote:

On dim., 2014-07-06 at 00:20 +0400, Solar Designer wrote:

On Sat, Jul 05, 2014 at 09:58:15PM +0200, Yves-Alexis Perez wrote:

And the system is usable after that.


Yet both are vulnerable, with privilege escalation likely possible.


Yes, sorry if my initial answer was suggesting the kernels were not
vulnerable.


No, I was just clarifying for others.  You do actually have all kernels
listed as vulnerable here:

https://security-tracker.debian.org/tracker/CVE-2014-4699


It was just that we didn't managed to make them crash on the
few boxes we tried on.


I think the "Kernel panic - not syncing: Machine halted" is actually
unexpected.  The PoC isn't meant to crash the machine, although as we've
seen it might.  It's meant to test whether the issue is triggerable, and
if it is we should assume that a real exploit may do more (including
both DoS and privilege escalation).

Alexander
Previous By Date Next
Previous By Thread Next

Current thread: