PaulDotCom mailing list archives

Privilege escalation with GNU ld dlopen


From: Xavier Garcia <xavi.garcia () gmail com>
Date: Fri, 5 Nov 2010 12:11:33 +0100

Hi guys,

I am trying to find some ways to gain root access by using the
vulnerability described in the advisory

http://marc.info/?l=full-disclosure&m=128776663124692&w=2

published by Tavis Ormandy.

The advisory states that Cron can be used to escalate privileges,
but Cron does not accept files that are writable by the group or
others, returning the error BAD FILE MODE.

I have been looking for alternative ways to gain root access, but
there are not many places where it is possible.

I have found that Upstart (http://en.wikipedia.org/wiki/Upstart)
does not check the permissions and happily reads the
configuration files every time it restarts. This means that we can
create a configuration file that will instruct Upstart to
drop a root shell :)


The down side is that we have to be patient and wait until the
computer is rebooted, or use some social engineering.


You can find more details at

http://www.shellguardians.com/2010/11/privilege-escalation-with-upstart-and.html


I hope this finding is interesting or useful for the list.

Regards,

Xavier Garcia

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
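
Added example, not part of the original post: a defender-side audit that applies the check the post attributes to cron (reject files writable by group or others) to directories a root daemon reads, such as Upstart's job directory. The /etc/init default, the function names and the trusted_uid parameter are assumptions of this example.

```python
import os
import stat
import sys

# Assumption: /etc/init is the Upstart job directory on the audited host.
DEFAULT_DIRS = ["/etc/init"]

def audit_file(path, trusted_uid=0):
    """Return the reasons a root-run daemon should refuse to trust `path`."""
    st = os.lstat(path)  # lstat: judge the entry itself, never a link target
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("owner uid %d != %d" % (st.st_uid, trusted_uid))
    if stat.S_ISLNK(st.st_mode):
        return problems  # symlink mode bits are meaningless on Linux
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def audit_tree(root, trusted_uid=0):
    """Audit every directory and file under `root`; map path -> problems."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        # The directory itself matters too: a writable directory lets
        # anyone drop a new job file into it.
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            problems = audit_file(path, trusted_uid)
            if problems:
                findings[path] = problems
    return findings

if __name__ == "__main__":
    status = 0
    for root in sys.argv[1:] or DEFAULT_DIRS:
        if not os.path.isdir(root):
            continue
        for path, problems in sorted(audit_tree(root).items()):
            print("%s: %s" % (path, ", ".join(problems)))
            status = 1
    sys.exit(status)  # non-zero exit when anything was flagged
```

Run it with the directories to audit as arguments; a flagged file under a job directory that no package owns is worth investigating before the next reboot.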