[15378] in bugtraq
Re: local root on linux 2.2.15
daemon@ATHENA.MIT.EDU (Firstname Lastname)
Fri Jun 16 15:27:49 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000615222516.A20333@boehm.org>
Date: Thu, 15 Jun 2000 22:25:17 +0200
Reply-To: typo@SCENE.AT
From: Firstname Lastname <typo@SCENE.AT>
X-To: Peter da Silva <peter@SCARYDEVIL.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200006151544.KAA0000009515@grendel.eng.baileynm.com>
On Thu, Jun 15, 2000 at 10:44:07AM -0500, Peter da Silva wrote:
> This isn't as bad as a buffer overflow on stack,
> because it's almost impossible to exploit for anything but
> a DOS attack, but it's easy to avoid:
>
> header = malloc(sizeof (cap_user_header_t) );
> data = malloc(sizeof (cap_user_data_t) );
Nope. Both sizeof()'s will always return 4 (on 32-bit architectures).
(See /usr/include/linux/capability.h:
typedef struct __user_cap_header_struct {
        __u32 version;
        int pid;
} *cap_user_header_t;
typedef struct __user_cap_data_struct {
        __u32 effective;
        __u32 permitted;
        __u32 inheritable;
} *cap_user_data_t;
)
Use this instead:
header = malloc(sizeof (struct __user_cap_header_struct) );
data = malloc(sizeof (struct __user_cap_data_struct) );
> I don't have a recent Linux box to check, but isn't this a system call?
yup
#define __NR_capget 184
#define __NR_capset 185
ciao,
typo
--
so much entropy, so little time
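An added example, not part of the mail and not the kernel's own code, that makes the sizeof mistake discussed above measurable: the struct typedefs are replicated inline (with uint32_t standing in for __u32, so no kernel headers are needed), the buggy and correct request sizes are returned by named functions, and the allocators use `sizeof *p`, which always measures the pointed-to object rather than the typedef name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed replicas of the two typedefs quoted from
 * /usr/include/linux/capability.h in the mail; __u32 is mapped to
 * uint32_t here so the example builds without kernel headers. */
typedef uint32_t __u32;
typedef struct __user_cap_header_struct {
    __u32 version;
    int pid;
} *cap_user_header_t;
typedef struct __user_cap_data_struct {
    __u32 effective;
    __u32 permitted;
    __u32 inheritable;
} *cap_user_data_t;

/* What the quoted malloc() calls actually request: the typedef names
 * are pointer types, so sizeof yields the size of a pointer. */
size_t buggy_header_alloc_size(void) { return sizeof (cap_user_header_t); }
size_t buggy_data_alloc_size(void)   { return sizeof (cap_user_data_t); }

/* What the structs really need. */
size_t correct_header_alloc_size(void) { return sizeof (struct __user_cap_header_struct); }
size_t correct_data_alloc_size(void)   { return sizeof (struct __user_cap_data_struct); }

/* Allocate zeroed objects with sizeof on *p, the pointed-to struct; this
 * stays correct even if the typedef changes, and cannot undersize. */
cap_user_header_t new_cap_header(__u32 version, int pid)
{
    cap_user_header_t h = calloc(1, sizeof *h);
    if (h) { h->version = version; h->pid = pid; }
    return h;            /* NULL on allocation failure */
}
cap_user_data_t new_cap_data(void)
{
    return calloc(1, sizeof *(cap_user_data_t)0);
}

int main(void)
{
    printf("header: buggy %zu bytes, needed %zu\n",
           buggy_header_alloc_size(), correct_header_alloc_size());
    printf("data:   buggy %zu bytes, needed %zu\n",
           buggy_data_alloc_size(), correct_data_alloc_size());
    cap_user_header_t h = new_cap_header(0, 0);
    cap_user_data_t d = new_cap_data();
    free(h); free(d);
    return 0;
}
```

On a 64-bit build the header struct happens to be pointer-sized, so only the data block is visibly undersized there; on 32-bit both allocations are short, as the mail states.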