[15401] in bugtraq
Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities
daemon@ATHENA.MIT.EDU (Solar Designer)
Tue Jun 20 14:18:51 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <200006172318.DAA01731@false.com>
Date: Sun, 18 Jun 2000 03:18:26 +0400
Reply-To: Solar Designer <solar@FALSE.COM>
From: Solar Designer <solar@FALSE.COM>
X-To: ant9000@NETWISE.IT
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.04.10006151556130.836-100000@chomp.uff.netwise.it>
from Antonio Galea at "Jun 15, 0 05:26:17 pm"
Hello,
[ Disclaimer: I haven't tried any of the modules posted. ]
> > if(current->uid && !cap_raised(dataptr->inheritable, CAP_SETUID)) {
> I've tested this code against smlnx (posted a few days ago by Wojciech
> Purczynski): I got a suid shell and no logging was done.
I am assuming you ran the exploit as a non-root user.
> Adding a check before the 'if' shows that the current uid is 0... has this
> anything to do with the fact that capset is called within a shared library?
No.
It is likely that your kernel was built with SMP support, but you've
compiled the module without -D__SMP__. current is defined differently
for UP and SMP builds, so current->uid might have been referring to
something other than the UID, and it could have happened to be zero.
Just something to be aware of when doing hacks like this.
Signed,
Solar Designer
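The failure mode Solar Designer describes (a module compiled for one kernel configuration reading a task field through a layout the running kernel does not use) can be shown without a kernel. The following C program is a constructed illustration added here; it is not code from the post, from the smlnx module, or from Linux. The two struct layouts are hypothetical stand-ins for a UP and an SMP task structure and do not reproduce the real 2.4 `task_struct`; the only point they carry is that a build-time macro inserts a field before `uid`, so a module built without that macro reads a neighbouring field (here a zero-valued `processor` slot) and a guard of the form `if (current->uid && ...)` sees uid 0 for an ordinary user.

```c
/* Constructed example: a struct layout that depends on a build-time macro,
 * and what a module compiled for the other layout sees. Not the kernel's
 * real task_struct; the field names and order are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout the (hypothetical) SMP kernel was built with: an extra per-CPU
 * field sits before uid. */
struct task_smp {
    uint32_t state;
    uint32_t processor;   /* only present in the SMP build */
    uint32_t uid;
    uint32_t euid;
};

/* Layout a module compiled without the SMP macro assumes. */
struct task_up {
    uint32_t state;
    uint32_t uid;
    uint32_t euid;
};

/* Fill a constructed task record for an unprivileged process on CPU 0. */
static void make_task(struct task_smp *t, uint32_t uid) {
    memset(t, 0, sizeof *t);
    t->state = 1;
    t->processor = 0;
    t->uid = uid;
    t->euid = uid;
}

/* What `current->uid` evaluates to when the module reinterprets the
 * kernel's task memory through the UP layout (memcpy keeps this well-defined). */
uint32_t uid_seen_by_up_module(const struct task_smp *kernel_task) {
    struct task_up as_up;
    memcpy(&as_up, kernel_task, sizeof as_up);
    return as_up.uid;   /* lands on the SMP layout's `processor` field */
}

/* Matched build: the module uses the same layout as the kernel. */
uint32_t uid_seen_by_smp_module(const struct task_smp *kernel_task) {
    return kernel_task->uid;
}

/* Returns 1 if a guard like `if (current->uid && ...)` in the mismatched
 * module would treat a process with real_uid as root (uid == 0). */
int up_guard_thinks_root(uint32_t real_uid) {
    struct task_smp t;
    make_task(&t, real_uid);
    return uid_seen_by_up_module(&t) == 0;
}

int main(void) {
    struct task_smp t;
    make_task(&t, 1000);
    printf("matched build sees uid %u\n", uid_seen_by_smp_module(&t));
    printf("mismatched build sees uid %u\n", uid_seen_by_up_module(&t));
    printf("guard treats uid 1000 as root: %d\n", up_guard_thinks_root(1000));
    return 0;
}
```

The practical check this models is the one the reply gives: build the module against the configuration of the kernel it will be loaded into, SMP flag included, so that every `current->` dereference uses the offsets the running kernel actually laid out.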