Slackware forum, LinuxQuestions.org: This forum is for the discussion of Slackware Linux.
I'm asking about that exploit that was publicized a couple of weeks ago. Affects the current Slackware kernel (2.4.28). Allows a local user to get root with ease. Tried it myself. Sure enough, compile this dopey little C program, run it as unprivileged, and get dumped to root.
Exploit details:[REMOVED BY jlangelier because it works (on my box, anyway) and it's not patched (for slackware) and I don't think the admins want links to exploits. I'll put it back if an admin says I can]
I understand there are patches for some distros. Will these work on the kernels Patrick has compiled? Or is there another reliable source for compiled kernels which are recommended for Slackware?
I know, I can always compile my own. This exploit has inspired me to learn how. I'm still working on it, with less than 100% success. In the meantime, I'm looking for a canned solution.
Thanks in advance.
Last edited by jlangelier; 01-13-2005 at 07:13 PM.
Mmmh, it seems that /dev/shm is owned by root, so to successfully run the exploit that would give me root privilege, I have to know the root password to change /dev/shm permissions? All right... let's do that.
I changed /dev/shm in the code to one of my home directories to get it to run.
[LINKS TO ARTICLES ON THE EXPLOIT REMOVED BY jlangelier]
I find this exploit kind of disconcerting and surprising it has not been addressed by the slackware community other than requiring everybody to compile their own unofficial kernel. I don't believe I saw discussion here (and could not find it by searching for it), there was certainly no email from slackware security or from slackgus. I only learned about it on slashdot. Meanwhile the official kernel is still wide open for local users, as confirmed by myself and any number of others.
Red Hat's starting to look good to me.
Last edited by jlangelier; 01-13-2005 at 07:24 PM.
For my part I can't get it to work, even after changing the /dev/shm path in the source code; I always end with a Segmentation fault, with any of the options I can see with -h. Maybe you could post how you did it with success on your machine?
I said I'd post the exact code I compiled, but it is exactly the same as the code posted in the link, except that I changed the /dev directory to my /home.
The first time I tried it (couple of days ago) it worked. Now I tried to re-create it, and it did not work until about the eighth time I tried it, monkeying with the params. Note that even with the params below that I used, it did not work very often but it did ultimately work. One time, it kicked me to the login prompt. I'm sorry I ran it now, because I don't understand the code.
I cp'd /var/log/messages and chown'd it to verify it wasn't just smoke and mirrors. Interesting that when I cp'd messages to ~ it copied it to the /home dir rather than /root, even though I had root permission at the time.
Last edited by jlangelier; 01-13-2005 at 07:48 PM.
Update: I googled on the incident ID from the site which reported the exploit, and it's all over the net. Many distros have patched their kernels (including Sun, Ubuntu and Redhat) but others, including Slackware, have not. I originally posted the link to the demo of the exploit, but removed it because I think that would be against website policy.
But if you don't trust your local users (including ssh and telnet logins, and CGI writers) and run 2.2 (all versions), 2.4 up to and including 2.4.29-pre3, or 2.6 up to and including 2.6.10, I would upgrade your kernel.
Also note that there was no evidence of going root using this exploit in /var/log/messages, secure, or sulog on my box, and none of the commands showed up in the root bash history.
Last edited by jlangelier; 01-13-2005 at 07:44 PM.
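As an added example for this thread (not code from any of the posts), here is a small sh script that takes a kernel version string (or the running kernel from uname -r) and reports whether it falls inside the ranges the post above lists as exposed: 2.2 (all versions), 2.4 up to and including 2.4.29-pre3, and 2.6 up to and including 2.6.10. The version format it parses (MAJOR.MINOR.PATCH, optionally followed by -preN or -rcN and then any vendor suffix) and the rule that a -pre tag sorts before -rc and both sort before the final release of the same number are assumptions of this example, not something the thread states; they matter at the 2.4.29 boundary, where 2.4.29-pre3 is inside the range but 2.4.29 itself is not.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posts): decide
# whether a kernel version string lies inside the ranges the post above
# lists as exposed to the local root exploit:
#   2.2.x  all versions
#   2.4.x  up to and including 2.4.29-pre3
#   2.6.x  up to and including 2.6.10
# Assumed version format (an assumption of this example, not from the thread):
#   MAJOR.MINOR.PATCH[-preN|-rcN][anything]   e.g. 2.4.29-pre3, 2.6.10-custom
# A -pre tag sorts before a -rc tag, and both sort before the final release
# of the same number, so 2.4.29-pre3 is affected while 2.4.29 is not.

# Print "MAJ MIN PAT STAGE STAGENUM" for a version string.
split_version() {
    base=${1%%-*}                         # 2.4.29
    rest=${1#"$base"}                     # -pre3-custom (may be empty)
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    pat=${pat%%[!0-9]*}; pat=${pat:-0}    # keep only the leading digits
    stage=final; snum=0
    case $rest in
        -pre[0-9]*) stage=pre; snum=${rest#-pre}; snum=${snum%%[!0-9]*} ;;
        -rc[0-9]*)  stage=rc;  snum=${rest#-rc};  snum=${snum%%[!0-9]*} ;;
    esac
    echo "$maj $min $pat $stage $snum"
}

# Ordering of pre-release tags within one patch level: pre < rc < final.
stage_rank() {
    case $1 in pre) echo 1 ;; rc) echo 2 ;; *) echo 3 ;; esac
}

# Succeed if (PAT STAGE SNUM) <= (BOUND_PAT BOUND_STAGE BOUND_SNUM).
version_le() {
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    a=$(stage_rank "$2"); b=$(stage_rank "$5")
    [ "$a" -lt "$b" ] && return 0
    [ "$a" -gt "$b" ] && return 1
    [ "$3" -le "$6" ]
}

# Exit 0 if the version is inside an affected range, 1 otherwise.
affected_kernel() {
    set -- $(split_version "$1")
    [ "$1" -eq 2 ] || return 1
    case $2 in
        2) return 0 ;;
        4) version_le "$3" "$4" "$5" 29 pre 3 ;;
        6) version_le "$3" "$4" "$5" 10 final 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict; defaults to the running kernel.
report() {
    v=${1:-$(uname -r)}
    if affected_kernel "$v"; then
        echo "$v: inside an affected range, upgrade"
    else
        echo "$v: outside the ranges listed in the thread"
    fi
}

report "$@"
```

Run it with no arguments to check the running kernel, or pass a version string (for example the 2.4.28 the first post mentions) to check a kernel you have not booted yet. The comparison is a pure string-and-integer test with no external commands, so it behaves the same on a 2005-era Slackware box and on a current system.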
I'm putting a link to the incident. I searched on the CVE reference ID and found that many distros have patched for this. I am doing this only because I am the only one here who confirms it works, and I don't want to be taken for a hoaxer.
I note that several security sites are still evaluating it. That may be because it does not work on every machine. Even on my box, it took multiple attempts for it to work.
Originally posted by keefaz: Please note that I never said you were lying or something similar, I just was very curious about this and wanted to test.
I know, and I hope I didn't imply that you did. It was just something of a shock to me when it worked for me, and it therefore became a big deal to me, because this has been reported as working for pretty much any distro running those kernels, and not having heard much about it besides that article on Slashdot, I had to wonder what was going on. Thanks for trying and reporting your results.