Thursday, April 16, 2009
udev trickery (CVE-2009-1185 and CVE-2009-1186)
While the security industry is making weird statements about
no-more-free-hugs and OSX vs. Windows exploitation fun,
I add my two cents on UNIX exploitation.
There are two problems in every currently deployed udevd, as shipped by all major Linux distributions. Even if you
install SELinux or other hardening mechanisms, you are at risk
(see the screenshot above, taken on a targeted SELinux configuration).
The first problem (CVE-2009-1185) exists because the origin of
KOBJECT_UEVENT messages is not verified, so any user can spoof
messages that udevd takes for granted as coming from the kernel. This allows
some trickery to create a device node named /dev/random with permissions
0666 but the major and minor numbers of your root block device. The rest
is code. Alternatively, CVE-2009-1186, a standard stack buffer overflow,
could be exploited. Depending on the configuration of the system,
CVE-2009-1185 can also be exploited with odd network interface names and the like,
so in the end chrooted, jailed or PrivSep'ed users have a good chance of getting a full root shell.
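As an added example (not code from the original post and not udev's own code), here is the origin check that CVE-2009-1185 describes as missing, written against the netlink socket that udevd reads uevents from: a message is trusted only if its sender address says it came from the kernel (netlink pid 0, multicast to the kernel uevent group 1), and the payload is parsed only after that check passes. The sample uevent payload and the sender pid 4242 used in the demo are constructed for illustration, not captured from a system.

```c
#include <sys/socket.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example (not udev's code): the origin check whose absence is
 * CVE-2009-1185. Kernel uevents arrive on a NETLINK_KOBJECT_UEVENT socket
 * as multicasts to group 1 from netlink pid 0; anything else on that
 * socket was sent by a user-space process and must not be acted on. */
#define UEVENT_KERNEL_GROUP 1u

/* Return 1 if the sender address filled in by recvfrom() identifies the
 * kernel, 0 for a message sent by any user-space process. */
int uevent_from_kernel(const struct sockaddr_nl *snl)
{
    if (snl->nl_family != AF_NETLINK)
        return 0;
    if (snl->nl_pid != 0)                      /* user-space senders have a pid */
        return 0;
    if (snl->nl_groups != UEVENT_KERNEL_GROUP) /* unicast or another group */
        return 0;
    return 1;
}

/* Length of the NUL-terminated field starting at p, bounded by avail. */
static size_t field_len(const char *p, size_t avail)
{
    const char *nul = memchr(p, '\0', avail);
    return nul ? (size_t)(nul - p) : avail;
}

/* Minimal parser for the uevent wire format "ACTION@DEVPATH\0KEY=VALUE\0...".
 * Copies the value of key into out (NUL-terminated); returns 1 if found. */
int uevent_get(const char *msg, size_t len, const char *key,
               char *out, size_t outlen)
{
    size_t klen = strlen(key);
    size_t pos = field_len(msg, len);          /* skip "action@devpath" header */
    if (pos >= len || outlen == 0)
        return 0;
    pos++;
    while (pos < len) {
        const char *field = msg + pos;
        size_t flen = field_len(field, len - pos);
        if (flen > klen && memcmp(field, key, klen) == 0 && field[klen] == '=') {
            size_t vlen = flen - klen - 1;
            if (vlen >= outlen)
                vlen = outlen - 1;
            memcpy(out, field + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        pos += flen + 1;
    }
    return 0;
}

/* Policy: check the origin before touching the payload.
 * Returns 1 if the event may be processed, 0 if it must be dropped. */
int accept_uevent(const struct sockaddr_nl *snl, const char *msg, size_t len)
{
    char action[16];
    if (!uevent_from_kernel(snl))
        return 0;
    return uevent_get(msg, len, "ACTION", action, sizeof action);
}

/* Constructed sample of a kernel "add" event for a misc device
 * (illustrative values, not captured from a running system). */
static const char sample_event[] =
    "add@/class/misc/random\0ACTION=add\0DEVPATH=/class/misc/random\0"
    "MAJOR=1\0MINOR=8\0";
#define SAMPLE_LEN (sizeof sample_event - 1)

/* The same payload is accepted when the kernel sends it and rejected when a
 * process with a real netlink pid unicasts it; returns accept_uevent()'s verdict. */
int demo_verdict(int from_kernel)
{
    struct sockaddr_nl snl;
    memset(&snl, 0, sizeof snl);
    snl.nl_family = AF_NETLINK;
    snl.nl_pid    = from_kernel ? 0 : 4242;   /* 4242: constructed sender pid */
    snl.nl_groups = from_kernel ? UEVENT_KERNEL_GROUP : 0;
    return accept_uevent(&snl, sample_event, SAMPLE_LEN);
}

/* Stand-alone use: listen for real uevents and report only kernel ones. */
int main(void)
{
    struct sockaddr_nl bind_addr, from;
    char buf[4096];
    int fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    if (fd < 0) { perror("socket"); return 1; }
    memset(&bind_addr, 0, sizeof bind_addr);
    bind_addr.nl_family = AF_NETLINK;
    bind_addr.nl_groups = UEVENT_KERNEL_GROUP;
    if (bind(fd, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0) {
        perror("bind"); return 1;
    }
    for (;;) {
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0,
                             (struct sockaddr *)&from, &fromlen);
        if (n <= 0)
            break;
        if (accept_uevent(&from, buf, (size_t)n))
            printf("kernel event: %.*s\n", (int)field_len(buf, (size_t)n), buf);
        else
            printf("dropped event from netlink pid %u\n", (unsigned)from.nl_pid);
    }
    close(fd);
    return 0;
}
```

The point of the structure is ordering: the sender address is checked before a single byte of the payload is interpreted, so a spoofed "add" event with a chosen MAJOR/MINOR pair never reaches the code that creates device nodes.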
7 comments:
Gimme exploit
Hi,
as all distros have released patches and the exploit has been fixed can you now publish the code you've been using to actually gain root privileges?
It is a public vuln, why don't you make the exploit public? lol ;]
Congratulations, you've found a very nice bug!
Alternatively, you can exploit the remove action instead of add to directly execute shell commands.
Really, just write your own exploit. Releasing it now would not benefit anyone except the script kiddies. You have been given more than enough information to be able to write your own exploit. I know I did...
I'm sure asking for the exploit isn't motivation for publication. Nice work.
This reminds me of a quite old vulnerability in the Zebra routing suite:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0858
Everything new is a well forgotten old?