local root exploit confirmed in 2.6.10: Linux 2.6 KernelCapability LSM Module Local Privilege Elevation

From: Lee Revell
Date: Tue Dec 28 2004 - 16:23:13 EST

Next message: Håkan Lindqvist: "Re: 2.6.10: e100 network broken after swsusp/resume"
Previous message: Sam Ravnborg: "Re: [patch 0/3] kallsyms: Add gate page and all symbols support"
Next in thread: Lee Revell: "Re: local root exploit confirmed in 2.6.10: Linux 2.6 KernelCapability LSM Module Local Privilege Elevation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Frank Barknecht pointed this out on linux-audio-dev, it's a horrible
bug, I confirmed it in 2.6.10, and have not seen it mentioned on the
list.

Executive summary:

run "vim" as normal user. Do ":r /etc/shadow". Permission denied.

do "modprobe capability" as root in another terminal

Do ":r /etc/shadow" again in the same vim. You will be able to read and
write /etc/shadow as normal user.

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-12/0390.html

Lee

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Håkan Lindqvist: "Re: 2.6.10: e100 network broken after swsusp/resume"
Previous message: Sam Ravnborg: "Re: [patch 0/3] kallsyms: Add gate page and all symbols support"
Next in thread: Lee Revell: "Re: local root exploit confirmed in 2.6.10: Linux 2.6 KernelCapability LSM Module Local Privilege Elevation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]