local root exploit confirmed in 2.6.10: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation

From: Lee Revell
Date: Tue Dec 28 2004 - 16:23:13 EST


Frank Barknecht pointed this out on linux-audio-dev, it's a horrible
bug, I confirmed it in 2.6.10, and have not seen it mentioned on the
list.

Executive summary:

Run "vim" as a normal user. Do ":r /etc/shadow". Permission denied.

Do "modprobe capability" as root in another terminal.

Do ":r /etc/shadow" again in the same vim. You will be able to read and
write /etc/shadow as a normal user.

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-12/0390.html

Lee

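A defender-side check for the symptom reported above, as an added example that is not part of the original post: it flags processes that run under a non-root effective UID yet hold effective capabilities. It assumes the symptom is visible as a non-zero `CapEff` in `/proc/<pid>/status`; the function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the symptom shows up
# as a non-empty effective capability set (CapEff) on a non-root process.

# check_status FILE: FILE is in /proc/<pid>/status format.
# Prints one line and returns 0 when euid != 0 and CapEff != 0; returns 1 when
# the process looks normal; returns 2 when fields are missing or unreadable.
check_status() {
    awk '
        $1 == "Name:"   { name = $0; sub(/^Name:[ \t]*/, "", name) }
        $1 == "Pid:"    { pid = $2 }
        $1 == "Uid:"    { euid = $3 }      # fields: real effective saved fs
        $1 == "CapEff:" { capeff = $2 }
        END {
            if (euid == "" || capeff == "") exit 2
            if (euid + 0 != 0 && capeff !~ /^0+$/) {
                printf "pid=%s name=%s euid=%s CapEff=%s\n", pid, name, euid, capeff
                exit 0
            }
            exit 1
        }' "$1" 2>/dev/null
}

# scan_proc [ROOT]: check every ROOT/<pid>/status (ROOT defaults to /proc).
# Returns 0 if nothing was flagged, 1 if at least one process was.
scan_proc() {
    hits=0
    for f in "${1:-/proc}"/[0-9]*/status; do
        [ -r "$f" ] || continue            # process exited or glob did not match
        if check_status "$f"; then hits=1; fi
    done
    [ "$hits" -eq 0 ]
}

# make_sample DIR: write two constructed status files (not real captures).
# 0x6 = bits 1 and 2, CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH.
make_sample() {
    mkdir -p "$1/1001" "$1/1002"
    printf 'Name:\tvim\nPid:\t1001\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000006\n' \
        > "$1/1001/status"
    printf 'Name:\tbash\nPid:\t1002\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n' \
        > "$1/1002/status"
}

# --scan checks the live /proc; --demo runs against the constructed sample.
case "${1:-}" in
    --scan) scan_proc ;;
    --demo) d=$(mktemp -d); make_sample "$d"; scan_proc "$d"; rm -rf "$d" ;;
esac
```

On current systems a hit can be legitimate (file or ambient capabilities), so treat the output as a list to review.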