Re: Do people exaggerate in security advisories?
From: Valdis . Kletnieks
Date: Fri Jan 04 2008 - 15:28:23 EST
On Fri, 04 Jan 2008 13:21:32 +0100, Manuel Reimer said:
> Is it really possible to get root privileges with this bug or are there
> people who just write "may be used to escalate privileges" near any bug
> which has something to do with "setuid" or "setgid"?
It looks like it really *is* possible to do some damage, if you can make
several things happen:
1) Cause set[ug]id() to fail, possibly using a crafted 'capabilities' list.
2) Get it to invoke a helper that's now running with different permissions than
it was designed to, and feed said helper some carefully crafted malicious or
bogus data.
Given that it is semantically almost identical to the Sendmail-capabilities
bug from a few years ago, which was *certainly* abusable to get root, it would
be foolish to think anything *except* "this sucker should be assumed to be
a root exploit until *proven* otherwise". Anybody who thinks "I don't see
how to exploit it, so it can't be done" is in for a rude surprise....
Attachment:
pgp00000.pgp
Description: PGP signature