Linux Kernel 2.6.17 - 'Sys_Tee' Local Privilege Escalation

Vulnerability ID: 1056183    Vulnerability type:
Published: 2007-03-05    Updated: 2007-03-05
CVE: N/A    CNNVD-ID: N/A
Platform: Linux    CVSS score: N/A
| Source
https://www.exploit-db.com/exploits/29714
| Details
Vulnerability details have not yet been disclosed.
| Exploit
source: http://www.securityfocus.com/bid/22823/info

The Linux kernel is prone to a local privilege-escalation vulnerability.

Exploiting this issue allows local attackers to gain superuser privileges, facilitating the complete compromise of affected computers.

Linux 2.6.16 -> 2.6.17.6 local root exploit in sys_tee()  
------------------------------------------------------------
*proof that null ptr dereference bugs can be exploited*
------------------------------------------------------------
Bug in fs/splice.c was silently fixed in 2.6.17.7, even though
the SuSE developer who fixed the bug knew it to be a "local DoS"
Changelog stated only: "splice: fix problems with sys_tee()"
On LKML, the user reporting tee() problems said the oops
was at ibuf->ops->get(ipipe, ibuf), where ibuf->ops was NULL
Exploitation is trivial, mmap buffer at address 0, 7th dword
is used as a function pointer by the kernel (the get())
------------------------------------------------------------
May need to run multiple times to catch race.
Exploit does chmod u+s on /bin/bash and disables all LSM modules,
including SELinux.
Code involved with disable_selinux() in tee42-24tee.c should be independent
enough to be plugged into any kernel exploit where you have arbitrary
code execution.
Remember to use /bin/bash -p when executing rootshell
This exploit is *NOT* stealthy.  You'll have to do some serious work
to exploit this bug silently.
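The writeup above gives a defender two concrete facts: the affected kernel range (2.6.16 through 2.6.17.6, fixed in 2.6.17.7) and the root cause (a NULL `ops` pointer that user space can back with a mapping at address 0). The following Python script is an added example, not part of the exploit-db entry or the exploit author's code. It parses `uname -r` strings, flags releases inside the quoted range, and inspects the `vm.mmap_min_addr` sysctl, which the page does not mention but which is the later kernel hardening (present from 2.6.23 onward) that stops user space from mapping page 0 and so blunts this whole bug class. The sample release strings and the findings/action wording are constructed for the example.

```python
import os
import re
from typing import Optional

# Version range quoted in the writeup: 2.6.16 through 2.6.17.6 inclusive;
# 2.6.17.7 carried the splice.c fix ("splice: fix problems with sys_tee()").
AFFECTED_LOW = (2, 6, 16, 0)
AFFECTED_HIGH = (2, 6, 17, 6)


def parse_kernel_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '2.6.17.6-smp' into a 4-tuple of ints.

    Distro suffixes ('-1-686', '-generic', '-rc1') are ignored; missing
    components are padded with zeros so '2.6.17' compares as 2.6.17.0.
    """
    m = re.match(r"(\d+(?:\.\d+){1,3})", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(release: str) -> bool:
    """True if the kernel falls inside the range the exploit author cites."""
    return AFFECTED_LOW <= parse_kernel_release(release) <= AFFECTED_HIGH


def null_page_mappable(mmap_min_addr: str) -> bool:
    """Interpret a vm.mmap_min_addr value as read from /proc/sys/vm.

    A value of 0 means user space may map the page at address 0, which is
    what turns a kernel NULL function-pointer dereference (the ibuf->ops->get
    call in the writeup) into arbitrary code execution.
    """
    return int(mmap_min_addr.strip()) == 0


def assess(release: str, mmap_min_addr: Optional[str]) -> dict:
    """Combine both checks into a findings dict (constructed action strings)."""
    findings = {
        "release": release.strip(),
        "affected_by_tee_bug": is_affected(release),
        "mmap_min_addr_present": mmap_min_addr is not None,
        # Kernels before 2.6.23 have no sysctl at all and allow the mapping.
        "null_page_mappable": (
            True if mmap_min_addr is None else null_page_mappable(mmap_min_addr)
        ),
    }
    if findings["affected_by_tee_bug"]:
        findings["action"] = "upgrade kernel to 2.6.17.7 or later"
    elif findings["null_page_mappable"]:
        findings["action"] = "set vm.mmap_min_addr to a non-zero value"
    else:
        findings["action"] = "none"
    return findings


def read_sysctl_mmap_min_addr(path: str = "/proc/sys/vm/mmap_min_addr") -> Optional[str]:
    """Read the live sysctl; None when absent (old kernel) or /proc unavailable."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample release strings, then the host's own values on Linux.
    samples = ["2.6.15.7", "2.6.16", "2.6.17.6-1-686", "2.6.17.7", "2.6.18-rc1"]
    for r in samples:
        print(f"{r:18s} affected={is_affected(r)}")
    if hasattr(os, "uname"):
        print(assess(os.uname().release, read_sysctl_mmap_min_addr()))
```

Run it as-is on a fleet of hosts (or feed it `uname -r` output collected elsewhere) to find kernels still in the quoted range; on modern kernels the second finding is the one that matters, since a zero `vm.mmap_min_addr` re-enables the mmap-at-0 step this exploit and its successors depend on.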
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/29714.tgz