Linux Kernel 2.6.17 - 'Sys_Tee' Local Privilege Escalation

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1056183 漏洞类型
发布时间 2007-03-05 更新时间 2007-03-05
漏洞平台 Linux CVSS评分 N/A

The Linux kernel is prone to a local privilege-escalation vulnerability.

Exploiting this issue allows local attackers to gain superuser privileges, facilitating the complete compromise of affected computers. 

Linux 2.6.16 -> local root exploit in sys_tee()  
*proof that null ptr dereference bugs can be exploited*
Bug in fs/splice.c was silently fixed in, even though
the SuSE developer who fixed the bug knew it to be a "local DoS"
Changelog stated only: "splice: fix problems with sys_tee()"
On LKML, the user reporting tee() problems said the oops
was at ibuf->ops->get(ipipe, ibuf), where ibuf->ops was NULL
Exploitation is trivial, mmap buffer at address 0, 7th dword
is used as a function pointer by the kernel (the get())
May need to run multiple times to catch race.
Exploit does chmod u+s on /bin/bash and disables all LSM modules,
including SELinux.
Code involved with disable_selinux() in tee42-24tee.c should be independent
enough to be plugged into any kernel exploit where you have arbitrary
code execution.
Remember to use /bin/bash -p when executing rootshell
This exploit is *NOT* stealthy.  You'll have to do some serious work
to exploit this bug silently.