[Full-disclosure] CAN-2004-1073 not fixed
martin.pitt at canonical.com
Wed Mar 30 10:21:35 BST 2005
Santosh Eraniose [2005-03-29 16:39 +0530]:
> On executing the PoC on 2.4.29 and 2.6.11 kernel we initially get
> no core dump. The following code introduced to fix another bug, caused
> the loading of the interpreter to fail.
> With this change, on executing the PoC on 2.4.29 and 2.6.11,
> the core dump contains the suid executable.
> We used the strings command to check if the strings in the suid
> is present in the core.
> So we find that the vulnerability of reading non-readable
> binaries exist in the latest kernel and the vendor provided patch
> for CAN-2004-1073 does not fix this vulnerability.
I tried this on a security-patched 126.96.36.199 (Ubuntu 4.10) and 2.6.10
(Ubuntu 5.04) kernel. With the modified PoC I was able to read a
setuid binary with 4701 permissions on all kernels.
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050330/79ec11af/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.