following symlinks created by other users in sticky-bit directories.
This simple restriction successfully prevents exploitation of a majority of
these types of attacks.
Greets to $1$kk1q85Xp$Id.gAcJOg7uelf36VQwJQ/ and #busticati.
Happy hacking,
Dan Rosenberg
@djrbliss on twitter
[1]
http
/*
* Linux Kernel CAP_SYS_ADMIN to root exploit
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc -w caps-to-root.c -o caps-to-root
* sudo setcap cap_sys_admin+ep caps-to-root
* ./caps-to-root
*
* This exploit is NOT stable:
*
* * It only works on 32-bit x86 machines
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* ./full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* -
* This is the interesting one, and the reason
It's funny to me that this should get special attention over any of
the several dozen local DoS vulnerabilities that have been made public
this year, starting with:
CVE-2010-2954: NULL pointer dereference in IRDA
CVE-2010-2960: NULL pointer dereference in keyctl
CVE-2010-3066: NULL pointer
 * clearly need something far more elite. In order to
 * prove your superiority, your exploit must be as sophisticated as your taste
 * in obscure electronic music. After scanning the kernel source for good
 * candidates, you find your target and begin to code...
*
* by Dan Rosenberg
*
* Greets to kees, taviso, jono, spender, hawkes, and bla
*
*/
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <linux/filter.h>
#define PORT 37337
int transfer
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Linux RDS Protocol Local Privilege Escalation
Release Date: 2010-10-19
Application: Linux Kernel
Versions: 2.6.30 - 2.6.36-rc8
Severity: High
Author: Dan Rosenberg drosenberg (at) vsecurity (dot) com
Vendor Status: Patch Released [3]
CVE Candidate: CVE-2010
This has already been made public:
http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076294.html
On Ubuntu, xterm is setgid utmp, which might make it an interesting
target for local attacks. However, you'll need to check if it's
already dropped group utmp privileges by the time
that the target program adheres to the syntax [program]
[args] [input file]. Both of these limitations can be easily worked
around. The code is hardly what I'd call production-ready, but it
gets the job done.
The tool is available at:
http://vsecurity.com/resources/tool
Happy hacking,
Dan Rosenberg
, M_WAITOK);
error = copyin(args.pa_socket_name, fmp->pm_socket_name,
args.pa_socket_namelen);
if (error)
==Credits==
This vulnerability was discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com).
==References==
CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.
[1] http
users are
advised to download and recompile from source, or request updated packages from
downstream distributions.
==Credits==
These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenb...@gmail.com).
==Timeline==
5/24/10 - Reported to Exim
5/25/10 - Response from Exim
6/03/10 - Exim
version string is
dpc2100R2-v202r1256-100324as.
To prevent exploitation of CSRF vulnerabilities, users are always encouraged
to practice safe browsing habits and avoid visiting unknown or untrusted
websites.
==Credits==
These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenb...@gmail.com).
of
Ghostscript or avoid processing untrusted PostScript files.
==Credits==
These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenb...@gmail.com).
==Timeline==
3/04/10 - Initial report to downstream distribution
5/11/10 - Anonymous researcher discloses first issue
5/11/10
vulnerability, I wouldn't consider this a serious
issue by any means, but it's probably something that's worth fixing
eventually.
Happy hacking,
Dan Rosenberg
I just finished a blog post detailing how the popular text editor,
nano, is unsafe to run as root to edit untrusted users' files, with
consequences including full privilege escalation:
http://drosenbe.blogspot.com/2010/03/nano-as-root.html
This is not a disclosure of vulnerabilities per se;
disclosure. In addition, users can
deny service to other users by creating lockfiles for other users' mailboxes.
==Solution==
Users are advised to discontinue use of Deliver in the absence of a patch or
new release from the developer.
==Credits==
These vulnerabilities were discovered by Dan
distributors.
==Credits==
These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenb...@gmail.com).
Thanks to Vitezslav Crhonek for the patch against the first issue.
==References==
CVE identifiers CVE-2010-0788, CVE-2010-0790, and CVE-2010-0791 have been
assigned to these issues.
they become available.
==Credits==
This vulnerability was discovered by Dan Rosenberg
(dan.j.rosenb...@gmail.com).
Thanks to Thibault Godouet for his prompt response and new release.
==References==
CVE identifier CVE-2010-0792 has been assigned to this issue.