Fwd: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCALROOT EXPLOIT

Adrian Schroeter adrian at suse.de
Mon Jul 8 07:30:44 BST 2002


On Mon, 8 Jul 2002, Andreas Pour wrote:
> Adrian Schroeter wrote:
> >
> > On Sun, 7 Jul 2002, Waldo Bastian wrote:
> > > My first impression is that the affected code doesn't run with root privs at
> > > all, the only thing that could be exploited are the real-time privs IMO (I
> > > guess that allows for a local DOS)
> >
> > Yes, root-permissions are dropped before the sig11 happened. It is not a
> > security problem, George said the same on IRC yesterday.
>
> Hi,
>
> The problem is, the root permissions are not irrevocably dropped.  When
> you use "seteuid(getuid())", the very same program can later
> "seteuid(0)", and restore itself to the root effective uid.  So it's
> just a matter of putting that call into your exploit code.  Try the
> attached to see what I mean.
>
> To lose the ability to "return" to the prior effective uid, use
> setuid(), as the patch does.

Ergs, you are right ... (I only saw a different patch yesterday, sorry for the
confusion).

bye
adrian

**********************************************************************
Adrian Schroeter
SuSE AG, Deutschherrnstr. 15-19, 90429 Nuernberg, Germany
email: adrian at suse.de   (177 mails already received today.)
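
The seteuid()/setuid() distinction Andreas describes above, as a small C
program added here for illustration. It is not code from this thread or from
KDE; the function names are mine, and it assumes Linux/glibc semantics for
seteuid() and setuid(). Run as an ordinary user the two drops behave the same;
installed setuid root it shows that seteuid(getuid()) can be undone with a
later seteuid(0) while setuid(getuid()) cannot.

```c
/* privdrop_demo.c: seteuid(getuid()) is a reversible privilege drop,
 * setuid(getuid()) is not. Added example; assumes Linux/glibc semantics.
 * Build:  cc -o privdrop_demo privdrop_demo.c
 * To see the difference, install it setuid root in a scratch directory:
 *   sudo chown root privdrop_demo && sudo chmod u+s privdrop_demo
 * and run it as an unprivileged user. Run without setuid, both drops are
 * no-ops because real, effective and saved uid are already identical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The drop the thread calls insufficient: only the effective uid changes.
 * The saved set-user-ID keeps the old euid (0 for a setuid-root binary),
 * so a later seteuid(0) is permitted by the kernel and succeeds. */
int drop_temporarily(void)
{
    return seteuid(getuid());
}

/* The drop the patch uses. When the caller is privileged (euid 0), setuid()
 * sets the real, effective AND saved uid, so nothing is left to return to.
 * Caveat: it must run while euid is still 0. Called from an already
 * unprivileged state (e.g. after drop_temporarily()), setuid() changes only
 * the effective uid and the saved uid still allows a return. */
int drop_permanently(void)
{
    return setuid(getuid());
}

/* What an exploit would do: switch the effective uid back to `target`.
 * Returns 1 if the kernel allowed it and we are now `target`, 0 if it
 * refused (errno EPERM). Drops back to the real uid afterwards so the
 * caller's state is left as it was. */
int can_regain(uid_t target)
{
    if (seteuid(target) != 0)
        return 0;
    int ok = (geteuid() == target);
    int back = seteuid(getuid()); /* best effort return to the unprivileged state */
    (void)back;
    return ok;
}

/* 1 if, after a drop, the original effective uid cannot be regained (or was
 * never distinct from the real uid, so there is nothing to regain). */
int drop_is_irrevocable(uid_t original_euid)
{
    if (original_euid == getuid())
        return 1;
    return !can_regain(original_euid);
}

int main(void)
{
    uid_t real = getuid();
    uid_t orig = geteuid();
    printf("real uid %u, effective uid %u\n", (unsigned)real, (unsigned)orig);
    if (real == orig)
        printf("(not setuid: the two drops behave identically here)\n");

    if (drop_temporarily() != 0) { perror("seteuid"); return 1; }
    printf("after seteuid(getuid()): euid %u, seteuid(%u) again -> %s\n",
           (unsigned)geteuid(), (unsigned)orig,
           can_regain(orig) ? "ALLOWED (privileges recoverable)" : "refused");

    /* Regain first so the permanent drop is done from the privileged state. */
    if (seteuid(orig) != 0) { perror("seteuid"); return 1; }
    if (drop_permanently() != 0) { perror("setuid"); return 1; }
    printf("after setuid(getuid()):  euid %u, seteuid(%u) again -> %s\n",
           (unsigned)geteuid(), (unsigned)orig,
           drop_is_irrevocable(orig) ? "refused (drop is irrevocable)"
                                     : "ALLOWED (setuid ran without privilege?)");
    return 0;
}
```

The ordering in main() matters: if the code has already done seteuid(getuid())
before it gets around to setuid(getuid()), the second call runs without
privilege and leaves the saved uid at 0. On Linux the robust fix for that
situation is setresuid(uid, uid, uid), which sets all three ids explicitly.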