Fwd: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCALROOT EXPLOIT

Adrian Schroeter adrian at suse.de
Mon Jul 8 07:35:42 BST 2002


On Mon, 8 Jul 2002, Adrian Schroeter wrote:
> On Mon, 8 Jul 2002, Andreas Pour wrote:
> > Adrian Schroeter wrote:
> > >
> > > On Sun, 7 Jul 2002, Waldo Bastian wrote:
> > > > My first impression is that the affected code doesn't run with root privs at
> > > > all, the only thing that could be exploited are the real-time privs IMO (I
> > > > guess that allows for a local DOS)
> > >
> > > Yes, root-permissions are dropped before the sig11 happened. It is not a
> > > security problem, George said the same on IRC yesterday.
> >
> > Hi,
> >
> > The problem is, the root permissions are not irrevocably dropped.  When
> > you use "seteuid(getuid())", the very same program can later
> > "seteuid(0)", and restore itself to the root effective uid.  So it's
> > just a matter of putting that call into your exploit code.  Try the
> > attached to see what I mean.
> >
> > To lose the ability to "return" to the prior effective uid, use
> > setuid(), as the patch does.

Sorry, but the attached patch in Waldo's mail does not do that, it only fixes
one buffer overflow.

bye
adrian

**********************************************************************
Adrian Schroeter
SuSE AG, Deutschherrnstr. 15-19, 90429 Nuernberg, Germany
email: adrian at suse.de   (181 mails already received today.)
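
The seteuid()/setuid() distinction Andreas Pour describes above, as an added illustration that is not part of the original thread or of KDE's code: a temporary drop via seteuid(getuid()) leaves the saved set-user-ID at 0, so root is still reachable, whereas setuid() called while the effective uid is 0 sets real, effective and saved uids together. The helper names (can_regain_root, drop_temporarily, drop_permanently) are my own, and the code assumes POSIX saved-set-user-ID semantics as on Linux; run unprivileged, as root, or as a set-user-ID-root binary, it reports whether root is still reachable after each kind of drop.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 if the process can still obtain effective uid 0 (the saved
 * set-user-ID is still root), 0 otherwise. The effective uid is restored
 * to what it was before probing. */
static int can_regain_root(void)
{
    uid_t before = geteuid();
    if (seteuid(0) == 0) {
        /* Probe succeeded: root is still reachable. Put the euid back. */
        if (before != 0)
            (void)seteuid(before);
        return 1;
    }
    return 0;
}

/* The pattern discussed in the thread: only the effective uid changes.
 * The saved set-user-ID keeps 0, so root can be reinstated later. */
static int drop_temporarily(void)
{
    return seteuid(getuid());
}

/* The pattern the patch should use: setuid() called while privileged sets
 * the real, effective and saved uids together, leaving nothing to return to.
 * Returns 0 on success, -1 if the drop failed or did not stick. */
static int drop_permanently(void)
{
    uid_t real = getuid();

    /* setuid() only clears the saved set-user-ID when the caller is
     * privileged (effective uid 0). If an earlier temporary drop lowered the
     * effective uid, raise it again first. An ordinary unprivileged process
     * gets EPERM here, which is harmless: it has no saved root to clear. */
    if (geteuid() != 0)
        (void)seteuid(0);

    if (setuid(real) != 0)
        return -1;

    /* Verify the drop stuck: a non-root real uid must never get euid 0 back. */
    if (real != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    printf("start:           uid=%u euid=%u root reachable=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), can_regain_root());

    if (drop_temporarily() != 0)
        perror("seteuid");
    printf("after seteuid(): uid=%u euid=%u root reachable=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), can_regain_root());

    if (drop_permanently() != 0)
        perror("setuid");
    printf("after setuid():  uid=%u euid=%u root reachable=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), can_regain_root());

    /* When the real uid itself is 0, "reachable" stays 1: there is no
     * privilege to drop, only a set-user-ID binary run by a normal user
     * shows the 1 -> 0 transition on the last line. */
    return 0;
}
```

Built as an ordinary program and run by a normal user, all three lines report root unreachable; installed set-user-ID root and run by that user, the second line shows root still reachable after seteuid() and the third shows it gone after setuid(), which is the difference the patch needs to make.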