Hi! Santosh Eraniose [2005-03-29 16:39 +0530]: > On executing the PoC on 2.4.29 and 2.6.11 kernel we initially get > no core dump. The following code introduced to fix another bug, caused > the loading of the interpreter to fail. > [...] > With this change, on executing the PoC on 2.4.29 and 2.6.11, > the core dump contains the suid executable. > We used the strings command to check if the strings in the suid > is present in the core. > > So we find that the vulnerability of reading non-readable > binaries exist in the latest kernel and the vendor provided patch > for CAN-2004-1073 does not fix this vulnerability.
Confirmed. I tried this on a security-patched 2.6.8.1 (Ubuntu 4.10) and 2.6.10 (Ubuntu 5.04) kernel. With the modified PoC I was able to read a setuid binary with 4701 permissions on all kernels. Martin -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntulinux.org Debian Developer http://www.debian.org
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
