Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Linux Local Root -- CVE-2012-0056 -- Detailed Write-up
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Tue, 24 Jan 2012 19:37:39 +0100

On Tue, Jan 24, 2012 at 10:10, Jeffrey Walton <noloader () gmail com> wrote:

Does ptrace defeat -fPIE?

 No. When I find the offset via ptrace, I do this in a different /bin/su
than the one I eventually use for injection. This is because when you
ptrace an executable, if it is SUID, it will *drop* its SUIDness if it's
being ptraced. This is an obvious security enhancement. Since ptrace allows
you to write arbitrary memory, if this wasn't in place, then this attack
would have been trivial long ago.

Because I ptrace one /bin/su and inject on another, PIE still deters the
attack, because the addresses will be different each time.

What ptracing does provide over the objdump approach is that it allows you
to determine the offset without having read access to the suid executable,
which is something required for some security conscious distributions, for
example, Gentoo.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]