Re: Linux Local Root -- CVE-2012-0056 -- Detailed Write-up
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Tue, 24 Jan 2012 19:37:39 +0100
On Tue, Jan 24, 2012 at 10:10, Jeffrey Walton <noloader () gmail com> wrote:
> Does ptrace defeat -fPIE?
No. When I find the offset via ptrace, I do this in a different /bin/su
than the one I eventually use for injection. This is because when you
ptrace an executable, if it is SUID, it will *drop* its SUIDness if it's
being ptraced. This is an obvious security enhancement. Since ptrace allows
you to write arbitrary memory, if this wasn't in place, then this attack
would have been trivial long ago.
Because I ptrace one /bin/su and inject on another, PIE still deters the
attack, because the addresses will be different each time.
What ptracing does provide over the objdump approach is that it allows you
to determine the offset without having read access to the suid executable,
which is something required for some security-conscious distributions, for
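A defender-side check for the PIE point made above, added here and not part of the original thread: it parses the ELF header of each setuid binary and flags those whose e_type is ET_EXEC (fixed load addresses, so an offset learned once applies to every run) rather than ET_DYN (PIE, randomised per run). The sample headers are constructed in-line, and the paths in the usage line are assumptions.

```python
"""Flag setuid binaries that are not PIE (ELF e_type != ET_DYN)."""
import os
import stat
import struct

ET_EXEC = 2   # fixed-address executable: identical addresses every run
ET_DYN = 3    # position-independent executable (PIE) or shared object

def elf_type(header: bytes):
    """Return the e_type field of an ELF header, or None if not an ELF file.
    e_type is a 16-bit field at offset 16, in the byte order named by EI_DATA."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        return None
    endian = "<" if header[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    return struct.unpack(endian + "H", header[16:18])[0]

def is_pie(header: bytes) -> bool:
    # ET_DYN also covers shared libraries, but a file carrying the setuid
    # bit is an executable, so for our inputs ET_DYN means PIE.
    return elf_type(header) == ET_DYN

def classify_setuid(paths):
    """Return (path, is_pie) for every path that exists and has the setuid bit."""
    result = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue          # missing or unreadable: skip, don't guess
        if not (st.st_mode & stat.S_ISUID):
            continue
        with open(path, "rb") as fh:
            result.append((path, is_pie(fh.read(64))))
    return result

# Constructed sample headers (not real binaries): ELF64, little-endian,
# with e_type set to ET_EXEC and ET_DYN respectively.
_BASE = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
SAMPLE_NON_PIE = _BASE + struct.pack("<H", ET_EXEC) + b"\x00" * 46
SAMPLE_PIE = _BASE + struct.pack("<H", ET_DYN) + b"\x00" * 46

if __name__ == "__main__":
    # Assumed paths; adjust for the host being audited.
    for path, pie in classify_setuid(["/bin/su", "/usr/bin/su", "/usr/bin/passwd"]):
        print(f"{path}: {'PIE' if pie else 'NOT PIE (fixed addresses)'}")
```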
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/