Full Disclosure mailing list archives
Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - simple workaround
From: Jon Hart <jhart () spoofed org>
Date: Fri, 14 Jul 2006 09:49:16 -0700
On Thu, Jul 13, 2006 at 09:57:05PM -0700, Kyle Lutze wrote:
It seems that this relies on /etc/cron.d being there? Or is it specific to a crond? I use fcron, which doesn't use /etc/cron.d, and I have been unable to get the exploit to successfully work.

2.6.14 kernel

sh: /tmp/sh: No such file or directory

I'm running gentoo-sources without selinux or anything else special for security. I tried changing it to cron.daily just to test and that doesn't work either.
This particular vulnerability allows you to write core files as root in any directory that you have permission to be in. This particular *exploit* works by arranging the code such that when the core dump happens, a valid cron entry will appear in the dump and, in turn, get executed as root within the next minute when crond scans /etc/cron.d for jobs.

Think of exploiting this vulnerability this way -- you can write a file as root in any directory that you have permission to chdir to. The contents are not totally controlled by you, but you do have fairly good control over certain portions of that file. Furthermore, you do not have control over the filename. Get creative.

Looking at fcron, I'm not sure there is a way to leverage this vulnerability to gain root, though I could be wrong.

Other ways of exploiting this? /etc/logrotate.d (logrotate), perhaps...

-jon
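A defender-side check that follows from the discussion above (an added example, not code from this thread): the symptom of the technique Jon describes is a file that is really an ELF core dump sitting in a directory root-run jobs read, /etc/cron.d and /etc/logrotate.d being the two named here. The scanner below parses the ELF header and flags files whose e_type is ET_CORE; the directory list and function names are my own choices.

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
ET_CORE = 4  # e_type value the ELF spec assigns to core files

# Directories whose contents are executed or parsed as root by periodic jobs.
# Assumption: these are the locations worth watching on this host.
WATCHED_DIRS = ("/etc/cron.d", "/etc/logrotate.d")


def elf_core_header(hdr):
    """Return True if the first bytes of a file form an ELF header of type ET_CORE."""
    if len(hdr) < 18 or hdr[:4] != ELF_MAGIC:
        return False
    # EI_DATA (offset 5) gives the byte order of the remaining header fields:
    # 1 = little-endian, 2 = big-endian. e_type is the 16-bit field at offset 16.
    endian = "<" if hdr[5] == 1 else ">"
    (e_type,) = struct.unpack(endian + "H", hdr[16:18])
    return e_type == ET_CORE


def is_elf_core(path):
    """Read just enough of a file to decide whether it is an ELF core dump."""
    try:
        with open(path, "rb") as fh:
            return elf_core_header(fh.read(20))
    except OSError:
        return False  # unreadable or vanished; not a hit


def find_core_dumps(dirs=WATCHED_DIRS):
    """Return the paths of ELF core dumps found directly inside the given directories."""
    hits = []
    for d in dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue  # directory absent, e.g. an fcron host without /etc/cron.d
        for name in names:
            p = os.path.join(d, name)
            if os.path.isfile(p) and is_elf_core(p):
                hits.append(p)
    return hits


if __name__ == "__main__":
    for p in find_core_dumps():
        print("ELF core dump in a job directory (review and remove):", p)
```

Run it from cron or a host-monitoring agent; any hit is a file that should never be there regardless of which kernel bug put it in place.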
