Posts

Showing posts from December, 2011

Ubuntu Server Exploit (Local Privilege Escalation)

Image
Today we're gonna talk about an "old" vulnerability discovered by Dan Rosenberg in the linux kernel. This bug affect versions previous than 2.6.38 and permit to an user with low privileges to gain root access. Link to exploit: Linux Kernel<= 2.6.37 Local Privilege Escalation   The text below is taked from exploit description. * This exploit leverages three vulnerabilities to get root, all of which were * discovered by Nelson Elhage: * * CVE-2010-4258 * ------------- * This is the interesting one, and the reason I wrote this exploit. If a * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL * word will be written to a user-specified pointer when that thread exits. * This write is done using put_user(), which ensures the provided destination * resides in valid userspace by invoking access_ok(). However, Nelson * discovered that when the kernel performs an address limit override via * set_fs(KERNEL_DS) and the thread subsequen