Linux Kernel 2.6.17 - 'Sys_Tee' Local Privilege Escalation

EDB-ID:

29714

CVE:

N/A


Platform:

Linux

Published:

2007-03-05

source: http://www.securityfocus.com/bid/22823/info

The Linux kernel is prone to a local privilege-escalation vulnerability.

Exploiting this issue allows local attackers to gain superuser privileges, facilitating the complete compromise of affected computers. 



Linux 2.6.16 -> 2.6.17.6 local root exploit in sys_tee()  
------------------------------------------------------------
*proof that null ptr dereference bugs can be exploited*
------------------------------------------------------------
Bug in fs/splice.c was silently fixed in 2.6.17.7, even though
the SuSE developer who fixed the bug knew it to be a "local DoS"
Changelog stated only: "splice: fix problems with sys_tee()"
On LKML, the user reporting tee() problems said the oops
was at ibuf->ops->get(ipipe, ibuf), where ibuf->ops was NULL
Exploitation is trivial, mmap buffer at address 0, 7th dword
is used as a function pointer by the kernel (the get())
------------------------------------------------------------
May need to run multiple times to catch race.
Exploit does chmod u+s on /bin/bash and disables all LSM modules,
including SELinux.
Code involved with disable_selinux() in tee42-24tee.c should be independent
enough to be plugged into any kernel exploit where you have arbitrary
code execution.
Remember to use /bin/bash -p when executing rootshell
This exploit is *NOT* stealthy.  You'll have to do some serious work
to exploit this bug silently.



https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/29714.tgz