* richard offer (offerat_private) wrote:
>
> * frm gregat_private "09/11/01 13:14:04 -0700" | sed '1,$s/^/* /'
> *
> * On Tue, Sep 11, 2001 at 09:38:05AM -0700, richard offer wrote:
> *>
> *> How does this work? It back-tracks from Stephen's separation of function
> *> from access control, but it implements an identical code path to pre-LSM.
> *
> * I don't know, how does this work?
> * Have you tried it out against the different ptrace sploits out there?
>
> The only exploit I could find for 2.4 was fixed by Alan Cox in 2.4.1-ac19,
> so the code as I posted this morning works as expected. i.e. PTRACE_ATTACH:
> operation not permitted.
>
> If you've got any other exploits that you think should be tested, if you
> can send me a pointer to the code I'll try them out.

i have some exploits i'll send you. iirc, the main race was with the
dumpable flag. older 2.2.<19 and early 2.4 kernels had a race where the
exec on a suid executable didn't turn off the dumpable flag soon enough.
so all you have to do is execute a simple program that does an execve() of
a program that is suid and not in cache. the race is on...

-chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
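Added illustration, not part of the thread and not kernel source: a small C model of the pre-LSM ptrace attach permission test that the thread is discussing (same real/effective/saved ids as the tracer and target still dumpable, or CAP_SYS_PTRACE), together with a model of the exec-time credential change. The struct, the field names, the uid values and the `guard_traced` switch are all constructed for the example; the switch stands for an exec-side rule of "do not grant the file's uid to a process that is already traced by an unprivileged tracer", which is how the dumpable-flag window described above can be closed regardless of flag ordering. It shows why attach returns "operation not permitted" once the setuid exec has completed, and why the outcome differs when the attach lands inside the window.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the 2.4-era ptrace attach check and of the exec-time
 * credential change. Not kernel source: ids are plain unsigned ints and
 * EPERM is returned as -1.
 */
typedef struct {
    unsigned uid, euid, suid;   /* real, effective, saved user ids   */
    unsigned gid, egid, sgid;   /* real, effective, saved group ids  */
    bool dumpable;              /* cleared by a setuid exec          */
    bool cap_sys_ptrace;        /* holds CAP_SYS_PTRACE              */
    bool traced;                /* a tracer is attached              */
    bool tracer_privileged;     /* that tracer holds CAP_SYS_PTRACE  */
} task_t;

/* Attach is refused unless the tracer's real ids match every id of the
 * target and the target is dumpable, or the tracer has CAP_SYS_PTRACE. */
int ptrace_attach_allowed(const task_t *tracer, const task_t *target)
{
    bool same_ids = tracer->uid == target->uid  && tracer->uid == target->euid &&
                    tracer->uid == target->suid && tracer->gid == target->gid  &&
                    tracer->gid == target->egid && tracer->gid == target->sgid;
    if ((!same_ids || !target->dumpable) && !tracer->cap_sys_ptrace)
        return -1;  /* EPERM: "PTRACE_ATTACH: operation not permitted" */
    return 0;
}

/* Exec of a setuid file. With guard_traced set, a process that is already
 * traced by an unprivileged tracer is not given the file's uid at all
 * (assumed mitigation, modelled here); otherwise the new effective uid is
 * installed and dumpable is cleared only afterwards, which is the window the
 * thread describes. */
void exec_setuid(task_t *t, unsigned file_uid, bool guard_traced)
{
    if (guard_traced && t->traced && !t->tracer_privileged) {
        t->dumpable = false;
        return;             /* keeps the caller's own credentials */
    }
    t->euid = file_uid;
    t->suid = file_uid;
    t->dumpable = false;
}

/* Returns true when the target ends up running with an effective uid other
 * than the tracer's while traced by an unprivileged tracer, i.e. the outcome
 * the attach check exists to prevent. */
bool traced_with_elevated_privs(bool attach_inside_window, bool guard_traced)
{
    task_t tracer = { .uid = 1000, .euid = 1000, .suid = 1000,
                      .gid = 1000, .egid = 1000, .sgid = 1000,
                      .dumpable = true };
    task_t target = tracer;     /* constructed: same unprivileged user */

    if (attach_inside_window && ptrace_attach_allowed(&tracer, &target) == 0) {
        target.traced = true;
        target.tracer_privileged = tracer.cap_sys_ptrace;
    }
    exec_setuid(&target, 0, guard_traced);
    if (!attach_inside_window && ptrace_attach_allowed(&tracer, &target) == 0) {
        target.traced = true;   /* never reached: dumpable is off, euid differs */
        target.tracer_privileged = tracer.cap_sys_ptrace;
    }
    return target.traced && !target.tracer_privileged && target.euid != tracer.uid;
}

int main(void)
{
    printf("attach after exec completes      : %s\n",
           traced_with_elevated_privs(false, false) ? "traced as root" : "EPERM");
    printf("attach inside window, no guard   : %s\n",
           traced_with_elevated_privs(true, false) ? "traced as root" : "safe");
    printf("attach inside window, exec guard : %s\n",
           traced_with_elevated_privs(true, true) ? "traced as root" : "safe");
    return 0;
}
```

The three cases in main() are the ones the thread turns on: after a completed setuid exec the check fails on both dumpable and the id comparison, so the code path Richard tested reports EPERM; inside the window the check passes on a target that still looks like the tracer's own process, and only an exec-side rule that refuses to elevate an already traced process keeps the result from being a root process under an unprivileged tracer.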
This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 10:46:41 PDT