Hi,
I found this one today:
http://securitytracker.com/alerts/2007/Oct/1018782.html
In the git changelog:
http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commit;h=ebbeb2c7ac1b00b608390595783
7a271e80b187e
noone leaves any word about privilege escalation.
Is it really possible to get root privileges with this bug or are there
people who just write "may be used to escalate privileges" near any bug
which has something to do with "setuid" or "setgid"?
Thanks in advance
CU
Manuel
Hello,
Shame on me, but I didn't look carefully at the patch. The patch, of
course, tries to get rid of root privileges and doesn't try to get them.
As I also posted to the wrong list, by accident, lets assume this topic
as closed.
Yours
Manuel Reimer
On Fri, 04 Jan 2008 13:21:32 +0100, Manuel Reimer said:
> Is it really possible to get root privileges with this bug or are there
> people who just write "may be used to escalate privileges" near any bug
> which has something to do with "setuid" or "setgid"?
It looks like it really *is* possible to do some damage, if you can make
several things happen:
1) Cause set[ug]id() to fail, possibly using a crafted 'capabilities' list.
2) Get it to invoke a helper that's now running with different permissions than
it was designed to, and feed said helper some carefully crafted malicious or
bogus data.
Given that it is semantically almost identical to the Sendmail-capabilities
bug from a few years ago, which was *certainly* abusable to get root, it would
be foolish to think anything *except* "this sucker should be assumed to be
a root exploit until *proven* otherwise". Anybody who thinks "I don't see
how to exploit it, so it can't be done" is in for a rude surprise....