CVE-2006-3626 local privilege escalation stopped by targeted policy
Joshua Brindle
jbrindle at tresys.com
Sat Jul 15 08:07:21 UTC 2006
The local privilege escalation from
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
is stopped by the SELinux targeted policy (both the old policy and reference
policy). I used a RHEL4 test VM to demonstrate below. This was released
yesterday, so there is no updated kernel RPM yet.

This requires a.out support to exploit; you'll have to grab binfmt_aout.c
from the appropriate kernel sources (it isn't shipped with RHEL or Fedora),
build it with a module makefile, then insert it.
setenforce 0
[jbrindle at rhel4-dev ~]$ id
uid=501(jbrindle) gid=502(jbrindle) groups=502(jbrindle)
context=user_u:system_r:unconfined_t
[jbrindle at rhel4-dev ~]$ ./h00lyshit /bin/ash.static
preparing
trying to exploit /bin/ash.static
sh-3.00# id
uid=0(root) gid=502(jbrindle) groups=502(jbrindle)
context=user_u:system_r:unconfined_t
(It may take a few tries to get it, since it's a race; clear your cache
between tries.)
setenforce 1
[jbrindle at rhel4-dev ~]$ ./h00lyshit /bin/ash.static
preparing
trying to exploit /bin/ash.static
failed: Permission denied
All related denials:
audit(1152957171.464:5): avc: denied { setattr } for pid=6291 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
audit(1152957171.465:6): avc: denied { execute } for pid=6292 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
audit(1152957171.467:7): avc: denied { execute_no_trans } for pid=6292 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
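The three AVC records above are exactly the signal a defender would hunt for: a process being denied execute (and execute_no_trans) on a file under /proc. As an added example, not part of Joshua's post and not SELinux tooling, here is a small Python parser for this `audit(ts:serial): avc:` record format (the RHEL4-era form; it also tolerates the later `type=AVC msg=` prefix) run over the post's records, re-joined onto one line each as constructed sample input. It extracts the permission set and key=value fields, splits a context into user:role:type, and flags denied execute permissions on procfs files, which is the denial that stopped the exploit here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the three AVC records from the post, each joined back
# onto a single line (the mailer had wrapped them).
SAMPLE_AVC = """\
audit(1152957171.464:5): avc: denied { setattr } for pid=6291 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
audit(1152957171.465:6): avc: denied { execute } for pid=6292 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
audit(1152957171.467:7): avc: denied { execute_no_trans } for pid=6292 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
"""

# Header: optional modern "type=AVC msg=" prefix, then audit(ts:serial): avc: <result> { perms } for <fields>
AVC_RE = re.compile(
    r'(?:type=AVC\s+msg=)?audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="h00lyshit") or bare (dev=proc)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Permissions that mean "run code from this file"; execute_no_trans is execute
# without a domain transition, i.e. the caller stays in its own domain.
EXEC_PERMS = {"execute", "execute_no_trans"}


@dataclass
class AvcRecord:
    ts: float
    serial: int
    result: str                 # "denied" or "granted"
    perms: List[str]            # permissions inside the braces
    fields: Dict[str, str] = field(default_factory=dict)


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one AVC line; returns None for lines that are not AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, val in KV_RE.findall(m.group("rest")):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return AvcRecord(float(m.group("ts")), int(m.group("serial")),
                     m.group("result"), m.group("perms").split(), fields)


def parse_avc_log(text: str) -> List[AvcRecord]:
    """Parse every AVC record in a block of log text, skipping other lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def split_context(ctx: str):
    """Split user:role:type[:range] into a tuple; an MLS range, if present, stays as a 4th element."""
    return tuple(ctx.split(":", 3))


def proc_exec_denials(records: List[AvcRecord]) -> List[AvcRecord]:
    """Denied execute/execute_no_trans on a procfs file: the pattern seen in the post."""
    return [r for r in records
            if r.result == "denied"
            and r.fields.get("tclass") == "file"
            and r.fields.get("dev") == "proc"
            and EXEC_PERMS & set(r.perms)]


def summarize_by_comm(records: List[AvcRecord]) -> Dict[str, set]:
    """Map each offending command name to the set of permissions it was denied."""
    out: Dict[str, set] = {}
    for r in records:
        if r.result == "denied":
            out.setdefault(r.fields.get("comm", "?"), set()).update(r.perms)
    return out


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_AVC)
    for r in proc_exec_denials(recs):
        user, role, dtype = split_context(r.fields["scontext"])[:3]
        print(f"serial {r.serial}: {r.fields['comm']} (pid {r.fields['pid']}, domain {dtype}) "
              f"denied {' '.join(r.perms)} on /proc .../{r.fields['name']}")
    print(summarize_by_comm(recs))
```

The same parser works on a live /var/log/audit/audit.log; the procfs filter is deliberately narrow, since a legitimate program has no business executing a process's `environ` file, so a hit on it deserves a look regardless of whether the policy happens to allow it.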