Linux 2.6.30+/SELinux/RHEL5 Test Kernel Local Root Exploit 0day
A zero-day local root exploit involving SELinux appears to have been released. It seems to be a problem even when SELinux is enabled.
/*
 * super fun 2.6.30+/RHEL5 2.6.18 local kernel exploit in /dev/net/tun
 * A vulnerability which, when viewed at the source level, is unexploitable!
 * But which, thanks to gcc optimizations, becomes exploitable :)
 * Also, bypass of mmap_min_addr via SELinux vulnerability!
 * (where having SELinux enabled actually increases your risk against a
 *  large class of kernel vulnerabilities)
 *
 * for 2.6.30 without SELinux enabled, compile with:
 * cc -fPIC -fno-stack-protector -shared -o exploit.so exploit.c
 * (on a 64bit system -m64 may be necessary to compile a 64bit .so)
 * cc -o pwnkernel pwnkernel.c
 * then just ./cheddar_bay.sh
 *
 * for 2.6.30 with SELinux enabled, compile with:
 * cc -fno-stack-protector -o exploit exploit.c
 * then just ./exploit
 *
 * for RHEL5 2.6.18 compile with:
 * cc -fno-stack-protector -DRHEL5_SUCKS -o exploit exploit.c
 * then just ./exploit
 */
The following came in as a tip from 熊猫-san; thank you.
An explanation is given in http://lkml.org/lkml/2009/7/20/361:
> With SELinux mapping the 0 page requires an SELinux policy permission,
> mmap_zero. Without SELinux mapping the 0 page requires CAP_SYS_RAWIO.
> Note that CAP_SYS_RAWIO roughly translates to uid=0 since no one really
> does interesting things with capabilities.
>
> But logged in users (by default), under SELinux, are 'unconfined' and
> can by their very nature run their program in a domain that allows
> mmap_zero.