[CentOS] local root exploit

Ross S. W. Walker rwalker at medallion.com
Tue Feb 12 03:56:28 UTC 2008


Matthew Miller wrote:
> 
> On Mon, Feb 11, 2008 at 06:00:14PM -0500, Ross S. W. Walker wrote:
> > > > I wonder if any existing user-land utilities have hooks into
> > > > vmsplice that may be able to be accessed via PHP, Perl, or CGI?
> > > It's a system call.
> > Yes, but conceivable an application can make use of such a system
> > call since it is exploitable from user land and hence the concern.
> 
> Well, the point is there's nothing wrong with the system call 
> *inherently*.
> There's just a flaw in its implementation which a 
> carefully-crafted program
> can exploit. A program which just happens to use the system 
> call as it is
> intended to be used isn't any more dangerous than any other code.

Sorry this thread keeps getting taken further out of context on each
reply.

Yes I understand there is nothing inherently wrong with the concept
of the vmsplice() system call and it adds a lot of benefit to the
Linux kernel.

But if an application uses a system call, and that call to the system
API depends on user input that isn't properly checking bounds, then said
application can be used as a vector to system penetration.

That is all I am saying and was asking if anybody knew if such a
vector existed in any PHP, Perl or CGI module as it would be the most
likely method of leveraging the flaw if one did not have a shell account
on that machine.

-Ross

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.




More information about the CentOS mailing list