Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] PaX privilege elevation security bug

from [pageexec] Network Security [Permanent Link]
Subject: [Full-Disclosure] PaX privilege elevation security bug
Date: Sat, 05 Mar 2005 01:43:44 +0100 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                PaX privilege elevation security bug

Severity:       critical

Description:    unprivileged users can execute arbitrary code with
                the privileges of the target in any program they or
                other users can execute

                it is definitely exploitable for local users,
                remote exploitability depends on how much control
                one can have over executable file mappings in the
                target

Affected
versions:       all releases since 2003 September
                (when vma mirroring was introduced)

Affected
configurations: anyone having SEGMEXEC or RANDEXEC (vma mirroring)
                in the kernel's .config file

Fixed versions: patches released today, see http://pax.grsecurity.net

Mitigation:     echo "0 0" > /proc/sys/vm/pagetable_cache

                this will eliminate the obvious exploit vector only,
                patching is still unavoidable

Technical details will be posted to the dailydave mailing list,
probably early next week.

This is a spectacular fuckup, it pretty much destroys what PaX has
always stood and been trusted for. For this and other reasons, PaX
will be terminated on 1st April, 2005, a fitting date... Brad Spengler
offered to take it up but if you're interested in helping as well,
contact pageexec@freemail.hu.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQikAPJVtI2Y58IG/EQJbjQCfe0KzZvFRQhzIImxBsbaOBvmQOTcAoIwk
0mFNuwmsx2F3efahYd3bU3mT
=yPeF
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] PaX privilege elevation security bug, pageexec <=
Previous by Date:  Re: [Full-Disclosure] "No such thing as spyware", Egoist
Next by Date:  Re: [Full-Disclosure] Bios programming..., dk
Previous by Thread:  [Full-Disclosure] MDKSA-2005:051 - Updated cyrus-imapd packages fix vulnerabilities, Mandrakelinux Security Team
Next by Thread:  [Full-Disclosure] [OFFTOPIC] Forensics, Macy Gasp
Indexes:  [Date] [Thread] [Top] [All Lists]