{"id":289,"date":"2006-07-14T11:31:18","date_gmt":"2006-07-14T11:31:18","guid":{"rendered":"https:\/\/www.darknet.org.uk\/2006\/07\/linux-kernel-26x-prctl-core-dump-handling-local-r00t-exploit-bid-18874-cve-2006-2451\/"},"modified":"2015-09-09T19:43:48","modified_gmt":"2015-09-09T11:43:48","slug":"linux-kernel-26x-prctl-core-dump-handling-local-r00t-exploit-bid-18874-cve-2006-2451","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2006\/07\/linux-kernel-26x-prctl-core-dump-handling-local-r00t-exploit-bid-18874-cve-2006-2451\/","title":{"rendered":"Linux Kernel 2.6.x PRCTL Core Dump Handling – Local r00t Exploit ( BID 18874 \/ CVE-2006-2451 )"},"content":{"rendered":"

[ad]<\/p>\n

A working version of the exploit used to escalate privileges to root in the recent Debian breakin<\/a>, ah another root kernel exploit.<\/p>\n

It’s to do with the way the kernel handles file permissions (or lack of) on core dumps.<\/p>\n

Linux kernel is prone to a local privilege-escalation vulnerability.<\/p>\n

A local attacker may gain elevated privileges by creating a coredump file in a directory that they do not have write access to.<\/p>\n

A successful attack may result in a complete compromise.<\/p>\n

Linux kernel versions prior to 2.6.17.4 are vulnerable.<\/p>\n

\/*****************************************************\/
\n\/* Local r00t Exploit for: *\/
\n\/* Linux Kernel PRCTL Core Dump Handling *\/
\n\/* ( BID 18874 \/ CVE-2006-2451 ) *\/
\n\/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) *\/\n\/* By: *\/\n\/* - dreyer (main PoC code) *\/
\n\/* - RoMaNSoFt (local root code) *\/
\n\/* [ 10.Jul.2006 ] *\/
\n\/*****************************************************\/<\/p>\n

#include stdio.h
\n#include sys\/time.h
\n#include sys\/resource.h
\n#include unistd.h
\n#include linux\/prctl.h
\n#include stdlib.h
\n#include sys\/types.h
\n#include signal.h<\/code><\/p>\n

You can download it here:<\/p>\n

<\/p>\n

Linux Kernel 2.6.x PRCTL Core Dump Handling Exploit<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

[ad] A working version of the exploit used to escalate privileges to root in the recent Debian breakin, ah another root kernel exploit. It’s to do with the way the kernel handles file permissions (or lack of) on core dumps. Linux kernel is prone to a local privilege-escalation vulnerability. A local attacker may gain elevated […]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[10,6],"tags":[37,353,8859,866,57],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/289"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=289"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/289\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}