Re: [cobalt-security] NEW local exploit

[Peter Batenburg <peter@xxxxxxxxxx>]

Making this exploit public would not be a good idea. But this exploit is real.
Im not a hacker, so i wouldnt know what it precisely does. I only know that 
it works. It has been verified by many ppl now.
I also didn't discover this. I only got the exploit.

At 14:54 15-4-2001 +0100, you wrote:

> Have you posted this vulnerability to BUGTRAQ or any other sites?
>
> I am happy for you to have discovered a 'nice' new vulnerability but without
> either the source code or a full disclosure of what is happening your post
> here is pretty useless.
>
> Adam
>
> *********** REPLY SEPARATOR  ***********
>
> On 15/04/2001 at 15:31 Peter Batenburg wrote:
>
> >Hello,
> >
> >Today i got a nice new local root exploit from a friend of mine. It gives
> >local root in an instant with every kernel and setuid executable available
> >(even 2.4)
> >Proof:
> >[host host]$ id
> >uid=131(host) gid=100(users) groups=100(users),111(site-adm),119(site8)
> >[host host]$ ./prak /usr/bin/crontab
> >bug exploited successfully.
> >enjoy!
> >bash# id
> >uid=0(root) gid=0(root) groups=100(users),111(site-adm),119(site8)
> >bash#
> >
> >This is with a RaQ4r: Linux ********** 2.2.14C11 #2 Wed Jun 28 00:55:51
> >PDT
> >2000 i586 unknown
> >
> >On a RaQ3: Linux ******** 2.2.14C10 #3 Wed Jun 21 15:05:10 JST 2000 i586
> >unknown
> >
> >[bb@***** bb]$ id
> >uid=174(bb) gid=100(users) groups=100(users)
> >[bb@***** bb]$ ./prak /usr/bin/crontab
> >bug exploited successfully.
> >enjoy!
> >bash# id
> >uid=0(root) gid=0(root) groups=100(users)
> >bash#
> >
> >Hopefully cobalt will release a patched kernel within some weeks.
> >People from cobalt can contact me for the source.