On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler wrote:
> Afaik: 2.4.23 contains literally 100s of changes, one of these was a
> small change to do_brk(), which looked like a normal non-critical
> bugfix to everybody involved. Some time later Debian was hacked and
> backtracing how the intruder got superuser privileges revealed that
> the do_brk() without the "small change" was guilty, it had been
> no simple bug but a local privilege escalation issue.
Thanks Andreas! My understanding is that the do_brk vulnerability allowed access to kernel address space. It seems a lot of work is needed to move from that freedom to spawning a root shell. I'd be interested in seeing a worked example.

-- 
Jon Dowland
http://jon.dowland.name/