Re: [Full-disclosure] Breaking the links: Exploiting the linker
CVEs have now been assigned to the two previously reported bugs as follows:
> 1) http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack
> using DB2 from normal user to root, the PoC is for Linux but based on
> testing the AIX version looks iffy too although I couldn't get gcc to
> generate a valid library to exploit it.
CVE-2011-4061. FWIW I now have a version of the exploit for this working on
AIX, based on a copy of kbbacf1 from IBM Tivoli Monitoring 6.1.0.6. It
therefore appears that the vulnerable version of kbbacf1 isn't just shipped
with DB2.
> 2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on
> the QNX runtime linker which abuses an arbitrary file overwrite and race
> condition to get root.
CVE-2011-4060.
Cheers,
Tim
-- 
Tim Brown
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>