header-logo
Suggest Exploit
vendor:
Enterprise Linux
by:
Spender
7,2
CVSS
HIGH
SELinux Bypass
264
CWE
Product Name: Enterprise Linux
Affected Version From: 2.4
Affected Version To: 2.6
Patch Exists: YES
Related CWE: CVE-2009-2692
CPE: o:redhat:enterprise_linux
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2009

Red Hat SELinux Vulnerability

This exploit is related to a vulnerability in Red Hat SELinux which allows an attacker to bypass the security policy and gain root access. The exploit was discovered by Julien Tinnes and Tavis Ormandy and was patched by Linus Torvalds in 2009. The exploit is based on a 8 year old vulnerability.

Mitigation:

The vulnerability can be mitigated by applying the patch released by Linus Torvalds in 2009.
Source

Exploit-DB raw data:

/* dedicated to my best friend in the whole world, Robin Price
   the joke is in your hands

   just too easy -- some nice library functions for reuse here though

   credits to julien tinnes/tavis ormandy for the bug

   may want to remove the __attribute__((regparm(3))) for 2.4 kernels,
   I have no time to test

spender@www:~$ cat redhat_hehe
I bet Red Hat will wish they closed the SELinux vulnerability when they
were given the opportunity to.  Now all RHEL boxes will get owned by
leeches.c :p

fd7810e34e9856f77cba67f291ba115f33411ebd 
d4b0e413ebf15d039953dfabf7f9a2d1

thanks to Dan Walsh for the great SELinux bypass even on "fixed" SELinux 
policies

and nice work Linus on trying to silently fix an 8 year old 
vulnerability, leaving vendors without patched kernels for their users.

  use ./wunderbar_emporium.sh for everything

don't have mplayer? watch an earlier version of the exploit at:
http://www.youtube.com/watch?v=arAfIp7YzZ4

*/

http://www.grsecurity.net/~spender/wunderbar_emporium.tgz
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/9435.tgz (2009-wunderbar_emporium.tgz)

# milw0rm.com [2009-08-14]