How I've used a recent vulnerability in Linux to gain root access and troubleshoot a Fedora desktop machine

polendina (New Member, joined Dec 3, 2021)
Recently I was attempting to downgrade from Fedora 36 Rawhide to Fedora 35 stable, and during this process I lost the sudo command and didn't have a pre-existing root account, so I later tried to access rescue mode by editing the bootloader options, but as I didn't have a root account (starting from Fedora 28 it's not mandatory to make one during installation) it resulted in an error. After looking it up, it turned out there was no other way to execute root tasks but through an external live disk. I recalled a vulnerability published on Telegram, but never really looked into it prior to that. I looked it up again, ran the C file, and voilà, I was granted root access to my own machine; then I was able to resume my administrative tasks. What's even more odd is the fact that the original author's writeup stated that "The vulnerability was fixed in Linux 5.16.11", but it still worked even on my current bleeding-edge kernel version 5.17.0-0.rc2.83.fc36.x86_64.
 

Thanks for that interesting finding. Your kernel 5.17.0-0.rc2, however, is not a stable release, rather an "rc", which is a "release candidate" that has been released for testing and analysis, so one would expect that when its final state of stability is arrived at after the analytical scrutiny, the "dirty pipe vulnerability" will have been dealt with. The current stable kernel is 5.16.13, which I expect wouldn't have the vulnerability, but I haven't checked it myself. The story of the discovery of the flaw was most interesting.

On the matter of losing your sudo command and having no root access, you may have been able to boot to a root shell in single mode from the GRUB prompt and then run passwd to regain root control.
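A version check that encodes the point made above about rc kernels, as an added example in POSIX sh (not code from this thread or from the Dirty Pipe write-up). The 5.16.11 figure is the one quoted in the thread; the 5.15.25 and 5.10.102 backports and the 5.8 introduction point are taken from the public Dirty Pipe write-up rather than from this thread, and the Ubuntu example in the comments is an illustration of distribution numbering, not a finding from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: classify a `uname -r` string against the
# Dirty Pipe fix versions. The thread quotes 5.16.11 as fixed; the 5.15 and
# 5.10 stable branches received the same fix in 5.15.25 and 5.10.102, and the
# bug was introduced in 5.8. A Fedora rc kernel such as
# 5.17.0-0.rc2.83.fc36.x86_64 is a pre-release snapshot of 5.17, so a numeric
# comparison against 5.16.11 says "newer" while the fix may be absent, which is
# what the first post observed. Distribution kernels (e.g. Ubuntu's
# 5.15.0-NN-generic) backport fixes without bumping the upstream patch level,
# so any version check is a first cut, not a verdict.

dirty_pipe_status() {
    rel="$1"
    case "$rel" in
        *rc[0-9]*) echo "rc-kernel: version inconclusive, verify on the host"; return 0 ;;
    esac
    base=${rel%%-*}                           # drop "-0.rc2.83.fc36.x86_64"-style suffix
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    patch=${patch:-0}

    # Kernels before 5.8 predate the bug.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo "not-affected"; return 0
    fi

    # Stable branches that received the fix, with the first fixed patch level.
    case "$major.$minor" in
        5.10) fixed_patch=102 ;;
        5.15) fixed_patch=25 ;;
        5.16) fixed_patch=11 ;;
        *)
            # 5.17 and later were released after the fix; other 5.8+ branches
            # were already end-of-life and never received it.
            if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
                echo "fixed"
            else
                echo "unfixed-branch"
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then echo "fixed"; else echo "vulnerable"; fi
}

# The release string from the thread plus a few constructed ones.
for r in 5.17.0-0.rc2.83.fc36.x86_64 5.16.13 5.16.10 5.15.24 5.10.102 5.4.0; do
    printf '%-30s %s\n' "$r" "$(dirty_pipe_status "$r")"
done
```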
 
@polendina said: ". . . as starting from Fedora 28 it's not mandatory to make one during installation, it resulted in an error."

I agree with @NorthWest -- going into single mode is far easier, if this is allowed in your distro.

Re: recently discovered vulnerability, perhaps eliminate sudo?
 