This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux
kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but
not over an SSH session, as it requires execution from within the context of
a user with an active Polkit agent.
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles
the recording of the credentials of a process that wants to create a ptrace
relationship, which allows local users to obtain root access by leveraging
certain scenarios with a parent-child process relationship, where a parent drops
privileges and calls execve (potentially allowing control by an attacker). One
contributing factor is an object lifetime issue (which can also cause a panic).
Another contributing factor is incorrect marking of a ptrace relationship as
privileged, which is exploitable through (for example) Polkit's pkexec helper
- Jann Horn
- bcoles <email@example.com>