Linux ACPI custom_method Privilege Escalation
Past November 13rd a fix was commited in the Linux kernel. For some reason /sys/kernel/debug/acpi/custom_method was world writable, allowing any user to inject custom ACPI methods into the ACPI interpreter tables.
As the RedHat bug report explains, it was introduced in this commit (Linux 2.6.33)
/drivers/acpi/debug.c
cm_dentry = debugfs_create_file("custom_method", S_IWUGO,
acpi_dir, NULL, &cm_fops);
S_IWUGO is a macro that grants world writable permissions
source/include/linux/stat.h
#define S_IWUGO (S_IWUSR|S_IWGRP|S_IWOTH)
The fix changes the permissions to S_IWUSR, that is a macro that grants write access to the owner (root)
An exploit already exists for this vulnerability.