vendor: N/A
by: Sebastian Krahmer
CVSS: 7.2 (HIGH)
Local Privilege Escalation
CWE: 264
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2013
darklena. fprintd/pam_fprintd local root PoC
pam_fprintd uses the net.reactivated.Fprint service to trigger finger swiping and registers a D-Bus signal inside the PAM authentication function. Since no message filter is registered in either pam_fprintd or the dbus-glib library it uses, such signals can be spoofed by anyone. To test this PoC, start a service (su is fine) as a user that is using pam_fprintd. On a second xterm, when you see the 'Swipe your ... finger' message, start this PoC and you will notice that a root shell is spawned in the first xterm without swiping your finger.
Mitigation:
Ensure that a message filter is registered either in pam_fprintd or inside dbus-glib, which it uses.
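The check such a message filter has to make, as an added example that is not code from fprintd, pam_fprintd or the PoC: the bus daemon stamps every signal with the sender's unique connection name, so the module can compare it with the current owner of net.reactivated.Fprint before trusting the result. The struct types and function names are hypothetical, the sample unique names and device path are constructed, and bus delivery is modelled with plain structs so the block runs without libdbus.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the header fields delivered with a D-Bus signal. */
struct bus_signal {
    const char *sender;     /* unique name, filled in by the bus daemon */
    const char *path;       /* object path the signal claims to come from */
    const char *interface;
    const char *member;
    const char *result;     /* first argument of VerifyStatus */
};

/* State the PAM module records before it starts waiting for a swipe. */
struct verify_ctx {
    const char *owner;      /* reply to GetNameOwner("net.reactivated.Fprint") */
    const char *device;     /* path of the device this session claimed */
};

static bool same(const char *a, const char *b)
{
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/* Filter: true only for VerifyStatus emitted by the real service for our device. */
bool signal_is_trusted(const struct verify_ctx *ctx, const struct bus_signal *s)
{
    return same(s->sender, ctx->owner) &&
           same(s->path, ctx->device) &&
           same(s->interface, "net.reactivated.Fprint.Device") &&
           same(s->member, "VerifyStatus");
}

/* Authentication succeeds only on a trusted signal that reports a match. */
bool auth_succeeds(const struct verify_ctx *ctx, const struct bus_signal *s)
{
    return signal_is_trusted(ctx, s) && same(s->result, "verify-match");
}

int main(void)
{
    /* Constructed sample values: the unique names and device path are made up. */
    struct verify_ctx ctx = { ":1.7", "/net/reactivated/Fprint/Device/0" };
    struct bus_signal real = { ":1.7", ctx.device, "net.reactivated.Fprint.Device", "VerifyStatus", "verify-match" };
    struct bus_signal forged = { ":1.93", ctx.device, "net.reactivated.Fprint.Device", "VerifyStatus", "verify-match" };
    printf("real=%d forged=%d\n", auth_succeeds(&ctx, &real), auth_succeeds(&ctx, &forged));
    return 0;
}
```

In a real module the owner value also has to be refreshed when the bus reports NameOwnerChanged for net.reactivated.Fprint, otherwise a service restart makes every genuine signal fail the comparison.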