Vendor: Metasploit
Author: 0a29406d9794e4f9b30b3c5d6702c708
CVSS: 7.2 (HIGH)
Type: Privilege Escalation
CWE: 264
Product Name: Metasploit
Affected Version From: Metasploit < 4.4.0
Affected Version To: Metasploit < 4.4.0
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Unix, BSD
2012

Metasploit pcap_log Local Privilege Escalation

Metasploit < 4.4 ships a vulnerable 'pcap_log' plugin which, with its default settings, writes pcap files to /tmp under predictable file names. The exploit hard-links those file names to /etc/passwd and then sends a packet containing a privileged user entry; that packet, together with every other captured packet, is appended to /etc/passwd. Successful exploitation results in the creation of a new superuser account.

Mitigation:

Remove /tmp/msf3-session*pcap files and truncate /etc/passwd.
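A defender-side check for this issue, added here as an example (it is not code from the Exploit-DB entry or from Metasploit): it looks for the plugin's default /tmp/msf3-session*pcap files that are hard links to /etc/passwd, and for the two traces the exploit leaves in /etc/passwd, an extra UID-0 account and the malformed lines produced by appended packet data. The msf3-session*pcap name is taken from the mitigation above; the standard 7-field passwd layout is an assumption, and paths are parameters so the checks can be run against copies of the files.

```shell
# Paths are parameters so the checks can run against copies of the files.

# Inode of a path via POSIX ls -di (portable to BSD, unlike GNU stat -c).
inode_of() {
    ls -di "$1" | awk '{ print $1 }'
}

# Print pcap_log files in $1 that are hard links to the passwd file $2,
# i.e. that share its inode. Prints nothing when the host is clean.
pcap_links_to_passwd() {
    dir=$1; passwd=$2
    [ -f "$passwd" ] || return 1
    target=$(inode_of "$passwd")
    for f in "$dir"/msf3-session*pcap; do
        [ -e "$f" ] || continue        # the pattern matched nothing
        [ "$(inode_of "$f")" = "$target" ] && echo "$f"
    done
    return 0
}

# Print UID-0 accounts other than root: the account the exploit creates.
extra_superusers() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Count lines without the 7 colon-separated passwd fields (assumed layout);
# the other captured packets appended to /etc/passwd show up here.
malformed_passwd_lines() {
    awk -F: 'NF != 7 { n++ } END { print n + 0 }' "$1"
}

# Full report; returns 0 when clean, 1 when any indicator is present.
report() {
    dir=${1:-/tmp}; passwd=${2:-/etc/passwd}
    links=$(pcap_links_to_passwd "$dir" "$passwd")
    extra=$(extra_superusers "$passwd")
    bad=$(malformed_passwd_lines "$passwd")
    printf 'pcap files hard-linked to %s: %s\n' "$passwd" "${links:-none}"
    printf 'extra UID-0 accounts: %s\n' "${extra:-none}"
    printf 'malformed passwd lines: %s\n' "$bad"
    [ -z "$links" ] && [ -z "$extra" ] && [ "$bad" -eq 0 ]
}

# Scan the live host only when explicitly requested.
if [ "${PCAP_LOG_CHECK:-0}" = 1 ]; then
    report /tmp /etc/passwd
fi
```

Run with `PCAP_LOG_CHECK=1 sh check.sh` on a host; a non-zero exit means at least one indicator was found and the mitigation above applies.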